Most security pundits say passwords have to go. Mat Honan, senior writer at WIRED, would agree wholeheartedly. “Hackers destroyed my entire digital life in the span of an hour,” writes Honan in this WIRED post. He adds, “No matter how complex, no matter how unique, your passwords can no longer protect you.”

Honan would not get much argument, but what is to replace the ubiquitous password? A quick search online produces a dizzying number of options. Products using some form of biometric technology are the choice du jour, mainly because users no longer have to remember sufficiently long and complex passwords. The biometric scanners now on the market are single-factor authentication, however, and experts question whether a single factor is secure enough to supplant multi-factor authentication.

So why not use biometrics and multi-factor authentication?

Multi-factor authentication is not the simplest or the cheapest thing to pull off, which is why more than a few authentication systems advertised as multi-factor aren’t. Another issue is that multi-factor authentication is not user-friendly. Before explaining why, it would behoove us to define multi-factor authentication.

By the standard definition, to be truly multi-factor, the person being authenticated must present validation factors from at least two of the following categories:

  • Knowledge: Things only the user knows, such as a password or PIN
  • Possession: Things only the user has, such as an ATM card or hardware token
  • Inherence: Things only the user is, such as a biometric

Simply put, the more independent factors required, the more difficult it becomes for an attacker to gain access with forged or stolen evidence; a second password adds little, because compromising one knowledge factor usually means the other can be compromised the same way. “The number and independency of factors is important, since more independent factors imply higher probabilities that the bearer of the identity evidence indeed holds that identity in another realm,” explains Wikipedia.

Considering users are not that crazy about single-factor authentication, adding more factors only increases their angst. For instance, a popular two-factor scheme requires a password plus a one-time code read from a time-based hardware token such as RSA’s SecurID, which means a second, separate step at every login.

What if…

What if there’s biometric technology that’s inherently multi-factor? Problem solved, right? There is research that does exactly that.

I recently talked to John Chuang, professor at University of California-Berkeley’s I School. Building on previous research, Chuang, along with Thomas Maillart, University of California, Berkeley, and Benjamin Johnson, Carnegie Mellon University, figured out how to authenticate users to their computer systems using brainwave signals — passthoughts — collected by consumer-grade wireless headsets and wearable devices containing electroencephalography (EEG) sensors. “This possibility is especially interesting because brain-wave-based authentication naturally meets the criteria for two-factor authentication,” mentions the researchers’ paper My Thoughts Are Not Your Thoughts (PDF).

“Passthoughts can be considered two-factor authentication since they include both the knowledge factor (your chosen mental thought, which is a secret known only to you) and the inherence factor (the EEG signals coming from your brain),” explains Chuang.

“Furthermore, it provides one-step two-factor authentication, since both factors can be presented at the same time. This is particularly important from a usability perspective, as many users balk at the extra effort required to present a second authentication factor.”

Chuang added that using EEG signals for authentication was possible 10 years ago, but the approach required medical-grade EEG devices that were cumbersome and expensive. That changed three years ago when consumer-grade EEG devices costing significantly less, like the Muse headband, became available.

The first tests using consumer EEG devices didn’t go well: the system worked, but accuracy was terrible. Chuang said the team altered the procedure and the back-end analytics, which brought accuracy nearly up to that achieved with medical-grade devices. In the team’s tests, authentication with EEG signals is now nearly 100% accurate. The researchers’ paper adds:

  • The authentication system is relatively robust against impersonation attacks.
  • The extent to which passthought knowledge aids an attacker is strongly dominated by the extent to which not having exactly the defender’s brain hinders the attacker.

Good idea?

The researchers concluded that EEG-signal readers are a viable option, and that’s after working hard to find fault with the technology. “Our goal was to measure the robustness of brainwave signal authentication systems against direct impersonation attacks,” mentions Chuang. “Building on the authentication system, we simulated several thousand impersonation attacks and categorized the results to examine how knowledge conditions about the defender’s secret thoughts might impact the attacker’s success rates.”

The success rate of the impersonation attacks, state the researchers, is low. They also feel authentication using EEG signals does not exhibit the same weaknesses as other biometric authentication methods such as fingerprint and iris scanners: a fingerprint or iris pattern is on display to the world and can be captured, whereas a chosen thought is not. “Our thoughts, in contrast, seem secure because we control our own minds and imaginations,” mentions the paper. “My thoughts are not your thoughts.”
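To make the evaluation described above concrete, here is an added example (not the researchers’ code, data, or classifier) of the kind of impersonation-attack harness a practitioner would build around a passthought verifier. Everything in it is an assumption for illustration: the “EEG features” are synthetic vectors constructed inline as user signature + task signature + noise, the verifier is a simple template matcher with a distance threshold calibrated on the enrollment samples, and the two attacker conditions are an impostor who knows the defender’s secret thought and one who performs the wrong thought. The names (PassthoughtVerifier, simulate, BRAIN, TASK, NOISE) are hypothetical.

```python
"""
Toy impersonation-attack harness for a brainwave ("passthought") verifier.

Added example, not the researchers' code or data. The EEG "features" are
synthetic (constructed here) so the script runs offline. A sample is modelled
as  user_signature + task_signature + noise, so a genuine login differs from
an impostor's attempt by the brain term, and from an impostor who does not
know the secret thought by the task term as well. All constants are assumptions.
"""
import math
import random
from statistics import mean, pstdev

DIM = 16      # synthetic EEG features per sample (assumption)
NOISE = 1.0   # per-feature noise spread of a single recording (assumption)
BRAIN = 1.5   # spread of the per-user signature, the inherence factor (assumption)
TASK = 1.0    # spread of the per-thought signature, the knowledge factor (assumption)


def gaussian_vector(rng, spread, dim=DIM):
    return [rng.gauss(0.0, spread) for _ in range(dim)]


def sample(rng, brain, task):
    """One synthetic EEG feature vector: brain + task + fresh noise."""
    return [b + t + rng.gauss(0.0, NOISE) for b, t in zip(brain, task)]


def distance(u, v):
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(u, v)))


class PassthoughtVerifier:
    """Template matcher: enroll on recordings of the secret thought, then accept
    a fresh recording whose distance to the template is below a threshold set
    from the enrollment distances (mean + k * std)."""

    def __init__(self, enrollment, k=2.5):
        n = len(enrollment)
        self.template = [sum(col) / n for col in zip(*enrollment)]
        dists = [distance(s, self.template) for s in enrollment]
        self.threshold = mean(dists) + k * pstdev(dists)

    def verify(self, probe):
        return distance(probe, self.template) <= self.threshold


def acceptance_rate(verifier, probes):
    return sum(verifier.verify(p) for p in probes) / len(probes)


def simulate(seed=1, n_tasks=5, n_enroll=30, n_trials=1000):
    """Acceptance rates for the genuine user and for two impostor conditions:
    the attacker knows the secret thought, or performs a different thought.
    A fresh attacker brain is drawn for every trial."""
    rng = random.Random(seed)
    tasks = [gaussian_vector(rng, TASK) for _ in range(n_tasks)]
    defender = gaussian_vector(rng, BRAIN)
    secret = 0  # index of the defender's chosen mental task
    verifier = PassthoughtVerifier(
        [sample(rng, defender, tasks[secret]) for _ in range(n_enroll)])

    genuine = [sample(rng, defender, tasks[secret]) for _ in range(n_trials)]
    knows, wrong = [], []
    for _ in range(n_trials):
        attacker = gaussian_vector(rng, BRAIN)
        knows.append(sample(rng, attacker, tasks[secret]))
        wrong.append(sample(rng, attacker, tasks[rng.randrange(1, n_tasks)]))
    return {
        "genuine": acceptance_rate(verifier, genuine),
        "impostor_knows_thought": acceptance_rate(verifier, knows),
        "impostor_wrong_thought": acceptance_rate(verifier, wrong),
    }


if __name__ == "__main__":
    for name, rate in simulate().items():
        print(f"{name:24s} {rate:.3f}")
```

The point of the harness is the comparison between the two impostor rows rather than any single number: in this toy model, as in the paper’s finding, giving the attacker the defender’s secret thought moves the acceptance rate only slightly, because the brain term dominates the distance. Raising k trades a lower false-rejection rate for a higher false-acceptance rate, which is the same knob a real deployment would tune.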

As to when this might be available, the researchers are still working on the system. However, more and more devices that include EEG sensors are coming to market. Nymi does not use EEG signals, but it is similar in that it uses the user’s heart signature (an ECG reading) to unlock devices. One must realize, however, that Nymi is only single factor.

Disclaimer: TechRepublic, ZDNet, and CNET are CBS Interactive properties.