Eliminate passwords and stop the hackers. That is the message heralded by many in the security industry. Passwords are a lousy means of protecting sensitive data, largely because users tend to choose laughably bad ones. Even a great password does not offer total security: WIRED writer Mat Honan has described how attackers took over his accounts despite his 19-character alphanumeric passwords, not by cracking them but by social-engineering Apple and Amazon customer support around them:
“The age of the password is over,” Honan wrote more than three years ago, under the headline “Kill the P@55w0rd,” in a 5,000-word piece arguing that passwords are dead.
Think a jumble of characters can keep you safe? You’re wrong.
So, what to do about passwords?
Two-factor authentication is the answer, for now
Two-factor authentication has been the most popular method for adding layers of security to traditional passwords. Here, a user must present two distinct kinds of factor to gain access:
- Knowledge factor: something only the user knows, like a password.
- Possession factor: something only the user holds, usually a small hardware device like a smart card, key fob or USB security key. The RSA SecurID Authenticator fob is a popular example: it displays a short one-time code that changes on a fixed time interval, and the user supplies the current code along with their password in order to reach restricted data.
- Inherence factor: something the user is, a biometric trait like a fingerprint.
The knowledge + possession combination has become the commonplace two-factor procedure. In fact, if you are one of the 425 million Gmail users in the world, you can opt in to Google's 2-Step Verification to protect your Google data.
Inherence-factor authentication has mainstream use as well, with Touch ID fingerprint authentication on iOS and on certain Android phones, like the Samsung Galaxy S5. A fingerprint alone is still single-factor; for true two-factor authentication it would need to be paired with a knowledge or possession factor. And unlike a password, a fingerprint can be forged, and it cannot be changed once it has been copied.
Two-factor authentication is all in your head—literally
The thing about two-factor authentication is that it is kind of a pain. Toting around a fob and remembering a password sounds easy enough, but remember that the most common password is still 123456, and users generally dislike any sort of authentication at all.
Researchers may have found a way to achieve two-factor authentication using only brain waves. John Chuang and Thomas Maillart of the University of California, Berkeley and Benjamin Johnson of Carnegie Mellon University found that consumer-grade, headband-style electroencephalography (EEG) devices can unlock a computer in lieu of a traditional passcode. Here is how they figured this out.
Research subjects were instructed to focus on a “passthought” for 10 seconds while the EEG headband recorded their brain waves and transmitted them over Bluetooth; that recording was then enrolled as an authentication factor. Users were later able to reproduce the passthought to gain access. The researchers report their findings in the paper My Thoughts Are Not Your Thoughts: the EEG tests were nearly 100 percent accurate, with zero false lockouts, meaning no legitimate user was rejected.
The researchers contend that passthoughts qualify as two-factor authentication: they combine the inherence factor (your brain's signal, which is unique to you) with the knowledge factor (the secret thought itself).
Surprisingly, these aren't really new findings. The technology used to achieve these lab results is actually about 10 years old; only recently has it been available to consumers. The researchers used a device called the NeuroSky MindSet, which is very similar to the Muse headband.
Like the MindSet, Muse measures EEG waves and transmits the signals via Bluetooth to a smartphone. So far, the product has been marketed as something to help people monitor stress levels—sort of like a fitness tracker for your brain. It lets you check in on yourself, offering a data-driven look at your mental well-being.
Apps like Muse Calm prompt users to engage in breathing and relaxation when EEG readings indicate stress. So far, then, Muse and EEG have been limited to improving the user's headspace. With EEG capture and transmission devices like Muse now shown in a security and two-factor authentication context, a whole new world of research and development could open up for the technology.
The initial research also found that impostors attempting to forge a target's EEG signal had low success rates. That might give EEG the potential to overtake fingerprint and retinal scans as the inherence factor of choice.
As cool as this technology is, users will surely balk at carrying an EEG headband and concentrating on a passthought for 10 seconds every time they need access. Nonetheless, the findings are exciting for two-factor authentication proponents.
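The accuracy figures cited above, near-100 percent recognition with zero false lockouts and low impostor success, are the two error rates any biometric factor is judged on: the false rejection rate (FRR, the legitimate user locked out) and the false acceptance rate (FAR, an impostor let in). The following is an added illustration, not the researchers' classifier and not their data, of the enrol-then-verify loop using plain template matching: several enrolment recordings are averaged into a template, and a fresh recording is accepted when it lies within a threshold of that template. The recordings are constructed 16-dimensional feature vectors with synthetic Gaussian noise standing in for EEG features, and the impostor is deliberately given a signal close to the user's so the trade-off is visible. The threshold multipliers and the noise level are assumptions for the demo.

```python
"""Added illustration of biometric enrol/verify and the two error rates a
factor like a passthought is judged on. Plain template matching on constructed
feature vectors; this is NOT the researchers' classifier and NOT EEG data."""
import math
import random
from typing import List, Tuple

Vector = List[float]

def euclidean(a: Vector, b: Vector) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def enrol(recordings: List[Vector]) -> Tuple[Vector, float]:
    """Average the enrolment recordings into a template and measure the user's
    own variation (mean distance of those recordings to the template)."""
    dims = len(recordings[0])
    template = [sum(r[i] for r in recordings) / len(recordings) for i in range(dims)]
    spread = sum(euclidean(r, template) for r in recordings) / len(recordings)
    return template, spread

def verify(template: Vector, threshold: float, recording: Vector) -> bool:
    """Accept when the fresh recording lies within `threshold` of the template."""
    return euclidean(recording, template) <= threshold

def error_rates(template: Vector, threshold: float,
                genuine: List[Vector], impostor: List[Vector]) -> Tuple[float, float]:
    """FRR: share of genuine attempts rejected. FAR: share of impostor attempts accepted."""
    frr = sum(not verify(template, threshold, r) for r in genuine) / len(genuine)
    far = sum(verify(template, threshold, r) for r in impostor) / len(impostor)
    return frr, far

def synthetic_recordings(rng: random.Random, base: Vector, n: int, noise: float) -> List[Vector]:
    """Constructed stand-in for repeated recordings: base signal plus Gaussian noise."""
    return [[v + rng.gauss(0.0, noise) for v in base] for _ in range(n)]

def sweep(multipliers=(1.0, 1.5, 2.0, 2.5, 3.0), seed: int = 7) -> List[Tuple[float, float, float]]:
    """Set the threshold at k x the enrolment spread for several k and report
    (k, FRR, FAR). Raising k lets the user in more reliably, and the impostor too."""
    rng = random.Random(seed)
    dims, noise = 16, 0.05          # assumed feature size and noise level
    user = [rng.uniform(-1.0, 1.0) for _ in range(dims)]
    # A hard impostor: a signal close to the user's (offset 0.1 in every dimension).
    impostor = [v + 0.1 for v in user]
    template, spread = enrol(synthetic_recordings(rng, user, 10, noise))
    genuine_trials = synthetic_recordings(rng, user, 200, noise)
    impostor_trials = synthetic_recordings(rng, impostor, 200, noise)
    return [(k,) + error_rates(template, k * spread, genuine_trials, impostor_trials)
            for k in multipliers]

if __name__ == "__main__":
    for k, frr, far in sweep():
        print(f"threshold = {k:.1f} x spread   FRR = {frr:6.1%}   FAR = {far:6.1%}")
```

The sweep shows why a single accuracy number is incomplete: a tight threshold drives FAR to zero at the cost of false lockouts, a loose one does the opposite, and a biometric factor is honestly described only by both rates at the operating point it ships with.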