In September of 2015, it was reported that hackers had stolen the fingerprint records of 5.6 million U.S. federal employees from the Office of Personnel Management (OPM). This was a severe security breach, and it is an even bigger problem because those fingerprints are now permanently compromised and the users cannot generate new fingerprints. This breach demonstrates two challenging facts about the current cybersecurity landscape. First, biometric credentials are vulnerable to compromise. And, second, biometrics that cannot be replaced if stolen are even more vulnerable to theft. This research will investigate a new type of biometric that avoids both of these problems. In particular, the research will evaluate the strengths and weaknesses of brain biometrics. Brain biometrics are more difficult to steal than fingerprints, since current technology for collecting brain biometrics is impossible to use without a person's knowledge and consent. Brain biometrics, importantly, can also be cancelled if stolen. This is because there are vast networks of the brain that generate unique activity, meaning that if a person's brainprint is stolen, they can generate a new one by tapping into a different brain network. This investigation holds the potential to transform existing authentication systems into more secure and attack-resistant brain biometric solutions; critical for high-security applications.
Brain biometrics have recently been shown to be 100% accurate in identifying people, in a pool of 50 users and across a period of up to a year. This research project will systematically evaluate the potential vulnerabilities of brainprint biometrics, with the goals of 1) demonstrating the resistance and robustness of brainprints to the most likely attacks and 2) developing a comprehensive protection plan addressed at the most vulnerable aspects of this method. In particular, the interdisciplinary team plans to investigate psychological and computational attacks. Psychological attacks consist of attempting to force a user to provide their brainprints under duress, or attempting to impersonate a target brainprint through biofeedback entrainment process. Computational attacks consist of attempting to circumvent brainprint authentication system through presenting a counterfeit or stolen brainprint, with varying levels of obfuscation, such as the addition of noise, and attacking the stimuli database. This project will examine potential vulnerabilities in brain biometrics at an unprecedented level of detail, and convert the resulting knowledge into recommendations for implementation of brain biometrics to guard an increasingly vulnerable cyberspace.