DOI: 10.1145/1146269.1146282
Article

Pass-thoughts: authenticating with our minds

Published: 20 September 2005

ABSTRACT

We present a novel idea for user authentication that we call pass-thoughts. Recent advances in Brain-Computer Interface (BCI) technology indicate that there is potential for a new type of human-computer interaction: a user transmitting thoughts directly to a computer. The goal of a pass-thought system would be to extract as much entropy as possible from a user's brain signals upon "transmitting" a thought. Provided that these brain signals can be recorded and processed in an accurate and repeatable way, a pass-thought system might provide a quasi two-factor, changeable, authentication method resistant to shoulder-surfing. The potential size of the space of a pass-thought system would seem to be unbounded in theory, although in practice it will be finite due to system constraints. In this paper, we discuss the motivation and potential of pass-thought authentication, the status quo of BCI technology, and outline the design of what we believe to be a currently feasible pass-thought system. We also briefly mention the need for general exploration and open debate regarding ethical considerations for such technologies.


Published in

NSPW '05: Proceedings of the 2005 workshop on New security paradigms
September 2005
133 pages
ISBN: 1595933174
DOI: 10.1145/1146269

Copyright © 2005 ACM

Publisher: Association for Computing Machinery, New York, NY, United States

Overall Acceptance Rate 40 of 106 submissions, 38%
