Psychologists and engineers at Binghamton University in New York have hit a milestone in the quest to use the unassailable inner workings of your brain as a form of biometric identification. They came up with an electroencephalograph system that proved 100 percent accurate at identifying individuals by the way their brains responded to a series of images.
“It's a big deal going from 97 to 100 percent because we imagine the applications for this technology being for high-security situations,” says Sarah Laszlo, assistant professor of psychology at Binghamton who led the research with electrical engineering professor Zhanpeng Jin.
Perhaps only one other such experiment in the long quest for this ultimate biometric has hit the 100 percent mark, and the Binghamton system has some advantages over even that one. For one it proved itself with less complex equipment and in a larger group, identifying 50 people. But perhaps more importantly this new form of ID can do something fingerprints and retinal scans can’t: It can be “cancelled.”
That’s important because hackers have shown that fingerprints can be stolen and faked. For instance, in 2014 hackers claimed to have cloned German defense minister Ursula von der Leyen’s fingerprints just by taking a high-definition photo of her hands at a public event.
This new brain biometric, which its inventors call CEREBRE, dodges that problem because it’s based on the brain’s responses to a sequence of particular types of images, and those images can be changed or resorted to essentially make a new biometric passkey, should the other one somehow be hacked. (More on how Laszlo is trying to hack it below.)
CEREBRE, which they describe this month in IEEE Transactions in Information Forensics and Security, involves presenting a person wearing an EEG system with images that fall into several categories: foods people feel strongly about, celebrities who also evoke emotions, simple sine waves of different frequencies, and uncommon words. The words and images are usually black and white, but occasionally one is presented in color, because that produces its own kind of response.
Each image causes a recognizable change in voltage at the scalp called an evoked response potential, or ERP. Each category of image involves somewhat different combinations of parts of your brain, and they were already known to produce slightly differently shaped ERPs in different people. Laszlo’s hypothesis was that using all four would create enough different ERPs to accurately identify a person.
The EEG responses were fed to software called a classifier. After testing several schemes including a variety of neural networks and other machine-learning tricks, the engineers found that what actually worked best was a system based on simple cross-correlation.
In the experiments, each of the 50 subjects saw a sequence of 500 images flashed for 1 second per image. “We collected 500 knowing it was overkill,” she says. Once they crunched the data they found that just 27 images would have been enough to hit the 100 percent mark.
So, 27 seconds for a biometric passcode that’s embedded in your mind but that you can change if needed? Well, not quite yet.
The experiments were done using a high-quality research-grade EEG—30 sensitive electrodes attached to the skull with conductive goop. However, the data showed that the system only needs three of them for 100 percent identification, and Laszlo says her group is working on simplifying the setup. They’re testing consumer EEG gear from Emotiv and NeuroSky, and they’ve even tried to replicate the work with electrodes embedded in Google Glass, though the results weren’t spectacular, she says.
If the system can be adapted to consumer gear, it would put some pretty tough-to-crack biometric security in the hands of anybody who could afford it. But that’s not what Laszlo is really excited about. What she really wants is to try to hack CEREBRE.
How can you hack something that depends on your thought patterns? Assuming you already had access to the image sequence and a person’s EEG, one way, Laszlo explains, would be to flash light into a subject’s eye at precise times while they’re observing the images. These flashes are known to alter the shape of the ERP, though she doesn’t know if the shape would change enough to fool the CEREBRE classifier.
“The awesome part of this—the crazy science fiction part—is to see if the attitude of the hacker changes to be more like the” target of the hack, she says.