Your Heartbeat Can Give Away Your Identity, Like a Fingerprint
Our heartbeats differ just enough to tell us apart, but they also give away potentially sensitive information
Heartbeats, like our fingerprints and faces, are unique. The distinctive waveforms generated by a heart’s expansions and contractions differ just enough from person to person that they can be used to tell us apart. That means heartbeats could serve as a biometric — a unique physiological characteristic that can be used to identify a person. Some scientists think a heartbeat could be a better identifier than the fingerprints we use to unlock phones today.
Startups today make unobtrusive heart monitors that can detect drowsiness behind the wheel of a car or offer perpetual user authentication in high-security manufacturing facilities. These monitors could eventually replace fingerprint scanners on smartphones, or the key fobs we use to enter office buildings.
“As a security researcher, absolutely, I would pick ECG over fingerprint scanners or basically anything else that we use at the moment,” Simon Eberz, a research associate with the University of Oxford’s department of computer science, tells OneZero.
But authentication via heartbeat comes with its own unique privacy concerns, not least of which is that a heartbeat is a window into someone’s emotional state and health status. The potential misuse of a biometric that’s hidden inside us and that provides data every second is hard to ignore.
Using a heartbeat to identify someone is relatively simple. A heartbeat is regulated by cells that send out regular pulses of electricity telling the heart muscles to expand and contract, pumping blood throughout the body. Those bursts of electricity create a waveform that can be measured by an electrocardiogram (ECG).
“[It’s] something that can be relatively distinctive, simply because different people have different cardiovascular systems, differently shaped heart muscles, and so on,” says Eberz. Like the whorls of a fingerprint, slight variations in the amplitudes of the peaks and troughs of an ECG wave pattern, and the distances between them, are unique to each person.
And, as the authors of a 2016 paper showed, heartbeats offer continuous authentication. Whereas we enter passwords or scan our fingers once to access secure applications, a heartbeat could effectively send out a password every second.
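To make the mechanism concrete, here is an added example (not from the article or any of the researchers or companies it mentions) that turns a stream of beats into the kind of per-beat "password" described above. The beat shape, the four features (P and T amplitudes relative to the R peak, and the P-to-R and R-to-T intervals), the z-score matcher and the acceptance threshold are all assumptions chosen for illustration; the waveform is a crude synthetic P-QRS-T sketch, not recorded ECG data.

```python
"""Added example: per-beat ECG feature extraction and a continuous matcher.
The beat generator, feature set and threshold are constructed assumptions."""
import math
import random
from statistics import mean, stdev

SAMPLE_RATE = 250  # samples per second for the constructed waveform


def gaussian(t, center, width, height):
    return height * math.exp(-((t - center) ** 2) / (2 * width ** 2))


def synth_beat(p_amp, r_amp, t_amp, qt_ms, noise, rng):
    """One 800 ms cardiac cycle sketched from Gaussian bumps: P wave at 150 ms,
    R peak at 300 ms, a small S dip just after it, and a T wave qt_ms later.
    The amplitudes and timings are the per-person parameters."""
    samples = []
    for i in range(int(SAMPLE_RATE * 0.8)):
        t = i / SAMPLE_RATE
        v = (gaussian(t, 0.15, 0.02, p_amp)
             + gaussian(t, 0.30, 0.008, r_amp)
             - gaussian(t, 0.33, 0.008, 0.3 * r_amp)
             + gaussian(t, 0.30 + qt_ms / 1000.0, 0.03, t_amp))
        samples.append(v + rng.gauss(0.0, noise))
    return samples


def beat_features(samples):
    """Locate the R, P and T peaks and return four shape features."""
    r_idx = max(range(len(samples)), key=samples.__getitem__)
    r_amp = samples[r_idx]
    # P wave: largest sample in the region ending 40 ms before the R peak
    pre = samples[:max(1, r_idx - int(0.04 * SAMPLE_RATE))]
    p_idx = max(range(len(pre)), key=pre.__getitem__)
    # T wave: largest sample from 80 ms after the R peak onwards (past the S dip)
    start = min(len(samples) - 1, r_idx + int(0.08 * SAMPLE_RATE))
    post = samples[start:]
    t_idx = start + max(range(len(post)), key=post.__getitem__)
    ms = 1000.0 / SAMPLE_RATE
    return [
        samples[p_idx] / r_amp,   # P/R amplitude ratio
        samples[t_idx] / r_amp,   # T/R amplitude ratio
        (r_idx - p_idx) * ms,     # PR interval in ms
        (t_idx - r_idx) * ms,     # RT interval in ms
    ]


def enroll(beats):
    """Template = per-feature mean and spread over the enrollment beats.
    A floor on the spread stops a quantised, nearly constant feature from
    turning one-sample jitter into a huge z-score."""
    cols = list(zip(*(beat_features(b) for b in beats)))
    return [(mean(c), max(stdev(c), 0.02 * abs(mean(c)), 1e-6)) for c in cols]


def score(template, beat):
    """Mean absolute z-score of the beat's features against the template."""
    return mean(abs(x - m) / s
                for x, (m, s) in zip(beat_features(beat), template))


def continuous_auth(template, stream, threshold=3.0):
    """One accept/reject decision per beat, i.e. roughly once a second."""
    return [score(template, b) < threshold for b in stream]


def demo():
    """Enroll a constructed person, then stream genuine and impostor beats
    through the matcher. Returns the two lists of per-beat decisions."""
    rng = random.Random(1)
    alice = dict(p_amp=0.15, r_amp=1.0, t_amp=0.3, qt_ms=280, noise=0.01)
    bob = dict(p_amp=0.25, r_amp=1.0, t_amp=0.2, qt_ms=360, noise=0.01)
    template = enroll([synth_beat(rng=rng, **alice) for _ in range(10)])
    genuine = continuous_auth(template, [synth_beat(rng=rng, **alice) for _ in range(5)])
    impostor = continuous_auth(template, [synth_beat(rng=rng, **bob) for _ in range(5)])
    return genuine, impostor


if __name__ == "__main__":
    print(demo())
```

Each element of the returned lists is one beat's decision, which is what "a password every second" amounts to in practice; a deployment would smooth these decisions over a window rather than lock a user out on a single noisy beat, and would derive the threshold from measured false-accept and false-reject rates rather than a fixed constant.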
Today, the technology has advanced to the point that portable ECG scanners could work in the real world. In research published in March, researchers from Germany showed they could track people outside of the lab using chest ECG readers. They were able to identify people based only on their heartbeat data, although their error rates hovered between 10% and 20%.
Technological advances are making commercial applications of ECG biometrics possible. Nymi, a Toronto-based company, makes an ECG wristband for manufacturing facilities that require high levels of security. Their device provides continuous authentication for workers wearing the wristband.
Heartbeats offer some advantages traditional biometrics lack, says Andre Lourenco, a visiting professor at Instituto Superior de Engenharia de Lisboa who studies ECG biometrics and is the CEO of CardioID, a company working on integrating an ECG monitor into steering wheels.
“You can leave your fingerprint everywhere. If you put your hand on a glass, your fingerprint will be there,” he says. Similarly, high-resolution photographs can contain enough information for facial or even iris recognition programs to work. Our heartbeats, by contrast, do not leave our biometric data sitting out in the open.
CardioID’s technology can obtain heartbeat data from just the pulse in someone’s fingers, Lourenco says. Traditional ECGs require leads attached to the body. CardioID’s goal is to use ECG data to monitor whether drivers are falling asleep at the wheel and alert them. In the future, it could be used to detect driver intoxication as well, Lourenco says.
He envisions CardioID’s technology eventually being used by commercial drivers to identify themselves at various points along their route without ever leaving their vehicle. Continuous ECG monitoring could provide real-time authentication, cutting down on the regular paperwork drivers must file during their routes. Some day, it could even integrate into a larger authentication network for seamless identification no matter where you are.
“You go from one place to another without having to wear anything and you are being constantly authenticated,” he says. That’s good for workers who need to constantly identify themselves, or companies that desire extra security. But continuous identification also means that workers’ movements could be tracked in far greater detail than before. And if ECG data is stolen, it represents a theft of medical information — and also opens the doors to hackers.
But even heartbeats are prone to hacking.
If an attacker gained access to your ECG data, they could use it to fool a heart monitoring device. Eberz and a group of researchers at Oxford showed this was possible in 2017 when they used faked ECG data to fool a Nymi band into providing fraudulent authentication. It was actually fairly easy, Eberz says.
They encoded participants’ ECG signals as audio files and fed the resulting waveforms into the Nymi band from both a laptop soundcard and a smartphone, Eberz says. “The technological barrier for this is basically zero. The total hardware cost for everything is probably about $20.”
That said, Eberz believes ECG biometric devices will become much harder to hack. It was once possible to fool fingerprint scanners with a latex mold of a finger, he says, but the devices are far more sophisticated today.
If anything, he thinks ECG signals are actually safer as a biometric compared to fingerprints, faces, and irises. Heartbeats are harder to obtain and there is some inherent noise in ECG recordings that a hacker might find hard to replicate, giving their attack away.
But for now, ECG monitors still have a few problems to work through. Even the best systems have error rates of 1% or more, and much higher when using data that’s gathered outside of a medical setting. Also, there’s been very little testing of ECG biometric systems in the real world. New issues might crop up when heartbeat monitoring is tested on a wider scale.
And getting an ECG reading requires a full heartbeat, which takes around a second — far slower than the nearly instantaneous fingerprint readers we have today. Consumers, says Eberz, may not tolerate the lag time.
In addition to the technological challenges, using heartbeats as a biometric brings with it legal and ethical concerns a fingerprint doesn’t. An ECG recording could contain sensitive information about a person’s emotions and health. Giving an employer or private company access to that information could potentially lead to discrimination — using an employee’s heart condition as an excuse to let them go, for example.
There’s also the fact that biometrics, unlike passwords, cannot be changed. Once you give away your fingerprint or heartbeat, that data remains tied to your identity forever.
That means biometric data initially collected to allow employees to enter an office building, for example, could be used later on to identify people in situations they haven’t agreed to, says Els Kindt, a post-doctoral researcher at the Centre for IT & IP Law at Katholieke Universiteit Leuven in Belgium. The permanent nature of a biometric also increases the potential risks if the data is stolen — one data breach could give away your identity permanently.
One way to make biometrics safer is to alter them before they are stored, Kindt says. Essentially, this means encrypting biometric data so that it’s assigned a random identifier specific to a given context. So if your ECG data was hacked, it couldn’t be linked up with ECG recordings from other databases, helping to preserve your identity.
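The idea Kindt describes is usually called a cancelable or context-bound template. The following is an added example of one common way to build it, not code from the article, from Kindt, or from CardioID (the article does not say which technique CardioID uses): a random projection whose matrix is derived from a secret key and a context label, so the stored template is a bit string that is stable for one person within one context, unrelated across contexts, and replaceable by rotating the key. The feature vector layout, population statistics, key and context names are constructed assumptions.

```python
"""Added example: context-bound, cancelable ECG template via keyed random
projection. Feature layout, population statistics and keys are constructed."""
import hashlib
import hmac
import random

# Constructed population statistics for four per-beat features
# (P/R ratio, T/R ratio, PR interval ms, RT interval ms). Assumptions.
POP_MEAN = [0.18, 0.27, 155.0, 300.0]
POP_SCALE = [0.05, 0.06, 20.0, 40.0]
TEMPLATE_BITS = 128


def normalize(features):
    """Z-score each feature so no single dimension dominates the projection."""
    return [(x - m) / s for x, m, s in zip(features, POP_MEAN, POP_SCALE)]


def projection(secret, context, dim, bits):
    """Context-specific random matrix. The seed is an HMAC of the context label
    under a secret key, so the same (key, context) always yields the same matrix
    and any other key or context yields an unrelated one."""
    seed = hmac.new(secret, context.encode("utf-8"), hashlib.sha256).digest()
    rng = random.Random(int.from_bytes(seed, "big"))
    return [[rng.gauss(0.0, 1.0) for _ in range(dim)] for _ in range(bits)]


def protect(features, secret, context, bits=TEMPLATE_BITS):
    """One sign bit per random direction. Nearby feature vectors (same person,
    measurement noise) share most bits; a different projection (other context
    or rotated key) gives statistically independent bits, so two templates of
    the same heart cannot be linked without the key."""
    x = normalize(features)
    matrix = projection(secret, context, len(x), bits)
    return [1 if sum(w * v for w, v in zip(row, x)) >= 0.0 else 0 for row in matrix]


def hamming(a, b):
    return sum(p != q for p, q in zip(a, b))


def verify(stored, features, secret, context, max_distance=TEMPLATE_BITS // 4):
    """Accept when the fresh template is within max_distance bits of the stored one."""
    return hamming(stored, protect(features, secret, context)) <= max_distance


def demo():
    """Hamming distances for the cases the argument above depends on,
    using constructed feature vectors for two people."""
    rng = random.Random(7)
    key = b"constructed-site-key-not-real"
    alice = [0.15, 0.30, 150.0, 280.0]
    bob = [0.25, 0.20, 150.0, 360.0]
    # Same person, re-measured with small per-feature noise
    noisy_alice = [alice[0] + rng.gauss(0, 0.005), alice[1] + rng.gauss(0, 0.005),
                   alice[2] + rng.gauss(0, 2.0), alice[3] + rng.gauss(0, 3.0)]
    office = protect(alice, key, "office-door")
    return {
        "same_person_same_context": hamming(office, protect(noisy_alice, key, "office-door")),
        "other_person_same_context": hamming(office, protect(bob, key, "office-door")),
        "same_person_other_context": hamming(office, protect(alice, key, "car")),
        "after_key_rotation": hamming(office, protect(alice, b"rotated-key", "office-door")),
    }


if __name__ == "__main__":
    print(demo())
```

Within one context the genuine re-measurement lands a handful of bits away from the enrolled template, the other person lands far away, and the same person's template for a different context, or after a key rotation, sits at roughly half the bits, which is exactly what an unrelated random bit string would do. Two caveats the article's quotes leave implicit: the secret key has to be stored separately from the templates, because the scheme only protects against linking when the attacker has the templates but not the key, and rotating the key means re-enrolling everyone, which is the price of being able to revoke a biometric.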
Lourenco says CardioID already does this. “We are never using the ECG signal itself,” he says. “So it’s not possible to use it for other things than what it is designed for.”
At the moment, it’s unclear where heartbeat biometrics will show up in the future. They might indeed become part of everyday authentication systems, letting us into our cars and office buildings. But it’s also possible our beating hearts might find a use only in far more specific situations where the privacy risks are offset by the higher security a heartbeat offers. Or, heartbeats might become a complementary biometric, augmenting fingerprint and face scanners. Our hearts, after all, are just one of the many things that make us unique.