Securing Passwords Beyond Human Capabilities with a Wearable Neuro-Device

Choosing strong passwords is a challenging task for humans, and this can undermine the security of subscribing to online services from mobile applications. Composition rules and dictionaries help users choose stronger passwords, although at the cost of making them harder to memorize. When high-performance computers are not available, as in mobile scenarios, the problem is even worse because mobile devices typically lack good enough entropy sources. The goal, then, is to obtain strong passwords with the best efficiency in terms of entropy per character. In this study, we propose the use of neuro-activity as a source of entropy for the efficient generation of strong passwords. In our experiment we used the NIST test suite to compare binary random sequences extracted from neuro-activity by means of a mobile brain-computer interface with (i) strong passwords manually generated with restrictions based on dictionary and composition rules and (ii) passwords generated automatically by mathematical software running on a workstation. The results showed that random sequences based on neuro-activity were much more suitable for the generation of strong passwords than those generated by humans and were as strong as those generated by a computer. Also, the rate at which random bits were generated from neuro-activity (4 Kbps) was much faster than that of manual password generation. Thus, just a very small fraction of the time and cognitive workload required to manually generate a password provides enough entropy for the generation of stronger, shorter and easier-to-remember passwords. We conclude that, in mobile scenarios or when good enough entropy sources are not available, the use of neuro-activity is an efficient option for the generation of strong passwords.
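
As an added illustration that is not code from the paper: two tests from the NIST statistical test suite (SP 800-22), the frequency (monobit) and runs tests, applied to a bit sequence. The function names and sample inputs are constructed for this example, and 0.01 is the suite's default significance level; the suite recommends sequences of at least 100 bits for these tests.

```python
import math
import os

ALPHA = 0.01  # default significance level in SP 800-22


def to_bits(data: bytes) -> list[int]:
    """Expand bytes into a list of bits, most significant bit first."""
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]


def monobit_p(bits: list[int]) -> float:
    """Frequency (monobit) test: are ones and zeros about equally frequent?"""
    s = sum(2 * b - 1 for b in bits)  # +1 for each one, -1 for each zero
    return math.erfc(abs(s) / math.sqrt(2 * len(bits)))


def runs_p(bits: list[int]) -> float:
    """Runs test: does the sequence switch between 0 and 1 at a plausible rate?"""
    n = len(bits)
    pi = sum(bits) / n
    # Prerequisite: the proportion of ones must already be close to 1/2.
    if abs(pi - 0.5) >= 2 / math.sqrt(n) or pi in (0.0, 1.0):
        return 0.0
    v = 1 + sum(a != b for a, b in zip(bits, bits[1:]))  # number of runs
    return math.erfc(abs(v - 2 * n * pi * (1 - pi))
                     / (2 * math.sqrt(2 * n) * pi * (1 - pi)))


def assess(bits: list[int]) -> dict[str, bool]:
    """Pass/fail verdict per test at significance level ALPHA."""
    return {"monobit": monobit_p(bits) >= ALPHA, "runs": runs_p(bits) >= ALPHA}


if __name__ == "__main__":
    # Constructed inputs: OS randomness, and ASCII text standing in for typed passwords.
    samples = {
        "os.urandom": to_bits(os.urandom(512)),
        "typed text": to_bits(b"Summer2017!Winter2018!" * 20),
    }
    for name, bits in samples.items():
        print(name, len(bits), assess(bits))
```

A balanced but perfectly alternating sequence passes the monobit test and fails the runs test, which is why the suite applies several tests to each sequence rather than one.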
