As far as computer security is concerned, passcodes, Touch ID, and iris scanning are so September 2016. These days, it seems all the cool kids are looking at brain wave detection as the next frontier in unbeatable passwords. Brain passwords are a thing of the future and might be the most secure option to date.

That’s certainly what Abdul Serwadda, a cybersecurity expert and assistant professor in the department of computer science at Texas Tech University, is focused on. In new research, he looks at work being done into how brain waves — obtained from an electroencephalogram, or EEG — can be used to authenticate users with a high degree of accuracy. Such technology, which requires users to wear an EEG device on their head to measure brain activity, is also being used by brain-sensing apps.

The technology offers a number of exciting possibilities, such as being more than a “login time” approach to security, which only checks a person’s identity when they first log in to a system. With brain waves, a sensor can record a person’s brain waves continuously while they work on a computer, and then use them to periodically determine if the user is still the identified individual. However, Serwadda points out a potentially dangerous flaw in such brain-scanning technology: that it could potentially reveal incredibly sensitive data about a user. According to the security expert, the type of information that could be inferred from brain waves includes medical conditions, personality traits, emotions, drug use behavior, and more.

“Authentication using brainwaves probably has a long way to go,” Serwadda told Digital Trends. “However, there are other applications of brain waves which would face the same threats. For example, certain gaming apps on the market use brain waves. Our findings have implications for a wide range of apps, not just authentication. The fact that authentication is yet to take off does not mean that the threat is not here yet.” Nor is he just worried about black hat hackers. “You don’t even have to go to hackers to find who will abuse this,” he said. “The app developer who posts a brain measuring app on the market is the first guy who might abuse this. The app can do whatever it likes with the data and communicate over the internet to send ‘its findings’ to the malicious app developer.”

As he notes, this technology is still in its relative infancy — but it demonstrates again why even complicated biometric passwords come with their own major security issues. And when it comes to our brain data being fed back to internet villains, suddenly good old-fashioned passwords seem a whole lot less risky.