Inexpensive Brainwave Authentication:New Techniques and Insights on User Acceptance
Centerfor
Applied Security
Technology
Patricia Arias-Cabarcos, Thilo Habrich, Karen Becker, Christian Becker, Thorsten Strufe
- Offline/Online Cracking- Phishing, social engineering, spyware, etc.
- memorize, type, follow complex policies- users can’t cope well with passwords 1
1 Adams, Anne, and Martina Angela Sasse. "Users are not the enemy." Communications of the ACM 42.12 (1999): 40-46.
Passwords are ubiquitous despite…
Security ProblemsPoor Usability
Bio-metrics as alternative
Identity = Something You Are• Physiological or Behavioral
• Usability advantage!
Propelled by:• Sensor advances, miniaturization
• Computing power
• Artificial Intelligence
Why Brainwave Authentication?
4
• Brainwaves have distinctive features
• Advantages: not observable, intrinsic liveness detection
• Can be implicitly sensed!
+Accurate
-Expensive
-Cumbersome
-Less Accurate +Cheap
+Easier to use
Most Researchso far
Medical-grade EEG reader Consumer-grade EEG reader
Why Brainwave Authentication?
5
Brainwaves have distinctive features
Advantages: not observable, revocable, intrinsic liveness detection
Can be implicitly sensed
+Accurate
-Expensive
-Cumbersome
Most Researchso far
Medical-grade EEG reader
RQ-1| Is it possible to achieve accurate authentication with consumer devices?
RQ-2| Would it be perceived as usable by users?
-Less Accurate +Cheap
+Easier to use
Methodology—System Design
Methodology—Data acquisition | Usability Survey
54v
Lab Experiment
• N = 52 subjects
59% males
68% < 31 years old
• 5 Authentication Tasks
up to 10x larger than previous work
3 never used for authentication
beforeVisual/Textual Stimuli
False Acceptance Rates (FAR)False Rejection Rates (FRR)
Performance evaluation metrics:
Methodology—Data acquisition | Usability Survey
ProblemsImprovements
EnjoyabilityAttention
Repeatability
Quantitative
Qualitative
Inspired by:
Chuang et al. “I think therefore I am: usability and security of authentication using brainwaves ." Lecture Notes in Computer Science, 7862 LNCS:1–16, 2013.
Payne, J. et al. "Responsibility and tangible security: Towards a theory of user acceptance of security tokens." arXiv preprint arXiv:1605.03478 (2016).
9
Methodology—Authentication Tasks
Standard Oddball/TargetExample Task: User Selected Image
P300
© S. J. Luck
• Oddball Paradigm• Infrequent image within a series
Other Tasks: Semantic processing of images, words, sentences
Selected Image
Performance Results
Familiar/Unfamiliar Faces
Car Track Road Price Highway
Apple Biology Moon Circle Kitchen
Hunger Opera Mushroom
“I take my coffee
with cream and dog”
Selected Image Assigned Image Words
Incongruent Sentences
Performance Results RQ-1| Is it possible to achieve accurate authentication with consumer devices?
• Average Equal Error Rate = 14.5% Improves related work with consumer devices
EER=22-26% (N=10-30 participants) Comparable to results with medical devices
• Needs improvement for practical application• FAR = 1.8%, FRR=46%Lower error rates expected with personalized stimuli
Quantitative— Enjoyability, Attention, Repeatability
- Faces stimuli beat all other tasks
- Visual stimuli preferred to textual stimuli
RQ-2| Would it be perceived as usable by users?
User Study Results
Qualitative—Problems/Improvements
- Simpler headsets desired
- Authentication must be quick
- Stability of brainwaves
- Privacy concerns
Quantitative— Enjoyability, Attention, Repeatability
- Faces stimuli beat all other tasks
- Visual stimuli preferred to textual stimuli
RQ-2| Would it be perceived as usable by users?
User Study Results
- “Mind Reading”- Manipulation
“Changing of individual opinion due to presented stimuli, e.g., in
particular politicians".
“Keep the authentication process as short as possible”
Takeaways
Thanks!
• Comprehensive analysis of stimuli-response brain authentication- Feasible with consumer EEG devices- User insights for future prototypes
• Performance, robustness & usability in the wild• Multimodal implicit authentication• Privacy
patriAriasC
Future Directions
• Applicability: Hands-free scenarios, VR
• Experiment Material: https://git.scc.kit.edu/kr2925/brainwave-authentication
