
Are heart monitors the next big thing in biometrics?

After fingers, the iris of the eye, ears and even lips, it was probably inevitable that someone would propose the human heart might be the next big thing in biometric security.

Given that the heart’s electrical signals measured by electrocardiograms (ECGs) are already known to be individual to each person, this isn’t as far-fetched as it sounds.

But uniqueness isn’t the only requirement for authentication: the chosen trait (in this case the heart’s ECG) must also be stable enough over time, and practicable in terms of the equipment needed to measure it.

And while consumer-level ECG monitors can be bought quite cheaply, that doesn’t mean they are accurate enough, or easy enough to use correctly, for a security application.

As explained in A Key to Your Heart: Biometric Authentication Based on ECG Signals, researchers Nikita Samarin of the University of California, Berkeley, and Donald Sannella of the University of Edinburgh decided to put the idea to the test experimentally.

First, they twice collected ECGs from 49 healthy men and women over a four-month period, using a $99 home monitor and smartphone app setup.

Comparing the two readings, the researchers established that error rates over a short period of time, that is, between readings taken in the same session, were an encouraging 2.4%, a result better than most previous studies making the same measurement.

That is also in line with the upper end of the error rates seen from fingerprint readers. The authors write:

The results presented in this work provide a positive perspective on ECG-based biometrics, by showing that individuals can be authenticated by using their ECG trace.

However, the authors acknowledge that ECG biometrics “degrade” or change over time, for which they suggest:

Improving the performance of ECG over longer periods of time could be done by synchronizing the stored biometric with the new signal after each successful authentication.

In other words, using the heart as an authentication mechanism is feasible, but only if the stored reference is refreshed from fresh readings after successful logins, in effect re-enrolling the subject continuously to keep up with natural changes.
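The refresh scheme the authors propose can be illustrated with a small simulation. The code below is an added example, not the paper’s code or feature pipeline: it assumes each reading has been reduced to a four-element feature vector, a constant drift in the subject’s signal between sessions, a small alternating measurement jitter, and two constructed thresholds (one for accepting a login, a stricter one before the template is allowed to move). It compares a template frozen at enrolment with one that is nudged toward every high-confidence match.

```python
"""
Added example (not the paper's code): a stored biometric template that is
refreshed after each successful authentication so that it follows slow
drift in the subject's signal, compared with a template fixed at
enrolment. Feature vectors, drift, jitter, thresholds and weights are
constructed assumptions for the illustration.
"""
import math

DIM = 4                  # assumed: each ECG reading reduced to 4 features
ACCEPT_THRESHOLD = 0.40  # assumed: largest distance still accepted as a match
UPDATE_THRESHOLD = 0.30  # assumed: stricter bound before the template may move
ALPHA = 0.5              # assumed: weight of the new reading when refreshing
ENROLMENT = [0.5, -0.5, 0.25, -0.25]   # constructed enrolment feature vector


def distance(a, b):
    """Euclidean distance between two feature vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def login(template, reading):
    """Return (accepted, template_after).

    A reading is accepted when it lies within ACCEPT_THRESHOLD of the
    template. The template is pulled toward the reading only when the
    match is also within the stricter UPDATE_THRESHOLD, so a borderline
    acceptance cannot drag the stored reference toward whoever produced it.
    """
    d = distance(template, reading)
    if d > ACCEPT_THRESHOLD:
        return False, template
    if d <= UPDATE_THRESHOLD:
        template = [(1 - ALPHA) * t + ALPHA * r for t, r in zip(template, reading)]
    return True, template


def simulate_sessions(sessions=12, drift=0.05, jitter=0.02, adaptive=True):
    """Enrol a subject, then let the true signal move by `drift` per feature
    each session, with a small alternating measurement jitter, and count the
    accepted logins. With adaptive=False the enrolment template is never
    refreshed. Returns (accepted, sessions)."""
    true_signal = list(ENROLMENT)
    template = list(ENROLMENT)
    accepted = 0
    for k in range(1, sessions + 1):
        true_signal = [s + drift for s in true_signal]
        wobble = jitter if k % 2 else -jitter
        reading = [s + wobble for s in true_signal]
        ok, updated = login(template, reading)
        accepted += int(ok)
        if adaptive:
            template = updated
    return accepted, sessions


if __name__ == "__main__":
    print("fixed template  :", simulate_sessions(adaptive=False))
    print("refreshed template:", simulate_sessions(adaptive=True))
```

With these constructed numbers the frozen template stops matching after the fourth session, while the refreshed one keeps pace with the drift for all twelve. The two-threshold design is the practitioner’s caveat on any adaptive scheme: because the stored reference moves, a match that only just clears the acceptance bound must not be allowed to move it, or a series of borderline presentations could walk the template away from its owner.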

That doesn’t rule out the idea, but it hints that ECGs might be better suited to high-security environments where they can be used in conjunction with other biometric identifiers such as fingerprints.

ECGs also face the same worries as any other biometric security system, in that the data they collect represents a target that criminals are bound to be interested in stealing.

Once compromised, biometrics cannot be easily revoked, as they depend on persistent physiological or behavioral characteristics of an individual.

Adding someone’s ECG to this would meet opposition from privacy campaigners who might point out that the tech industry doesn’t exactly have a spotless reputation for defending valuable data – and that’s before considering potential abuses by governments.

Or perhaps biometrics are just an inevitable part of the dawning era of smart authentication and people should acclimatise themselves to risks that are offset by the benefit for cybersecurity.


I think the idea of recording the value each time a user authenticates and storing that could be really powerful. For ECG, the authentication could be partly based on the discrete recording at that moment against the reference, and partly on the trend. For example if a user is going to the gym 3 times a week their ECG would trend in a particular way, so even if you recorded a user’s ECG from a month ago and tried to spoof with it, you could pass the reading/reference check but would fall foul of the trend check.

You could store all this on a blockchain for security and obfuscation.


In the not-so-distant future, pranksters of yesteryear will find latent, delayed identity theft to be an unanticipated side effect of blithely sitting on the office photocopier.


Thanks for a good chuckle, Bryan. :)


I may not always have anything constructive to say,** but I’m usually good for a wise crack***
** (Dad might propose words like seldom)
*** (no dissent from Dad on this one, aside on the word “wise”)


So if you suddenly get a heart arrhythmia (like someone I know), you won’t be able to get into your phone to call for an ambulance? Actually you can usually call 112 on any locked phone, but my point is that biometrics that can have sudden changes are surely not the way to go. Will the stress of not being able to unlock your phone create sufficient change that you are less likely to be able to match…


Maybe biometric security will evolve into multi-factor authentication, requiring a “score” over a certain value, made up of say, iris, fingerprints, face, voice, ECG…like the points added up for identification documents (passport, driver’s licence, social security card etc.).

