We present a novel idea for user authentication that we call pass-thoughts. Recent advances in Brain-Computer Interface (BCI) technology indicate that there is potential for a new type of human-computer interaction: a user transmitting thoughts directly to a computer. The goal of a pass-thought system would be to extract as much entropy as possible from a user's brain signals upon "transmitting" a thought. Provided that these brain signals can be recorded and processed in an accurate and repeatable way, a pass-thought system might provide a quasi two-factor, changeable, authentication method resistant to shoulder-surfing. The potential size of the space of a pass-thought system would seem to be unbounded in theory, although in practice it will be finite due to system constraints. In this paper, we discuss the motivation and potential of pass-thought authentication, the status quo of BCI technology, and outline the design of what we believe to be a currently feasible pass-thought system. We also briefly mention the need for general exploration and open debate regarding ethical considerations for such technologies.

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Martín Abadi , Michael Burrows , C. Kaufman , Butler W. Lampson, Authentication and Delegation with Smart-cards, Proceedings of the International Conference on Theoretical Aspects of Computer Software, p.326-345, September 24-27, 1991
	2	Michael A. Arbib, The Handbook of Brain Theory and Neural Networks, MIT Press, Cambridge, MA, 2002
	3	Steven M. Bellovin , Michael Merritt, Encrypted Key Exchange: Password-Based Protocols SecureAgainst Dictionary Attacks, Proceedings of the 1992 IEEE Symposium on Security and Privacy, p.72, May 04-06, 1992
	4	N. Bierbaumer, N. Ghanayim, T. Hinterberger, I. Iversen, B. Kotchoubey, A. Kubler, J. Perelmouter, E. Taub, and H. Flor. A Spelling Device for the Paralyzed. Nature, 398:297--298, 1999.
	5	N. Birbaumer, A. Kubler, N. Ghanayim, T. Hinterberger, J. Perelmouter, J. Kaiser, I. Iversen, and B. Kotchoubey. The Thought Translation Device (TTD) for Completely Paralyzed Patients, 2000.
	6	J.-C. Birget, D. Hong, and N. Memon. Robust Discretization, With an Application to Graphical Passwords. Cryptology ePrint Archive, Report 2003/168, 2003. http://eprint.iacr.org/, site accessed Jan. 12, 2004.
	7	M. Blum and N. J. Hopper. A Secure Human-Computer Authentication Scheme, 2000. http://www.aladdin.cs.emu.edu/papers/pdfs/y2001/manuel_blum.pdf, accessed Mar. 16, 2005.
	8	S. Brostoff. Improving Password System Effectiveness. PhD thesis, University College London, 2004.
	9	V. Brower. When Mind Meets Machine. EBMO Reports, 6(2):108--110, 2005.
	10	CERT Coordination Center. Vulnerabilities, Incidents, and Fixes, http://www.cert.org.
	11	Mark D. Corner , Brian D. Noble, Zero-interaction authentication, Proceedings of the 8th annual international conference on Mobile computing and networking, September 23-28, 2002, Atlanta, Georgia, USA  [doi>10.1145/570645.570647]
	12	J. Daugman. How Iris Recognition Works. IEEE Transactions on Circuits and Systems for Video Technology, 14(1):21--30, 2004.
	13	D. Davis, F. Monrose, and M. K. Reiter. On User Choice in Graphical Password Schemes. In 13th USENIX Security Symposium, 2004.
	14	R. Dhamija and A. Perrig. Déjà Vu: A User Study Using Images for Authentication. In 9th USENIX Security Symposium, 2000.
	15	Whitfield Diffie , Paul C. Van Oorschot , Michael J. Wiener, Authentication and authenticated key exchanges, Designs, Codes and Cryptography, v.2 n.2, p.107-125, June 1992  [doi>10.1007/BF00124891]
	16	Y. Dodis, L. Reyzin, and A. Smith. Fuzzy Extractors: How to Generate Strong Keys from Biometrics and Other Noisy Data. In Eurocrypt 2004, pages 523--540, 2004.
	17	E. Donchin, K. M. Spencer, and R. Wijesinghe. The Mental Prosthesis: Assessing the Speed of a P300-Based Brain-Computer Interface. IEEE Transactions on Rehabilitation Engineering, 8:174--179, 2000.
	18	M. Doppelmayr, W. Klimesch, T. Pachinger, and B. Ripper. Individual Differences in Brain Dynamics: Important Implications for the Calculation of Event-Related Brain Power, 1998.
	19	D. E. Duncan. Implanting Hope. Technology Review: MIT's Magazine of Innovation, 108(3):48--54, 2005.
	20	T. Elbert, C. Pantev, C. Wienbruch, B. Rockstroh, and E. Taub. Increased Cortical Representation of the Fingers of the Left Hand in String Players. Science, 270:305--307, 1995.
	21	Electro-cap International, Inc. Electro-Cap Price List: Electro-Cap. http://www.electro-cap.com, site accessed Aug. 27, 2005.
	22	S. Granger. Social Engineering Fundamentals, Part I: Hacker Tactics, 2001. http://www.securityfocus.com/infocus/1527, site accessed Mar. 22, 2005.
	23	ISI Web of Knowledge. Analysis: Brain Computer Interface Search Results, 2005.
	24	David P. Jablon, Strong password-only authenticated key exchange, ACM SIGCOMM Computer Communication Review, v.26 n.5, p.5-26, Oct. 1996  [doi>10.1145/242896.242897]
	25	Anil K. Jain , Robert P. W. Duin , Jianchang Mao, Statistical Pattern Recognition: A Review, IEEE Transactions on Pattern Analysis and Machine Intelligence, v.22 n.1, p.4-37, January 2000  [doi>10.1109/34.824819]
	26	Wayne Jansen, Serban Gavrila, Vlad Korolev, Rick Ayers, and Ryan Swanstrom. Picture Password: A Visual Login Technique for Mobile Devices. National Institute of Standards and Technology Interagency Report (NISTIR) 7030, 2003. http://csrc.nist.gov/publications/nistir/nistir-7030.pdf, site accessed Mar. 22, 2004.
	27	I. Jermyn, A. Mayer, F. Monrose, M. Reiter, and A. Rubin. The Design and Analysis of Graphical Passwords. 8th USENIX Security Symposium, 1999.
	28	A. Juels and M. Sudan. A Fuzzy Vault Scheme. In IEEE International Symposium on Information Theory, 2002.
	29	M. Just and P. C. van Oorschot. Addressing the problem of undetected signature key compromise. In NDSS, 1999.
	30	I. Kerr. So Trendy, So Convienient - So Dangerous to our Privacy, July 31, 2004. Vancouver Sun, available at: http://anonequity.org/en3/July31-Van_Sun-Baja_Beach_Club.pdf.
	31	D. Klein. Foiling the Cracker: A Survey of, and Improvements to, Password Security. In The 2nd USENIX Security Workshop, pages 5--14, 1990.
	32	A. Kostov and M. Polak. Parallel Man-Machine Training in Development of ECG-Based Cursor Control. IEEE Transactions on Rehabilitation Engineering, 8:203--204, 2000.
	33	LC Technologies Inc. Eyegaze Systems. http://www.eyegaze.com, site accessed Mar. 22, 2005.
	34	Hansheng Lei , Venu Govindaraju, A comparative study on the consistency of features in on-line signature verification, Pattern Recognition Letters, v.26 n.15, p.2483-2489, November 2005  [doi>10.1016/j.patrec.2005.05.005]
	35	T. Matsumoto, H. Matsumoto, K. Yamada, and S. Hoshino. Impact of Artificial "Gummy" Fingers on Fingerprint Systems. In Rudolf L. van Renesse, editor, SPIE Optical Security and Counterfeit Deterrence Techniques IV, volume 4677, pages 275--289, April 2002.
	36	José del R. Millán, Adaptive brain interfaces, Communications of the ACM, v.46 n.3, p.74-80, March 2003  [doi>10.1145/636772.636773]
	37	J. R. Millan, J. Mourino, M. Franze, F. Cincotti, M. Varsta, J. Heikkonen, and F. Babiloni. A Local Neural Classifier for the Recognition of EEG Patterns Associated to Mental Tasks. IEEE Transactions on Neural Networks, 13(3):678--686, 2002.
	38	Fabian Monrose , Michael K. Reiter , Qi Li , Susanne Wetzel, Cryptographic Key Generation from Voice, Proceedings of the 2001 IEEE Symposium on Security and Privacy, p.202, May 14-16, 2001
	39	F. Monrose, M. K. Reiter, and S. Wetzel. Password Hardening based on Keystroke Dynamics. International Journal of Information Security, 1(1):69--83, 2001.
	40	Arvind Narayanan , Vitaly Shmatikov, Fast dictionary attacks on passwords using time-space tradeoff, Proceedings of the 12th ACM conference on Computer and communications security, November 07-11, 2005, Alexandria, VA, USA  [doi>10.1145/1102120.1102168]
	41	Neurosky. Neurosky Home Page. http://www.neurosky.com, site accessed Oct. 31, 2005.
	42	M. A. L. Nicolelis and J. K. Chapin. Controlling Robots with the Mind. Scientific American, 289(4):46--53, 2002.
	43	R. Palaniappan and K. V. R. Ravi. A New Method to Identify Individuals Using Signals from the Brain. In 4th International Conference on Information Communications and Signal Processing and 4th Pacific-Rim Conference on Multimedia (ICICS-PCM 2003), pages 1442--1445, 2003.
	44	R. B. Paranjape, J. Mahovsky, L. Benedicenti, and Z. Koles. The Electroencephalogram as a Biometric. In The Canadian Conference on Electrical and Computer Engineering, pages 1363--1366, 2001.
	45	A. Perrig and D. Song. Hash Visualization: a New Technique to Improve Real-World Security. In International Workshop on Cryptographic Techniques and E-Commerce, pages 131--138, 1999.
	46	Benny Pinkas , Tomas Sander, Securing passwords against dictionary attacks, Proceedings of the 9th ACM conference on Computer and communications security, November 18-22, 2002, Washington, DC, USA  [doi>10.1145/586110.586133]
	47	Réjean Plamondon , Sargur N. Srihari, On-Line and Off-Line Handwriting Recognition: A Comprehensive Survey, IEEE Transactions on Pattern Analysis and Machine Intelligence, v.22 n.1, p.63-84, January 2000  [doi>10.1109/34.824821]
	48	Real User Corporation. About Passfaces. http://www.realuser.com, site accessed May 24, 2004.
	49	A. R. Roddy and J. D. Stosz. Fingerprint Features - Statistical Analysis and System Performance Estimates. Proceedings of the IEEE, 85(9):1390--1421, 1996.
	50	P. Ross. Mind Readers. Scientific American, 289(3):74--77, 2003.
	51	Volker Roth , Kai Richter , Rene Freidinger, A PIN-entry method resilient against shoulder surfing, Proceedings of the 11th ACM conference on Computer and communications security, October 25-29, 2004, Washington DC, USA  [doi>10.1145/1030083.1030116]
	52	Leonardo Sobrado and J.-C. Birget. Graphical Passwords. The Rutgers Scholar: An Electronic Bulletin of Undergraduate Research, Volume 4, 2002. http://rutgersscholar.rutgers.edu/volume04/sobrbirg/sobrbirg.htm, site accessed Mar. 22, 2004.
	53	E. H. Spafford, Crisis and aftermath, Communications of the ACM, v.32 n.6, p.678-687, June 1989  [doi>10.1145/63526.63527]
	54	S. Stubblebine and P. C. van Oorschot. Addressing Online Dictionary Attacks with Login Histories and Humans-in-the-Loop. In Financial Cryptography'04. Springer-Verlag LNCS 3110, 2004.
	55	G. Tally, R. Thomas, and T. Van Vleck. Anti-Phishing: Best Practices for Institutions and Consumers, March 2004. http://www.networkassociates.com/us/_tier2/product/_media/mcafee/wp\_a%ntiphishing.pdf, site accessed Mar. 22, 2005.
	56	J. Thorpe and P. C. van Oorschot. Graphical Dictionaries and the Memorable Space of Graphical Passwords. In 13th USENIX Security Symposium, 2004.
	57	Julie Thorpe , P. C. van Oorschot, Towards Secure Design Choices for Implementing Graphical Passwords, Proceedings of the 20th Annual Computer Security Applications Conference (ACSAC'04), p.50-60, December 06-10, 2004  [doi>10.1109/CSAC.2004.44]
	58	T. M. Vaughan, W. J. Heetderks, L. J. Trejo, W. Z. Rymer, M. Weinrich, M. M. Moore, A. Kubler, B. H. Dobkin, N. Birbaumer, E. Donchin, E. W. Wolpaw, and J. R. Wolpaw. Brain-computer interface technology: A review of the Second International Meeting, 2003.
	59	K. Warwick, M. Gasson, B. Hutt, I. Goodhew, P. Kyberd, H. Schulzrinne, and X. Wu. Thought Communication and Control: a First Step Using Radiotelegraphy. IEEE Proc. Commun., 151 (3):185--189, 2004.
	60	Susan Wiedenbeck , Jim Waters , Jean-Camille Birget , Alex Brodskiy , Nasir Memon, PassPoints: design and longitudinal evaluation of a graphical password system, International Journal of Human-Computer Studies, v.63 n.1-2, p.102-127, July 2005  [doi>10.1016/j.ijhcs.2005.04.010]
	61	G. M. Wilson and M. A. Sasse. From Doing to Being: Getting Closer to the User Experience. Interacting with Computers, 16:697--705, 2004.
	62	J. R. Wolpaw, N. Birbaumer, D. J. McFarland, G. Pfurtscheller, and T. M. Vaughan. Brain-Computer Interfaces For Communication and Control. Clinical Neurophysiology, 113:767--791, 2002.
	63	Jianxin Jeff Yan, A note on proactive password checking, Proceedings of the 2001 workshop on New security paradigms, September 10-13, 2001, Cloudcroft, New Mexico  [doi>10.1145/508171.508194]
	64	Jianxin Yan, Alan Blackwell, Ross Anderson, and Alasdair Grant. The Memorability and Security of Passwords -- Some Empirical Results. Technical Report No. 500, Computer Laboratory, University of Cambridge, 2000. http://www.ftp.cl.cam.ac.uk/ftp/users/rja14/tr500.pdf, site accessed September 6, 2004.
	65	Li Zhuang , Feng Zhou , J. D. Tygar, Keyboard acoustic emanations revisited, Proceedings of the 12th ACM conference on Computer and communications security, November 07-11, 2005, Alexandria, VA, USA  [doi>10.1145/1102120.1102169]