Authenticating with our minds

Designed by Jyothish sirigidi, AITAM Tekkali


A novel idea for user authentication, called pass-thoughts, is presented.

Recent advances in Brain-Computer Interface (BCI) technology indicate that there is potential for a new type of human-computer interaction: a user transmitting thoughts directly to a computer.

Overview of Brain Computer Interface

A brain-computer interface (BCI), sometimes called a direct neural interface or a brain-machine interface, is a direct communication pathway between a human or animal brain and an external device.

There are two types of BCIs

One Way BCIs

Two Way BCIs

Working of BCI

Cerebral electric activity is recorded via the electroencephalogram (EEG): electrodes, attached to the scalp, measure the electric signals of the brain.

The electrical activity in the brain is measured by 128 electrodes affixed to the person’s scalp, as for an electroencephalogram (EEG).

These signals are amplified and transmitted to the computer, which transforms them into device control commands.

It is possible to operate devices which are connected to the computer; such a communication can even be done via the internet.

Possible applications for BCIs

Mental typewriter: translates thoughts into cursor movements on a computer screen, allowing paralyzed patients to write texts.

To control a prosthetic device.

For creating a whole new class of video games.

Can be integrated in active car safety systems.

Video Games

Type Writer

Textual Passwords

Popularity is due to:

Low cost.

User familiarity.

Lack of other alternatives.

Limitations:

Passwords have low entropy in practice (making them susceptible to dictionary attacks).

Often difficult to remember.

Vulnerable to “shoulder surfing”.

Acoustic attacks.

Graphical Passwords

People have a remarkable memory for pictures.

Recall-based graphical password schemes include:

Draw-A-Secret.

Schemes that require a user to click on parts of a presented image.

Limitations:

Graphical password schemes are vulnerable to shoulder-surfing.

Guessing attacks.

Biometric Systems

Authentication is done by using the unique physical or behavioral characteristics of users like:

Fingerprints. Iris. Voice recognition. On-line (handwritten) signature verification. Keystroke dynamics.

Limitations:

They cannot be easily changed.

This characteristic, combined with the threat of theft, leaves biometrics unsuitable for remote authentication.

Smart Cards

Smart cards can be used to securely authenticate users to remote servers, but at the cost of per user hardware tokens.

Pass Thoughts: Authenticating With Our Minds

There is uniqueness within our brains.

Two different thoughts by the same person are expected to result in distinguishable signals.

It is plausible that if two people think of the same thing, the brain signals emitted would be distinguishable.

A pass-thought could be the measured response to a stimulus (e.g. pictures, music, video clips, or the touch of raised pin patterns).

A pass-thought could belong to:

A language (as in textual passwords).

An image (as in graphical passwords).

A type of (imagined) movement.

An abstract thought.

An emotion.

A memory.

Pieces of music can be represented by a thought.

Current Status of BCI Technology

The first research relating to BCIs appeared in the 1960’s.

It is still in its infancy for a variety of historic reasons:

The chance of extracting a user’s intended message (i.e. a yes/no answer to a question) from brain signals appeared to be extremely remote.

It is only in recent years that the cost of computers with sufficient processing power to analyze electroencephalography (EEG) signals in real-time has become affordable.

There was not much resulting interest in the limited applications that a first generation BCI was likely to offer.

Basic design of a BCI system

FEASIBLE PASS THOUGHTS BASED SYSTEM

Here pass-thoughts are treated exactly like passwords.

A scheme is proposed which uses evoked P300 potentials for a spelling device for the disabled.

WHAT IS P300?

The P300 potential is a positive potential that is evoked about 300 ms after a surprising or exciting event.

When the user sees the part of their “pass-thought” highlighted (see fig 3), a P300 spike is generated for the spelling device.

The P300 potential spikes are silently recorded, and the system determines whether the user’s P300 firing matched the expected template that represents the account’s password.

This type of scheme could be used in conjunction with either textual or graphical passwords, where a sequence of letters, pictures, or points on a picture are highlighted at random times.

Electrodes record the P300 spikes generated by the user.

The results of BCI communication so far have low bit rates, thus a yes/no answer can be assumed.

F is a set of P300 potentials.

Best algorithm to record P300 signals.

A one-way hash function H is used to store the pass-thought.

Upon input completion, the hashed pass-thought H(R) is compared to the stored pass-thought hash for the user, and login succeeds if they match.

SECURITY ANALYSIS

A pass-thought system is unobservable and resistant to shoulder-surfing attacks, acoustic attacks, and interception attacks.

Using such a scheme, even if a particular pass-thought is successfully communicated, a social engineer’s brain signal may be different from the user’s upon thinking “the same thing”.

For these reasons, the size of pass-thought space might be sufficiently large to protect against most dictionary attacks.


FUTURE OF PASS THOUGHTS

The ultimate goal of a pass-thought system is to extract as much repeatable entropy as possible from a user’s brain signals upon “entering” a thought.

A signal S is recorded from a BCI which is processed into as many features F as possible.

From a series of repeated trials of entering a pass-thought, the largest matching number of features R will be considered repeatable.

This R is the pass-thought: the repeatable subset of brain signal features, which is stored in the system using “fuzzy” encryption.
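The enrollment step described here (signal features F reduced to a repeatable subset R) combined with the earlier H(R) comparison, as an added example that is not part of the original presentation. It assumes features are already quantized to 0/1, that H is salted PBKDF2-HMAC-SHA256, and that the indices of R are stored as public helper data; all function names are hypothetical.

```python
import hashlib
import hmac
import os

def repeatable_subset(trials):
    """Return R as {feature index: value} for features identical in every trial."""
    first = trials[0]
    return {i: v for i, v in enumerate(first)
            if all(t[i] == v for t in trials[1:])}

def _encode(indices, sample):
    # Canonical byte encoding of the selected feature values, in index order.
    return bytes(sample[i] for i in indices)

def enroll(trials, iterations=100_000):
    """Build the stored record: salt, indices of R, and H(R). R itself is not kept."""
    indices = sorted(repeatable_subset(trials))
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", _encode(indices, trials[0]),
                                 salt, iterations)
    return {"salt": salt, "indices": indices,
            "iterations": iterations, "hash": digest}

def verify(record, sample):
    """Recompute H(R) from a fresh sample and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256",
                                    _encode(record["indices"], sample),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])

# Constructed sample data: each trial is a vector of quantized features F
# (1 = P300 response detected for that stimulus, 0 = none).
ENROLL_TRIALS = [
    [1, 0, 0, 1, 1, 0, 1, 0],
    [1, 0, 1, 1, 1, 0, 0, 0],
    [1, 0, 0, 1, 1, 0, 1, 0],
]
GENUINE = [1, 0, 1, 1, 1, 0, 0, 0]  # differs only in unstable features 2 and 6
NOISY = [1, 0, 0, 1, 0, 0, 1, 0]    # repeatable feature 4 flipped by noise

if __name__ == "__main__":
    rec = enroll(ENROLL_TRIALS)
    print("R indices:", rec["indices"])
    print("genuine accepted:", verify(rec, GENUINE))
    print("noisy accepted:", verify(rec, NOISY))
```

An exact hash comparison rejects a genuine user as soon as one repeatable feature flips, which is the gap the “fuzzy” storage mentioned above has to close. The stored indices also reveal which features are stable, and a short R leaves few candidates to guess.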

An authentication token is provided to access device D.

To enable the device, a pass-thought is used in place of a PIN number.

A candidate token may be a cell phone or PDA, which reduces the risk of the pass-thought being recorded by a hardware tap.

The tapping problem is not solved by this solution, but moves from per-system to per-user.

Look and feel for hardware interface by providing headphones.

Why Pass-Thoughts?

The primary benefits of pass-thoughts are that they are visually unobservable and silent.

Eye-gaze tracking.

Flexible nature of pass-thoughts. Increasing complexity of pass-thought implies longer thought.

Thoughts cannot be shared as they are not describable by communication mediums.

MANY AREAS OF FUTURE WORK

Understanding brain phenomenon.

Acquisition of brain signals.

Extraction of features.

Algorithms to aid in repeatability of a “transmitted” thought.

Care is needed in processing and extracting parts of the signal, which will decrease the amount of information provided by the pass-thought.

Low training time for user acceptance.

Conclusion

A user authenticates to a device by “transmitting” a thought. This transmission would occur through a Brain Computer Interface (BCI).

The advantages of pass-thoughts over many of the existing authentication technologies include: Changeability. Shoulder surfing resistance. Protection against theft. User non-compliance.

Disadvantages of pass-thought authentication include the requirement for a new hardware component (including electrodes) to record the user’s brain signals.
