A Security Brainwave

x Sponsored content on Research Live and in Impact magazine is editorially independent.
Find out more about advertising and sponsorship.

In 2016, technology news site ZDNet reported that there had been more than 3,000 public data breaches, resulting in around 2.2bn records being stolen. This has led many experts to conclude that current approaches to data protection are out-dated and should be replaced by new methods of authentication. 

A study of IT decision-makers, carried out in the US last year, revealed that 69% of organisations said they were likely to do away with passwords within the next five years. Craig Lund, founder of security solutions provider SecureAuth – which commissioned the study – said: “On the heels of recent mega breaches such as Yahoo!, in which usernames, passwords and security-question responses were compromised, there’s a growing movement from individuals and businesses for an authentication overhaul. Single-factor, password-based authentication – and even many traditional two-factor approaches – are no longer enough in today’s increasingly digital world.”

Last year, UK bank Barclays announced it was introducing voice recognition as a form of secure ID, eliminating the need for security questions and passwords. Voice recognition works by analysing the way people say words – including the sounds of their mouth and tongue – and creating a profile of 100 unique characteristics that are almost impossible to recreate. 

Several other banks and building societies, including First Direct and Santander, are introducing similar technology, while HSBC is offering voice and touch ID (fingerprint scanners for its smartphone app). Challenger bank Atom Bank allows customers to log on via a facial-recognition system. 

These techniques are clearly advanced, but two more recent developments push the boundaries even further: brainwave and gait analysis. 

Brainwaves

For some time, scientists have been working on the idea of using brainwaves as a form of identification. A group of psychologists at Binghamton University in New York State now claim to have developed a system that can be used to identify people by their ‘brainprint’, with 100% accuracy. 

In an initial experiment, the team recorded the brain activity of 32 people as they read different words, then attempted to identify the individuals from that data. This was done with levels of accuracy of between 82% and 97%. 

The researchers subsequently expanded the experiment, switching from words to images and growing the pool of participants to 50. These people were fitted with an electroencephalogram (EEG) headset and shown 500 pictures of objects intended to elicit unique responses, including a slice of pizza, Hollywood actress Anne Hathaway, and the word ‘conundrum’. 

The brain’s response to each picture was recorded and the participants were then anonymised and shown the pictures again. Based on the brain’s response, the computer had to identify who it was, and had a 100% success rate. 

One of the benefits of brainwave authentication is that it can verify a user continuously. A typical password or fingerprint-based login system requires just one authentication, so – once you’ve logged in – someone else could feasibly have access if you leave your device unattended without logging out. But, with brainwaves, the system could be reading and verifying the user’s brainwaves constantly. There are drawbacks with this verification system, however. 

A recent experiment revealed that getting drunk can interfere with brainwaves; accuracy of brainwave authentication fell to as low as 33% in some inebriated users. Other external factors – such as recent exercise, hunger, stress and fatigue – can also reduce reliability. 

Secure walking

Meanwhile, a group of scientists in Finland have been trialling the use of walking style as a way of securely pairing digital devices. 

Stephan Sigg and his team at Aalto University, in Helsinki, found that it was possible to create ‘gait fingerprints’ by analysing people’s walking styles using accelerometers and gyroscopes – most modern mobile devices contain both – and a technique called fuzzy cryptography. This is a way of obtaining identical keys from similar patterns. 

The theory is that, if two devices pick up a similar enough gait ‘fingerprint’, this is an indication that they are being worn by the same person. As a result, they can automatically connect to each other without the user needing to enter a password or unlock their smartphone. 

The researchers found that sensors on different parts of the same body generated fingerprints that were 82% similar, while fingerprints from different bodies were just 50% similar. This means the technique is less secure than fingerprint or iris scanning (see boxout, Fact File), but about as secure as voice recognition.