The timing was right, they say, because while EEG data was in the past captured with invasive probes, this data can now be collected using "consumer-grade non-invasive dry-contact sensors built into audio headsets and other consumer electronics."
"We briefed subjects on the objective of the study, fitted them with a Neurosky MindSet headset, and provided instructions for completing each of seven tasks. As the subjects performed each task we monitored and recorded their brainwave signals," the researchers explained in their report.
The tasks that the fifteen subjects were instructed to do were to focus on breathing, imagine moving a finger up and down in sync with breathing, imagine that they are singing a song, count (in their mind) the number of boxes in a grid that were of a specific color, imagine moving their body to perform a motion related to a sport, choosing and thinking about a pass-though (a concrete mental though), and so on.
After repeating the seven tasks five times per session, the researchers had recorded 1050 brainwave data samples after only two sessions. The data was then repeatedly compressed in order to end up with a "one-dimensional column vector with one entry for each measured frequency" against which later authentication attempts would be compared.
The testing led them to conclude that using brainwaves for authentication is both feasible and extremely accurate, but that tracing a brainwave signal back to a specific person would be much too difficult.
By asking questions about the enjoyability of the specific tasks and by taking stock of the difficulties that the subjects had remembering some of the things they chose to think about during the tests, the researchers also discovered that users tend to better remember secrets that they come up with themselves (song, sport, pass-thought) instead of secrets they are forced to select from a menu.
"In comparing the results of the usability analysis with the results of the authentication testing, we observe that there is no need to sacrifice usability for accuracy. It is possible to achieve accurate authentication with easy and enjoyable tasks," they pointed out.
Still, there are many questions still to be answered: can an attacker fool the authentication system by performing the same customized task the user has chosen for himself, is the solution scalable, and so on, but they believe that there could be a future for using EEG signals for all kinds of things in a number of industries, including computing.