1(630)802-8605 Ravi.das@bn-inc.net

Yes, we have all come to hate our passwords in some form or another. And yet, the password is still the primary means by which we log in to both our personal and professional stuff. I am sure that all of you out there have had your fair share of password frustrations and tears. In fact, my podcast guest yesterday said that he has some 250+ passwords for all his stuff both at home and work.

I asked him how he did it, and he said that he makes extensive use of a Password Manager. I have written about this before, and essentially this is a software package that enables you to store multiple, complex passwords. It can even create them for you in just a matter of seconds.

But, there is still reservation in Corporate America about the total, 100% adoption of these tools, so the trend now is to go onto the next available layer of protection:  Biometrics. With regards to this, we are seeing a huge increase in the use of Fingerprint, Iris, and even Facial Recognition.  Probably one of the biggest adopters of using Biometrics has been Apple with their TouchID and FaceID systems.

But even with Biometrics, as robust as the technology is in confirming the identity of the individual, you simply cannot rely on it as your only means of defense. It is best used in conjunction with other Security tools, such as, yes, once again, the password, or even PINs and Challenge/Answer questions.

So, is there another alternative? Well, I came across a news article in which researchers are determining how the way our brain perceives different stimuli from the outside world can be used as a potential way of confirming our identity.

Essentially, in these studies, the subject has electrodes placed onto their scalp, and they are presented with certain pictures. It was discovered that, even between two people, the brain waves that were recorded in reaction to these pictures were completely different.

The researchers claim that what is totally unique about this is that the brain's reactions to these stimuli are completely automatic, and there is no way to control them. Put another way, it is the knee-jerk reaction of our brain to external stimuli which makes us unique, and as a result, it can be considered almost hacker proof.

So it is with this in mind that these researchers have coined a new term for this, called the “Brain Password”. The pictures that the subject responds to can be just about anything, but they note that in order to keep the profile that is associated with the Brain Password the same (in other words, there should not be too much deviance), the same set of pictures or even stimuli should be used.

So, now the question is how would this work in the real world? Let us take the example of a Physical Access Entry application, in which an individual is trying to gain access to a building. First, he or she would present some sort of document confirming their identity, such as a driver’s license or a passport. Heck, even the Biometric technologies described earlier could be used as well.

After this part has been completed, the individual would then wear a specialized helmet, which would be outfitted with electrical sensors on the inside of it.  They would then be presented with the same set of pictures or stimuli, and the sensors would then record the associated brain wave patterns. This would then become the initial baseline profile (in fact, this process is almost identical to the “Enrollment Phase” in Biometrics).

But, in order to truly confirm the identity of the individual in question, he or she would then be subject to the same pictures and stimuli, and a second set of brain waves would then be recorded (again, this is just like the “Verification Phase” in Biometrics) and compared against the baseline profile. If the two match, the identity would then be confirmed, and as a result, that particular individual would then be able to gain access to that building.

The researchers claim that the crown jewel of creating a Brain Password is that if the profiles were ever hacked into, a new profile can be created almost instantly, because a new set of pictures or stimuli could be used to create a new profile.

Their hypothesis is that since, in theory, there is an infinite number of pictures and stimuli, there will also be a limitless number of Brain Passwords that can be created, thus making it hacker proof, because they can be reset so many times.

They also state that when different pictures and external stimuli are used, each profile (which is actually the brain recording of the particular response to these pictures and stimuli – I did not clarify this earlier) will be completely different and unique.
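The enrollment, verification and reset flow described above, sketched as an added example (it is not code from the researchers or from the original post). The recordings are constructed synthetic vectors rather than real brain-wave data, and the sample count, noise level, correlation measure and 0.6 threshold are all assumptions made for illustration.

```python
import math
import random

SENSORS, SAMPLES = 3, 64   # 3 sensors as in the article; 64 samples per sensor is assumed
THRESHOLD = 0.6            # assumed acceptance threshold on Pearson correlation

def record(subject, stimulus_set, trial, noise=0.4):
    """Constructed stand-in for one recording: a fixed response per
    (subject, stimulus set) plus trial-to-trial noise."""
    base = random.Random(f"{subject}|{stimulus_set}")
    jitter = random.Random(f"{subject}|{stimulus_set}|{trial}")
    return [base.gauss(0, 1) + jitter.gauss(0, noise)
            for _ in range(SENSORS * SAMPLES)]

def build_baseline(trials):
    """Enrollment: average repeated recordings into one baseline profile."""
    return [sum(col) / len(trials) for col in zip(*trials)]

def similarity(a, b):
    """Pearson correlation between a baseline profile and a probe recording."""
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    na = math.sqrt(sum((x - ma) ** 2 for x in a))
    nb = math.sqrt(sum((y - mb) ** 2 for y in b))
    return cov / (na * nb)

class ProfileStore:
    def __init__(self):
        self.profiles = {}  # user -> (stimulus_set, baseline profile)

    def enroll(self, user, stimulus_set, trials=5):
        recs = [record(user, stimulus_set, t) for t in range(trials)]
        self.profiles[user] = (stimulus_set, build_baseline(recs))

    def verify(self, user, probe):
        _, baseline = self.profiles[user]
        return similarity(baseline, probe) >= THRESHOLD

def demo():
    store = ProfileStore()
    store.enroll("alice", "pictures-A")
    genuine = record("alice", "pictures-A", trial=99)
    impostor = record("mallory", "pictures-A", trial=99)
    before = (store.verify("alice", genuine), store.verify("alice", impostor))
    store.enroll("alice", "pictures-B")  # reset: re-enroll with a new picture set
    fresh = record("alice", "pictures-B", trial=99)
    after = (store.verify("alice", genuine), store.verify("alice", fresh))
    return before, after  # genuine recording no longer matches after the reset
```

The trial-to-trial noise term is where the comparison problem shows up: raising `noise` pushes genuine scores toward the threshold and forces a trade-off between false rejects and false accepts.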

My thoughts on this?

Well, my first reaction to this is that creating a so-called Brain Password is just way too user invasive – just like Retinal Recognition was back in the 1970s. To the researchers' credit, they did address this issue in the article.

For example, they first started out with about 32 sensors being placed inside the specialized helmet. But realizing that they needed to collect the most reliable information/data with the least amount of data, they eventually reduced this down to just 3 sensors, thus making it more user friendly.

This research actually falls into the realm of what is known as “Virtual Reality” (also referred to as “Augmented Reality”). I don’t know too much about this area, but I plan to write a blog or two about it, as it is starting to make its way into Cyber security as well.

I have many areas of concern about this research, but the two that come out immediately are as follows:

* As it has been described, the brain reacts wildly and in different ways to even the same set of pictures. Thus, this can make the comparison of two baseline profiles difficult to accomplish. As mentioned, this process is just like using Biometric Technology, but in the case here, at least the profiles that are collected are stable, and will not change, thus eliminating this problem.

* The researchers have also pointed out that there is a limitless amount of resets of Brain Passwords that are available in the case that they were ever hacked into. But this is the same problem as with passwords: here too, we have an unlimited amount that can be created, thus driving up the administrative costs for this even higher.

Although I have been in Biometrics for a very long time, and my opinion may sound extremely biased, I still feel that this technology is the best alternative to passwords – after all, they are stable over the lifetime of an individual, and the cost of a reset is minimal.  The adoption rate of using this has just started to increase, so perhaps more time should be given here before jumping onto more out of the world solutions.

Do I envision the Brain Password used in commercial applications?  Frankly I do not, at least not here in the United States.  It could very well evolve in other parts of the world, but here, the issue of Privacy Rights and Civil Liberties will far outstrip any benefits that it could bring to the table.

Rather than focusing upon this type of “James Bond” or “Star Trek” type of research, I think resources should be devoted to what we have now and making it better in order to fight off the Cyber attacker.

Finally, if you want to see more details on this research, here are some links:

https://www.eurekalert.org/pub_releases/2015-06/bu-brt060215.php

https://www.sciencedirect.com/science/article/pii/S0925231215004725?via%3Dihub