There's little doubt that the traditional password is in danger of being replaced — much has been written about its vulnerabilities and flaws, and organizations like DARPA and Google are hard at work looking for alternatives. Biometric sensors like the fingerprint scanner are one option, but some students and researchers from UC Berkeley are taking a more mental than physical approach to security. Using an off-the-shelf, consumer-oriented headset with a built-in electroencephalogram (EEG), the team developed a way for users to log in and authenticate their identities using only their brain waves.
The impetus for this project came from the availability of low-cost EEG sensors — while researchers have long proposed using EEGs to authenticate users with "passthoughts," previous hardware was both expensive and invasive. However, the UC Berkeley team was able to use the Neurosky Mindset, a $199 dollar headset that looks like a standard pair of bluetooth headphones with a single EEG probe attached to it. The question was then whether or not that single sensor would provide enough of a quality brainwave signal to effectively authenticate users. After selecting customized thought-tasks for each user and calibrating the headset for each user's "authentication threshold," the system returned error rates of less than one percent.
Another blow struck against the venerable but aging password
The last hurdle involved determining what specific mental tasks would be best-suited to this type of authentication — the team wanted the interaction to be as user-friendly as possible. To find the most suitable tasks, the team measured the brainwaves of test subjects performing seven different mental activities to authenticate their identify. Research showed that the best tasks for this setup were ones that users didn't mind repeating on a daily basis — the tasks need to be easy, but not too boring. Imagining singing a song or counting objects of a specific color worked well, while more mundane tasks like imagining sliding your finger were too boring. Users also didn't want to choose their own task — they ended up choosing something too complicated or difficult to repeat. While EEG hardware will need to become more commonplace before such an authentication system can be widely implemented, the simplicity and low cost of newer sensors means this system might have a shot.