Biometrics on the beat

Forget fingerprint identification, face recognition or retinal scanning, scientists are developing a computer security system that uses low-level ‘Doppler’ radar to identify a person by the unique rhythms and dimensions of their heart. Biometric authentication currently makes hacking into a phone or computer far harder than simply guessing or stealing a password, but traits as unique as a person’s fingerprint, voice, or even their face, can be stolen and ‘spoofed’ to bypass these protections. This is a particular problem in the age of social media, as many are making their faces, voices and sometimes even their fingerprints publicly available through photographs and videos of themselves. The new ‘cardiac password’ system, three years in the making, is potentially a safe and more effective alternative to passwords and other biometric identifiers, say its creators. The data used for authentication is not simply a person’s pulse or BPM (beats per minute), but a unique signature created by the heart that is undetectable by the naked eye and ear. “No two people with identical hearts have ever been found,” said Dr Wenyao Xu, co-author of the study and an assistant professor in the Department of Computer Science and Engineering at the University at Buffalo’s School of Engineering and Applied Sciences. “And people’s hearts do not change shape, unless they suffer from serious heart disease. We would like to use it for every computer because everyone needs privacy.” Researcher and associate professor of electrical engineering Dr Changzhi Li of Texas Tech University, who co-authored the study, said they were working to develop a device that can not only read the waveforms and differentiate between people, but be trained to adapt to a variety of different situations, such as when a person is exercising. They hope it could eventually be used for smartphones and for screening at airports. The new system has several advantages over current biometric tools, such as fingerprints and retinal scans, Dr Xu said. First, it is a passive, non-contact device, so users are not ‘bothered’ with authenticating themselves whenever they log-in. Second, it monitors users constantly. This means the computer or smartphone will not operate if a different person is in front of, or holding, it – and equally people do not have to remember to log off when away from their devices. Heart-based biometrics systems have been used for almost a decade, primarily with electrodes measuring electrocardiogram signals, but no one has previously created a non-contact remote device to characterise the geometry traits of the heart for identification. According to the researchers, the system needs around eight seconds to scan a heart the first time, after which the monitor will continuously recognise it. The signal strength of the system’s radar is also much weaker than wi-fi so does not pose any health threat. “We are living in a wi-fi surrounding environment every day, and the new system is as safe as those wi-fi devices,” Dr Xu said. “The reader is about five milliwatts, even less than one per cent of the radiation from our smartphones.” Because the heart is inside the body, and most people do not post their ECG (electrocardiogram) waveforms on social media, heartbeat waveforms could be a more secure and less “hackable” biometric, although Dr Li and his colleague still anticipate challenges and are determining how secure the system is and how it can be made as “spoof-proof” as possible. “Whenever there’s a new technology, people always find out the breach. What we are trying to do is to provide something that is robust enough so that it’s going to be very difficult for other people to really break through,” said Dr Li. “One scenario is, when I am at a public place, somebody else may also use a device to secretly pick up my heartbeat waveform and they may go back and make a phantom to mimic this kind of waveform. However, on the other side, mimicking a heartbeat waveform is not that easy, so really our question is how difficu