38 comments

[ 3.5 ms ] story [ 83.2 ms ] thread
Well, It's not like we are gonna wear an EEG 24/7 just to unlock our smartphone or pass security at work...

I think that we can build a device that can capture a brainwave et replay it.

> I think that we can build a device that can capture a brainwave et replay it.

I want such a device that can play back into my own brain.

I see a huge market here for replaying orgasms.
I think this has been mentioned before on HN. Finger prints, retina scans, brain scans are not passwords, they're userid's.

If the scanner could read a password out of my head then it would be a password. But merely knowing it's my brain isn't good enough (for secure transactions at least).

The trinity: Something you know, something you have, something you are.

Reading the article, the 'brainprint' seems to be more similar to a challenge/response password than an identity. The brainprint is the brain response to 500 images. It can therefore be changed and replaced by another response to another set of images. It can be seen as a high security biometric challenge/response password mechanism which can not easily be eavesdropped or faked. The brainprint is something you HAVE (the response) which is different from something you ARE (a fingerprint, a retina, a brain)

> different from something you ARE (a fingerprint, a retina, a brain)

How is "something you ARE" a useful classification? A fingerprint can be easily changed. And retina patterns could (probably already can) be faked too.

what happens when instead of my association of apples to keeping doctors away changes to Isaac Newton and Gravity.

does my identity change?

(assuming one image is an apple)

Yup, you just nailed it. Here is the best writing on just that I've found (and have shared before on HN):

http://blog.dustinkirkland.com/2013/10/fingerprints-are-user...

Biometric data makes for great usernames, but not so much for a password. How do you "reset" your brainwaves? The wishy-washy part of TFA on that made me question the entire premise.

That's not a complete complaint. If the password were your brainwaves, why would you still need to reset it? Did someone else steal your brain and you need to make sure they no longer have access?
> Did someone else steal your brain and you need to make sure they no longer have access?

Password databases get compromised all the time; so would a "brainprint" database. You can change a password.

That's what one-way hash functions are for. You never store the raw fingerprint data, just its unique salted hash so the data cannot be reused elsewhere.
It only takes one case of blatant disregard by a trusted source to spoil the entire process. What do you do when the scandal leaks that X Co didn't do due diligence and now 100 million of their customer's brainprints are leaked and able to be compromised?
That's the same reasoning for text passwords, yet there are huge password dumps every year.

It only takes one place where security standards aren't implemented properly to have your print leaked forever.

Never mind a malicious user managing to alter the code to leak the print before it's hashed.

Or even someone physically accosting you and retrieving a brain scan. They could do the same thing and force you to give up a password, but at least the password you can change later on.

> Or even someone physically accosting you and retrieving a brain scan. They could do the same thing and force you to give up a password, but at least the password you can change later on.

For that matter, a password is always your choice to reveal or not, taking the cost and alternative into account. Biometric information isn't.

Or messing with the RNG so that the salt isn't actually random. That would never happen :)
(comment deleted)
Security measures are going to have to deal with situations where people are potentially acting under compulsion and need plausible deniability.
No they don't. American credit cards handle it the right way already with minimal technology around security. Make a good-faith attempt to validate, but generally treat the transaction as legitimate. If it was not, help law enforcement investigate, and make the compromised party whole as a cost of doing business. Bonus points if you can extort that last part from your vendor in the contract you have with them.
I don't remember where I heard it but someone said something along the lings of "You shouldn't use something that you leave everywhere and can never change as a secure token"
Given they are measuring a response to a photo, change the photo? This seems much more like challenge-response than other forms of biometric data.
Right, and password should be voluntarily entered. This system would be able to steal my password, e.g. unlocking my laptop, forcing me to look at some photo
Brainprints are not like retina scans and finger prints. They can't be read without you knowing and can be cancelled, as they are tied to a specific stimulus. If you want to change your brainprint password, just change the image it's coded to.
> Will it still work when I'm drunk?

Not working when drunk a potentially useful feature in some areas.

It would probably be better if it still works, but is able to read your state ie figure out whether you are drunk or not.
In the experiment, they used only 50 subjects and they were able to distinguish between all of them. For me, it's not clear that the "100%" will be maintained when they use a larger group.

Also, in the previous experiment they used 32 subjects and got a "97%". I'm not sure what that means, but I guess it's 31/32. So perhaps they reduced the error rate or perhaps they were lucky and didn't get the problematic subject / collision.

For the earlier experiment, subjects were presented with words, not images. This is (ostensibly) what lowered the error rate.

I agree it is hard to tell if this result will be consistent with a larger sample pool.

If you use Laplace succession then 50/50 corresponds to an expected success rate of 51/52 = 98%. If you use the KT estimator you get a hair over 99%.
I wonder if this is like rfid chips that were only supposed to work up to a couple feet away but special equipment can now read them far away.

TSA doing brainprint scans someday shudder

"Stand still and think of the worst experience of your life. Thank you, next!"
the cool thing about stuff like this (I am familiar with a few different efforts along this vein) is that you can combine something you are with something you know. the downside of fingerprints and retinas is they can be passively recorded and replayed, but with the brain, you could build an authenticator that only works when the user is cooperating with the authentication scheme, and, recording and replaying the electrical signal from the brain won't spoof the authenticator.

until you really refine the task down to take a few seconds and you have dry cap electrodes, it's still untenable, but progress has been made on the latter.

Well, people change over time. Not to mention trauma. Things could happen that change these "brain signatures". This experiment is really lacking seriousness.
What happens when you take LSD and suddenly all of your brainscan passwords fail?

I mean, hell, how can it differentiate between sober and drunk? Or high? Or even sleep deprived?

Also mood swings, being sexually aroused, etc.
I guess in that case I would appreciate a cortisol bomb preventing me from cashing out at an ATM at gunpoint.
and hungry.

Show me apple just after breakfast vs just before.

> "It’s only a three-point difference, but going from 97 to 100 percent [accuracy] makes possible..."

For some reason, this made me extremely annoyed. In terms of uncertainty, this is the largest chasm in the world.

Need to conceal your identity? Take some LSD before going to the airport.
TL;DR

It's NOT 100% accurate