The Passing of the Password

The days of the password may be numbered. A probable replacement? Biometric authentication.

Passwords have the rare distinction of being both too simple and too complex. Many average people struggle to create and remember high-quality passwords, but security experts remain concerned that even the best passwords are still not good enough to keep our accounts secure. As companies scramble to find the best password replacement, many are looking to the human body for help.  If the trend continues, your next password may be tattooed on your skin, hidden in your brainwaves, or even sitting in your stomach.

Each password is used about 3.9 times. You’re only supposed to use each password once, so this is far from ideal

“Web services, like Gmail and Twitter and LinkedIn, they’re all trying to push two-factor authentication for their services because they worry about people hacking in, they worry about people not choosing strong passwords,” says John Chuang, a professor at the University of California, Berkeley School of Information.

According to researchers at Microsoft, the average web user has 25 password-protected accounts but only 6.5 different passwords. That means each password is used about 3.9 times. You’re only supposed to use each password once, so this is far from ideal. One of the favored solutions to our password failings is two-factor authentication. When someone uses an ATM, they have to present a physical item (their ATM card) along with something they’ve memorized (their PIN). That’s two-factor authentication.

Different companies are approaching two-factor authentication in various ways. Some use hardware that you plug into your device, like Yubico. Others, like Google, LinkedIn, and Twitter will send a code to your phone when you sign in (this acts as the physical factor). The more futuristic approach gaining interest lately involves using our own bodies as part of our authentication.


Followers of the biometric authentication trend have had their interest piqued by Motorola’s presentation at the recent D11 conference. Regina Dugan, former DARPA director and the Senior Vice President of Advanced Technology and Projects at Motorola told the audience about potential biological password replacements. One of her examples was MC10’s biostamp, a kind of temporary tattoo made of stretchable circuits that is being developed to communicate directly with wireless devices.

The brainwaves that were recorded while they performed their mental tasks served as their “pass-thought”

Dugan also mentioned the possibility of an authentication pill; an ingestible sensor produced by Proteus Digital Health that is the size of a pencil tip, made of magnesium, copper, and cellulose, and is powered by the electrolytes in stomach acid. Once activated, the pill creates a small electrical signal that can be sensed from outside the skin. Paired with an electronic skin patch as part of the Proteus Digital Health Feedback System, the sensor’s signal can be recorded and sent to digital devices. While Proteus Digital Health says it’s not working with Motorola at present, their Feedback System—currently used to remotely monitor patient’s medication compliance and physical state—is already available by prescription in the U.K. and will likely be available in the U.S. by the end of this year.

Berkeley professor Chuang is currently studying the use of electroencephalograms (EEG)—brainwave measurements taken along the scalp—as a means of verification. “The idea is to make use of our brainwave signals to authenticate users, leveraging the facts that each one of us has some unique patterns in our brainwave signals,” he says. The way the technology works is by having the user perform a specific mental task while wearing a headset with an EEG sensor. This automatically qualifies as two-factor authentication because it requires the user’s brain (physical) and his/her specially chosen task (memorized).

For Chuang’s study, they were specifically interested in the kinds of tasks people might use as authentication. Examples of these tasks included singing a song in their head, imagining a repetitive motion from a sport of their choosing, or focusing on their breathing. The brainwaves that were recorded while they performed their mental tasks served as their “pass-thought.”

… possibly even controlling the computer with your thoughts

Overall, the results were encouraging. Researchers could easily differentiate between the brainwaves of two different people performing the same task and the same person performing different tasks. They reported an error rate of less than 1 percent. Another upside to this technology when compared with other biometric verification technologies (i.e. fingerprint and retina scanning and facial and voice recognition) is that it can be relatively cheap while remaining high-quality. Chuang’s research was unique in that it employed the use of consumer-grade EEG sensors. While sensors that are usually used in studies cost thousands of dollars, the EEG sensor that Chuang used sells for $199 and is paired with a Bluetooth headset. A similar version can be obtained for under $100.

The real downside of this technology so far is setting it up. “If this were to become usable, it has to be streamlined,” says Chuang. In the same way that websites often have you input your password multiple times to verify a match, the EEG sensors need multiple readings of a person’s brainwaves to establish the pass-thought. Chuang had each of his research subjects do their mental task for 10 seconds, five different times. All together, the setup process took about 30 to 45 minutes. Logging in afterward took about 10 seconds. Follow-up research will be targeted at hastening both processes.

Another potential roadblock is the consumer’s willingness to wear the sensor. But with the launch of mainstream wearable computers like Google Glass impending, Chuang says that the sensors will likely become a go-to for users. The actual EEG sensors could simply be built into the structure of the wearable computer and used for purposes other than authentication—possibly even controlling the computer with your thoughts.

With all of the excitement about consumer-ready biometric authentication, the password may very soon be a thing of the past. In the meantime, keep up those long, complicated, account-specific passwords and consider practicing your mental rendition of “The Safety Dance.”