Brainprints hit 100% accuracy at identity verification

library
crime | hacking | security

Brainprint. Bee. Lady Gaga.

When you read those words, the part of your brain that assigns meaning to words sparkled, firing neurons in a pattern that’s both consistent and unique to each of us.

It’s called, in fact, a brainprint: a biometric attribute that researchers have been studying for use in authentication for years.

If researchers had strapped what’s basically a swimcap outfitted with electrodes – otherwise known as an electroencephalogram headset – on your head, they could have recorded your brainwaves, emitted in less than a second per word, as you read, and thus would have come away with a way to tell that you are really you.

You’ve likely heard of this form of biometric before: back in 2007, for example, scientists were looking at identifying people via unique patterns of brain activity.

More recently, in May 2015, researchers at the Basque Center for Cognition and Binghamton University published a study detailing their attempts to identify individuals by their brains’ reaction to acronyms (e.g., FBI, DVD).

At the time they published their original study in the academic journal Neurocomputing, the team had achieved a decent accuracy rate in identifying individuals by brainprint.

The researchers were able to identify, with 97% accuracy, one person out of a group of 32 by that person’s responses to words or images that flashed on a monitor for half a second.

To achieve even that level of not quite good enough accuracy, they had to find a way to filter out all the noise that a human brain produces and which makes it tough to pick up clean measurements.

They did so by focusing on brainwaves from one particular region of the brain that’s associated with the task of reading and recognizing words, thus cutting through the chatter to attain a clearer signal that can be measured more quickly.

There are various types of memories: episodic memories that record experience, and semantic memories that simply record word meanings.

Semantic memories are subtly different for each of us, making them potentially useful for authentication. They also don’t tend to change much over time, as opposed to episodic memories.

The team has since managed to refine its efforts yet further, to achieve 100% accuracy.

As described in a magazine put out by Binghamton, the team recorded the brain activity of people wearing an electroencephalogram headset while they looked at a series of 500 images designed specifically to elicit unique response: e.g., a slice of pizza, a boat, Anne Hathaway, the word “conundrum,” the strong pro or con most of us feel when presented with sushi.

Again, each image flashed on a monitor for only half a second.

They were spot on, 100% of the time, when identifying one person out of a group of 30.

The magazine quotes one of the team leaders, Binghamton Assistant Professor of Psychology Sarah Laszlo:

When you take hundreds of these images, where every person is going to feel differently about each individual one, then you can be really accurate in identifying which person it was who looked at them just by their brain activity.

Choosing images that tend to elicit a strong reaction seems to have been one of the refinements: for example, the team used images of sushi.

If you’ve ever eaten it, you probably fall into one of two camps: you think it’s sublime, or you think it’s slimy.

Either way, your brain’s kneejerk – also known as nonvolitional – response will be decisive.

Assistant Professor of Electrical and Computer Engineering Zhanpeng Jin, another leader of the research team, told the Binghamton magazine that the team’s research on brainprints has been more successful than past efforts to use brain activity as a biometric in part because they focused on nonvolitional brain response rather than active thinking:

The key idea is that we want to identify and recognize the individual person based on their inside thinking. Inside-brain activity is not visible to anyone else.

Even more exciting is that we want to use a nonvolitional response. That means even the user cannot be aware of it.

There are yet more benefits to brainprints when compared with other forms of biometrics.

To recap, the problems with biometrics to date have included:

Fingerprint workarounds: There’s always the possibility of cutting off an authenticating finger, but that’s quite Hollywood. There’s also a far less James Bond villainesque technique: that of creating a fake fingerprint made of wood glue. That’s how researchers have fooled fingerprint scanners in both the Galaxy S5 and the iPhone 5s Touch ID.

Retina/iris scan workarounds: Researchers have shown that iris or retina scanners can be tricked, similar to how it’s done with fingerprint scanners: the replica is a digital iris imprint reconstructed from digital images of an eye.

The problem is, you can’t cancel the authentication factor if it’s a finger or an eyeball: you can’t simply grow new ones if they get (unfortunately) lost, damaged, or (more flinch-worthy still) stolen.

But brainwaves can’t be lost or stolen.

You can’t cut off somebody’s brain: that would render it quite incapable of producing the authentication factor that is a brainprint, given that it, and its former host, would both be dead.

And, unlike retinas or fingerprints, you can in fact change a brainprint: you simply reset it to whatever your brain registers when it views a different image.

Laszlo:

If someone’s fingerprint is stolen, that person can’t just grow a new finger to replace the compromised fingerprint – the fingerprint for that person is compromised forever.

Fingerprints are ‘non-cancellable.’ Brainprints, on the other hand, are potentially cancellable. So, in the unlikely event that attackers were actually able to steal a brainprint from an authorized user, the authorized user could then ‘reset’ his brainprint.

The ability to reset the brainprint could be used not only if a brainprint were somehow compromised by a criminal, but also if something traumatic – or even something positive and life-changing, such as childbirth – were to happen to change an individual’s reactions.

What if you threatened an individual, to try to force them to use their brainprints?

The researchers suspect it wouldn’t work, Jin said:

We think that you can’t even threaten somebody and have their brainprint still work, because if you threaten someone, say with violence, that makes them stressed out.

When you are stressed, your brain activity changes quite dramatically. We think that stress would prevent the person from being able to use his brainprint to authenticate the system.

Regardless of brainprints’ superiority over other biometrics, don’t expect to use them to unlock your mobile phone or log into banking sites anytime soon.

First drawback: that electrode-reading shower cap thing.

The technology is too expensive, too cumbersome and too time-consuming – it takes several minutes to collect a fresh brainprint for purposes of verification – to make sense for mass production and use in low-security applications, at least for now.

Rather, the researchers envision brainprints as potentially being used at checkpoints for high-security locations, such as military or nuclear facilities.

Jin:

The expense of the equipment and the amount of time that it takes to collect a brainprint is, at least now, much too long for someone to want to use it to get into an iPhone or get into a computer, because you don’t want to spend 2 minutes recording brain activity every time you want to look at your phone.

Quick note: Of course, the bit that’s missing from the “100% accuracy” claims in all of this is how the system behaves when it fails, or is confronted with an unknown person.

Differentiating between 30 different people from a known group with 100% accuracy is impressive. But what happens when a stranger shows up?

Does the system reject everyone else? Does it admit everyone else? Or does it randomly match every stranger with one of the 30 identities already in the group?

How security systems fail is at least as important as how they behave under ideal circumstances – because there are no “ideal circumstances” once cybercrooks enter the equation.