Picture-Perfect Passwords

To overcome password fatigue, many smartphones include fingerprint scans, facial recognition and other biometric systems. The trouble with these easy-to-use tools is that once compromised—yes, they can be hacked—you can’t reset them.

“You can’t grow a new fingerprint or iris if that information is divulged,” says Wenyao Xu, assistant professor of computer science and engineering in the University at Buffalo School of Engineering and Applied Sciences.

“That’s why we’re developing a new type of password, one that measures your brainwaves in response to a series of pictures. Like a password, it’s easy to reset, and like a biometric, it’s easy to use.”

For their system, Xu and his collaborators reconfigured a virtual reality headset to measure the brain’s unique patterns of electrical activity. Then, over multiple sessions, 179 test subjects were shown specific image types—an animal, a celebrity and an encouraging phrase—in rapid succession to stimulate different areas of the brain.

The resulting brainwaves worked as a password that was about 95 percent effective.

Xu was motivated to create a truly cancelable biometric password after hackers stole the fingerprint files of 5.6 million workers from the U.S. Office of Personnel Management in 2015.

The “brain password,” which would require users to wear a headset, could have implications in banking, law enforcement, airport security and other areas.

While wearing a headset may not appeal to common internet users, companies with deep concerns about cybersecurity may be early adopters of the technology, says Xu, who plans to continue work on the system to make it more reliable and appealing to users.