I think this has been mentioned before on HN. Finger prints, retina scans, brain scans are not passwords, they're userid's.
If the scanner could read a password out of my head then it would be a password. But merely knowing it's my brain isn't good enough (for secure transactions at least).
The trinity: Something you know, something you have, something you are.
Reading the article, the 'brainprint' seems to be more similar to a challenge/response password than an identity. The brainprint is the brain response to 500 images. It can therefore be changed and replaced by another response to another set of images.
It can be seen as a high security biometric challenge/response password mechanism which can not easily be eavesdropped or faked.
The brainprint is something you HAVE (the response) which is different from something you ARE (a fingerprint, a retina, a brain)
> different from something you ARE (a fingerprint, a retina, a brain)
How is "something you ARE" a useful classification? A fingerprint can be easily changed. And retina patterns could (probably already can) be faked too.
Biometric data makes for great usernames, but not so much for a password. How do you "reset" your brainwaves? The wishy-washy part of TFA on that made me question the entire premise.
That's not a complete complaint. If the password were your brainwaves, why would you still need to reset it? Did someone else steal your brain and you need to make sure they no longer have access?
That's what one-way hash functions are for. You never store the raw fingerprint data, just its unique salted hash so the data cannot be reused elsewhere.
It only takes one case of blatant disregard by a trusted source to spoil the entire process. What do you do when the scandal leaks that X Co didn't do due diligence and now 100 million of their customer's brainprints are leaked and able to be compromised?
That's the same reasoning for text passwords, yet there are huge password dumps every year.
It only takes one place where security standards aren't implemented properly to have your print leaked forever.
Never mind a malicious user managing to alter the code to leak the print before it's hashed.
Or even someone physically accosting you and retrieving a brain scan. They could do the same thing and force you to give up a password, but at least the password you can change later on.
> Or even someone physically accosting you and retrieving a brain scan. They could do the same thing and force you to give up a password, but at least the password you can change later on.
For that matter, a password is always your choice to reveal or not, taking the cost and alternative into account. Biometric information isn't.
No they don't. American credit cards handle it the right way already with minimal technology around security. Make a good-faith attempt to validate, but generally treat the transaction as legitimate. If it was not, help law enforcement investigate, and make the compromised party whole as a cost of doing business. Bonus points if you can extort that last part from your vendor in the contract you have with them.
I don't remember where I heard it but someone said something along the lings of "You shouldn't use something that you leave everywhere and can never change as a secure token"
Right, and password should be voluntarily entered. This system would be able to steal my password, e.g. unlocking my laptop, forcing me to look at some photo
Brainprints are not like retina scans and finger prints. They can't be read without you knowing and can be cancelled, as they are tied to a specific stimulus. If you want to change your brainprint password, just change the image it's coded to.
In the experiment, they used only 50 subjects and they were able to distinguish between all of them. For me, it's not clear that the "100%" will be maintained when they use a larger group.
Also, in the previous experiment they used 32 subjects and got a "97%". I'm not sure what that means, but I guess it's 31/32. So perhaps they reduced the error rate or perhaps they were lucky and didn't get the problematic subject / collision.
the cool thing about stuff like this (I am familiar with a few different efforts along this vein) is that you can combine something you are with something you know. the downside of fingerprints and retinas is they can be passively recorded and replayed, but with the brain, you could build an authenticator that only works when the user is cooperating with the authentication scheme, and, recording and replaying the electrical signal from the brain won't spoof the authenticator.
until you really refine the task down to take a few seconds and you have dry cap electrodes, it's still untenable, but progress has been made on the latter.
Well, people change over time. Not to mention trauma. Things could happen that change these "brain signatures". This experiment is really lacking seriousness.
38 comments
[ 3.5 ms ] story [ 83.2 ms ] threadI think that we can build a device that can capture a brainwave et replay it.
I want such a device that can play back into my own brain.
If the scanner could read a password out of my head then it would be a password. But merely knowing it's my brain isn't good enough (for secure transactions at least).
Reading the article, the 'brainprint' seems to be more similar to a challenge/response password than an identity. The brainprint is the brain response to 500 images. It can therefore be changed and replaced by another response to another set of images. It can be seen as a high security biometric challenge/response password mechanism which can not easily be eavesdropped or faked. The brainprint is something you HAVE (the response) which is different from something you ARE (a fingerprint, a retina, a brain)
How is "something you ARE" a useful classification? A fingerprint can be easily changed. And retina patterns could (probably already can) be faked too.
does my identity change?
(assuming one image is an apple)
http://blog.dustinkirkland.com/2013/10/fingerprints-are-user...
Biometric data makes for great usernames, but not so much for a password. How do you "reset" your brainwaves? The wishy-washy part of TFA on that made me question the entire premise.
Password databases get compromised all the time; so would a "brainprint" database. You can change a password.
It only takes one place where security standards aren't implemented properly to have your print leaked forever.
Never mind a malicious user managing to alter the code to leak the print before it's hashed.
Or even someone physically accosting you and retrieving a brain scan. They could do the same thing and force you to give up a password, but at least the password you can change later on.
For that matter, a password is always your choice to reveal or not, taking the cost and alternative into account. Biometric information isn't.
Not working when drunk a potentially useful feature in some areas.
Also, in the previous experiment they used 32 subjects and got a "97%". I'm not sure what that means, but I guess it's 31/32. So perhaps they reduced the error rate or perhaps they were lucky and didn't get the problematic subject / collision.
I agree it is hard to tell if this result will be consistent with a larger sample pool.
TSA doing brainprint scans someday shudder
until you really refine the task down to take a few seconds and you have dry cap electrodes, it's still untenable, but progress has been made on the latter.
I mean, hell, how can it differentiate between sober and drunk? Or high? Or even sleep deprived?
Show me apple just after breakfast vs just before.
For some reason, this made me extremely annoyed. In terms of uncertainty, this is the largest chasm in the world.
It's NOT 100% accurate