Professor John Chuang of UC Berkeley’s Center for Long-Term Cybersecurity, who leads a project on using brainwaves as passwords. Here, he wears a brain sensor device and his brainwave activity on the screen results from thinking of something specific. (Photo: Chuck Kapelle, UC Berkeley)

It is increasingly difficult to authenticate users on the internet. As phishing scams proliferate to capture and use passwords, new solutions are needed. The most typical response today is to turn to two-factor authentication, using both a password and a second method of identifying the user, like a text message or a fingerprint. But there are only a limited number of devices available to consumers to use for that second factor. And those systems are not necessarily secure; text-message-based authentication has already proved vulnerable to hackers.
The most common alternative “second factor” is biometrics, such as fingerprints or iris scans. Because biometrics are unique to users, they are a tempting means of authentication. But biometrics have their own flaws. Not least, they are increasingly hackable; researchers have already demonstrated they can replicate fingerprints with a surprising degree of accuracy, using only a high-resolution photograph. With 3D printers becoming more common, it may soon be possible to replicate an entire three-dimensional fingerprint. Even more importantly, biometrics are unchangeable. Once your fingerprints or iris scans are hacked, it’s like giving away a unique personal password for life.
But what if the future of authentication could involve a different type of biometrics: one that is both unique to the individual and changeable. At UC Berkeley’s Center for Long-Term Cybersecurity, we are supporting precisely such an approach. Led by Professor John Chuang, our researchers are studying how we create three-factor authentication, using our brainwaves (yes, really!) to lead the way.
Imagine wearing a small device in your ear, shaped like an earbud. Now think a phrase, let’s say “Mary had a little lamb.” Now imagine that, as you think the phrase, the small device reads your brainwaves, using an EEG sensor. It identifies a particular pattern of brainwaves. Now think the phrase again. In early studies, our researchers have uncovered that you will see a repeatable pattern of brainwaves, when provoked by the same thought. Even better, if I think the same phrase that you were thinking, I will have a repeatable pattern—but it won’t be the same as yours.
If Professor Chuang’s team is successful, we can imagine a future of not just two, but three-factor authentication using this technology.

  • First, there is the possession factor, as you plug the earbud-style device into your ear;
  • Second is the knowledge factor, the ‘passthought’ that you think;
  • And third is the biometric factor, the repeatable brainwave pattern that results from your thoughts. Algorithms will identify a “match” between past examples and the current thought pattern.

In addition to adding an additional factor, there are two huge benefits to this type of authentication. First, it is simultaneous. Unlike those annoying text messages or passcodes plus fingerprints, all three factors here work at once. And second, unlike other biometrics, this technique is changeable. When your fingerprint gets hacked, you’re toast. When your brainwave pattern gets hacked, it’s no big deal; just change your passthought (switch from “Mary had a little lamb” to “Three Blind Mice”) and a new pattern will recur.
It’s worth considering that other technologies are coming down the pipeline that may eventually threaten even three-factor authentication. Artificial intelligence and machine learning were two hot topics at the major security conferences this year, and we have to imagine that adversaries will seek to use them to infiltrate any new type of authentication we use. If brainwave patterns are predictable, then machine learning could eventually use your pattern from one passphrase to predict another. Moreover, adversaries could try to trick the algorithms designed to match brainwaves, training them on faulty data so that they can no longer identify a brainwave match.
Luckily, our researchers at UC Berkeley are working on these problems (or early versions of them) as well. A number of our faculty are working on adversarial machine learning techniques to make sure that machine learning remains effective against a malicious opponent. And we are also working on stronger encryption to make it harder for adversaries to hack in the first place.
If one thing is for certain, it is that passwords are not the future of authentication online. With new techniques like “passthoughts,” we’re hoping to create a more secure online future.