By Andrew Olin
Recently there has been interest in the possibility of using an EEG to authenticate a user into a system. EEG authentication has many benefits over other forms of biometric authentication. Other forms of biometric authentication are vulnerable to attack, whether it is lifting someone’s fingerprint from something they touched or forcing them to provide a finger or retina to a scan. Further, once an individual’s fingerprint or retinal data are compromised, they are permanently compromised as these cannot be changed. However, an EEG sample can be updated in infinite ways, because the task to authenticate can be changed an infinite number of times. There are many other benefits to EEG authentication as well, for example a user could not give an unwilling sample. A fingerprint could be stolen by force or while sleeping, but an EEG sample requires the user to be alert, willing, and in the right state of mind. The only downsides to EEG authentication would be the expensive equipment and time to configure to a user, collecting samples and building models specific to every user. Because of these limitations, it seems only realistic in highly secured systems.
In addition to its benefits for standard authentication, there may also be benefits which are unique to the application of EEG. With this technology, it is possible to create a “continuous” authentication which is less impactful on the user than being requested to regularly re-enter a password or fingerprint, which still has the same vulnerabilities as stated before.
A variety of studies have been completed on building authentication models with EEG signals. There are three promising methods which could be used to authenticate a user very rapidly. The first flashes images at a user monitoring their response, the second has a user imagine doing some kind of action (moving their arm, blinking, etc.), the third actually involves a user physically moving during the sample. We will examine all three methods.
The first method we will examine is the method which uses rapid serial visual presentation (RSVP) to stimulate a user’s brain while collecting samples. While these images are flashing, the EEG collects samples, looking for Event-Related Potential (ERP) signals. ERP signals are signals which the brain produces as a subconscious reaction of recognition, in this case recognizing pre-selected images, making them difficult to fake while still having minimal impact on the user. These images could flash in less than a second, requiring no interaction or effort from the user. The study that was completed analyzing this method was able to achieve a True Acceptance Rate (TAR) of 90% in 3 seconds, and 99% in 7 seconds. Using this method as a second factor of authentication done continuously, the accepted percentage could be dropped lower. Limiting the time to 1 second would likely achieve a True Acceptance Rate around 75%. There are several disadvantages to this method as well, the first of which being the need to have the user’s focus during the images flashing. If a user was not actively using the application, they may miss the images flashing quickly and then fail to authenticate. The other significant issue with this method is the low accuracy of this method. Combining these factors, a user would need to be granted several attempts to authenticate before there access is revoked, to avoid kicking out authorized users for false negatives.
The second method mentioned had the user imagine completing a task, such as moving a limb or closing an eye. The benefit of authentication with this method is it makes it more difficult to force a user to authenticate by force, because they must focus and provide their own thought. Additionally, the user has an additional secret to authenticate with, which is what task they have imagined, further protecting them. This method has several disadvantages though, the main being that it forces the user to completely change their focus from the task they were working on, to focusing on their task. The other disadvantage to this type of authentication is the significant amount of setup and customization for each user. Finding which channels on the EEG provide reliable data for the motion the task that the user has selected, and collecting enough samples to build the model, because there is more variation in this type of task. A study using this method of authentication was able to achieve a TAR or 91% with a small sample set. This likely could have been improved further with a larger group to build a more accurate model .
The third method is one which uses actual motion by the user in order to authenticate them. The main benefit to an authentication system like this is that it takes less thinking and less prone to error, such as the user not focusing enough on their task. This motion could be done in two different ways, any motion that the user selects, such as moving their arm a certain way or kicking their leg, or it could be motion controlled by the application, such as having the user move the mouse to the corner of the screen. There are benefits to both, however having a user move the mouse in a controlled manner seems like the most reliable way to get users to repeat movement. This method shares many of the disadvantages of the last method, being prone to bad samples and being difficult to tune to each user but shares some of the benefits of the first method. Having a screen pop up quickly that a user must click to close takes less focus and could be made less intrusive than forcing a user to stop and focus on their selected motion .
Of the three methods examined, the third appears the most applicable because it would be the most reliable and easiest to implement. Building a simple web application, or implementing it into the application itself, which prompts the user to move their mouse in specific ways would be easy to implement and provide a consistent way for users to provide input. The most basic form of input would be a web application which prompts in one corner for the user to begin authentication, then once clicked, prompts the user to click another button, collecting a sample from first click to second. Let’s say that Wikipedia is our site which needs to be secured. After a given amount of time, we prevent the user from scrolling any further until they reauthenticate. This allows them to get to a good stopping point. We prompt the start with a button in the bottom right corner, this button starts our EEG collection, and places another button on the top right corner for the user to select. You can see our button in the bottom left corner. This format will provide a reliable user movement and allow the EEG sample to be collected quickly without significant user impact, but still allow the site to determine that the authenticated user is the one active in the application.
Begin Reauthentication button
Submit Button in opposite corner
 Y. Chen, A. D. Atnafu, I. Schlattner, W. T. Weldtsadik, M.-C. Roh, H. J. Kim, S.-W. Lee, B. Blankertz, and S. Fazli, “A High-Security EEG-Based Login System with RSVP Stimuli and Dry Electrodes,” IEEE Transactions on Information Forensics and Security, vol. 11, no. 12, pp. 2635–2647, 2016.
 Z. A. A. Alyasseri, A. T. Khader, M. A. Al-Betar, J. P. Papa, and O. A. Alomari, “EEG-based Person Authentication Using Multi-objective Flower Pollination Algorithm,” 2018 IEEE Congress on Evolutionary Computation (CEC), 2018.
 D. Rodrigues, G. F. Silva, J. P. Papa, A. N. Marana, and X.-S. Yang, “EEG-based person identification through Binary Flower Pollination Algorithm,” Expert Systems with Applications, vol. 62, pp. 81–90, 2016.