Given that the heart’s electrical signals measured by electrocardiograms (ECGs) are already known to be individual to each person, this isn’t as far-fetched as it sounds.
But uniqueness isn’t the only requirement for authentication – the chosen method (in this case heart ECGs) must also be invariable enough over time and be practicable in terms of the equipment needed to measure it.
And while consumer-level ECG monitors can be bought quite cheaply, that doesn’t mean they are also accurate and easy enough to use correctly by a security application.
As explained in A Key to Your Heart: Biometric Authentication Based on ECG Signals, researchers Nikita Samarin from University of California Berkeley, and Donald Sannella from Edinburgh University decided to put the idea to the test experimentally.
First, they twice collected ECGs from 49 healthy men and women over a four-month period, using a $99 home monitor and smartphone app setup.
Comparing the two readings, the researchers established that error rates over a short period of time – a single reading – were an encouraging 2.4%, a result better than most previous studies making the same measurement.
That’s also in line with the upper error rates of fingerprint readers:
The results presented in this work provide a positive perspective on ECG-based biometrics, by showing that individuals can be authenticated by using their ECG trace.
However, the authors acknowledge that ECG biometrics “degrade” or change over time, for which they suggest:
Improving the performance of ECG over longer periods of time could be done by synchronizing the stored biometric with the new signal after each successful authentication.
In other words, using the heart as an authentication mechanism is feasible but only if the subject re-enrols their ECG at regular intervals to counter natural changes.
That doesn’t rule out the idea but perhaps hints that ECGs might be appropriate for high-security environments when used in conjunction with other biometric identifiers such as fingerprints.
ECGs also face the same worries as any biometric security systems in that the data they collect represents a target that criminals are bound to be interested in stealing.
Once compromised, biometrics cannot be easily revoked, as they depend on persistent physiological or behavioral characteristics of an individual.
Adding someone’s ECG to this would meet opposition from privacy campaigners who might point out that the tech industry doesn’t exactly have a spotless reputation for defending valuable data – and that’s before considering potential abuses by governments.
Or perhaps biometrics are just an inevitable part of the dawning era of smart authentication and people should acclimatise themselves to risks that are offset by the benefit for cybersecurity.