
Use your eyes, voice -- and thoughts -- to replace passwords

From CNET Magazine: Password protection is so last century. Take a look at the future of security.

Laura Hautala Former Senior Writer

I'm sitting in an office at the University of California, Berkeley with an electrode strapped to my head. A black headband holds a connector to my forehead and presses another to my earlobe, beaming my brain's electric signals to a nearby laptop.

It's going to read my mind.

"For this one, you're going to sing a song in your head," says Max Curran, a graduate student at UC Berkeley's School of Information. I mentally run through the first 12 seconds of "The Merry Old Land of Oz," which I sang in a middle school production of "The Wizard of Oz."

I hear the song in words and notes, but the computer sees a long string of numbers.

For three years, Professor John Chuang, co-director of the university's BioSENSE Lab, and his graduate students have been working to identify people through their brainwaves. The result is called a passthought, and it could eventually become the ultimate personal ID protector.


An electrode strapped to the author's head beams her brain's electric signals to a nearby laptop, generating what could be the next big thing in identity protection.

James Martin/CNET

Though it will take some time before passthoughts make their way out of the research lab, Chuang's work does point to the more immediate future when your computer, phone and tablet will know you by the contours of your body. That includes the pores in your skin, the sound of your voice, the folds of your ear and the symmetry of your face. If this sounds a little intimate, it's meant to be. How else can you really prove you're you?

These biometric technologies are getting pushed into the mainstream after a series of high-profile cyberhacks shone a spotlight on password weaknesses. Remember "The Fappening" in 2014? That's when hacker Ryan Collins guessed the passwords of celebrities like Jennifer Lawrence and Kaley Cuoco, and used those passwords to grab nude photos from their Apple iCloud or Google accounts.

That's the problem with passwords -- and we have only ourselves to blame. Security software company Kaspersky Lab, for example, found that nearly a quarter of the consumers it surveyed used just five passwords for almost 20 accounts. For hackers, this is the gift that keeps on giving, since the weak and recycled passwords they steal will unlock even more websites they can loot.

Relying solely on a username and password? "That's not good enough anymore," says Jon Gelsey, CEO of Auth0, which makes software that verifies users' IDs.

Eye know you

The goal of all biometrics is to spot what's unique about you. Today, that means using tech to recognize the distinctive characteristics of your eyes, fingers and voice.

You already know fingerprint readers, which are standard on many phones and tablets. But while current readers offer better security than passwords alone, they aren't foolproof. Skilled hackers have been known to replicate fingerprints using high-resolution photos.

Fortunately, readers are getting more sophisticated. Now higher-definition imaging will reveal the pores in the skin, which appear as a series of dots between the finger's ridges and grooves. That gives the image a sense of depth that's harder -- though not impossible -- to forge.

Eye scanning is reaching the mainstream too. EyeVerify, for instance, works with your phone's camera to examine the pattern of blood vessels in the whites of your eyes. Several banks and credit unions, including Republic Bank in Kentucky and Mountain America Credit Union in Utah, have added EyeVerify's technology to their mobile-banking apps.

And Wells Fargo is adding EyeVerify as one of several biometric options for a select group of corporate customers who frequently wire large sums of money. For security reasons, the transaction currently forces users through a series of cumbersome log-in steps, including a continually changing PIN.


Biometrics will make logging in "more usable and more secure," says Secil Watson, head of the bank's wholesale Internet solutions. "It will be a better experience overall."

Earlier this year, MasterCard announced a new mobile app that lets customers identify themselves with selfies anytime they buy something online. And e-commerce giant Amazon.com filed for a patent that would let customers authorize purchases with a photo of themselves.

No biometric technology is 100 percent foolproof. One challenge they all face: telling the difference between real life and fakes. Today's fingerprint readers and even eye scanners can be tricked by high-res photos.

Even your passthought could be reproduced if someone stole the math formula that represents your thought. That's a scenario that feels like something only high-value targets, such as heads of state, would have to worry about.

I think, therefore I am

Back at UC Berkeley, Curran unclamps the electrodes from my head. One thing I learn: Only you think your thoughts the way you do. That might sound like philosophy, but it's actually hard math.

Even if you imagine stepping on stage dressed as a resident of the Emerald City, your brain's folds are physically different from mine and will create a different electric signal. That's why a computer will know you're not me.

"Attackers who learn your password can use it to log in," Chuang tells me.

But not with passthoughts, "because each brain is different."

After my visit to Berkeley, I text my mom to tell her about using brainwaves to log on to my accounts. "So you think a word into your robo hat and it opens your computer?" she texts back.

That's the idea. It wouldn't work for the Scarecrow, but it could work for you and me.

Laura Hautala (@lhautala) is CNET's staff reporter covering cybersecurity and privacy. Her work has appeared in the Los Angeles Times and Politico. She is very choosy about baked goods.

This story appears in the summer 2016 edition of CNET Magazine.