Open-heart nerdery: Boffins suggest identifying and logging in people using ECGs

The end of biometrics

The way things are going, with continual search for new, unique methods of indentity verification, the bottom line will be rectal print detection.

Everyone will need trapdoor trousers and will have to sit on a rectal scanner to verify who they are after the thumb print, retinal and ECG scanners.

Whenever I've had an ECG I've had to take off my shirt and have about eight contacts stuck to my torso. That alone should be enough to discourage hackers.

Novel? - Some 8 years late!!!

https://nymi.com

<quote> Nymi was founded in 2011 in Toronto, Canada, based on research conducted at the University of Toronto. The research was focused on the electrocardiogram (ECG) and its unique properties. The ECG is different for each individual, and our founding team worked to use the heartbeat as a biometric identifier for authentication.</quote>

When will people learn that biometrics are a username not a password?

Another stupid idea looking for a budget.

Boom boody-boom boody-boom boody-boom

Goodness gracious me!

Remote Detection with pacemakers...

It is little known, but some pacemakers can be remotely interrogated for things like checking ECG patterns and adjusting the pacemaker accordingly... If the pacemaker belongs to a 'person of interest', (+ - 10%) the pacemaker can also be 'LoJjacked' for convenient apprehension.

Another metrics that can't be safely replaced, as a password could be.

Unless a person can replace their fingerprint, ECG pattern, iris patterns etc etc, this is a security nightmare - as soon as criminals learn how to own and use someone else' metrics (and it's only a matter of time), that will be a nightmare.

Sceptical

I haven't read the article in depth but the summary sounds highly dubious to me, having interpreted thousands of ECGs over my career as a doctor.

The sad fact is that ECGs often change markedly over time, for a variety of reasons. Most commonly, simply subtly different placement of the electrodes may give a different picture. Heart/lung surgery will inevitably cause an alteration of the ECG. Arrthymias (commonly atrial fibrillation, which 1 in 5 will get at some point) dramatically alters the ECG, and there are a multitude of other less common arrthymias that will do the same. And yes, a heart attack will also do it, most commonly altering the ST segment (bit between the 2nd and 3rd squiggle), or the T wave (3rd squiggle). The shape of the ECG complexes can also be altered markedly by something as minor as high or low plasma potassium level, so if you eat a whole bunch (pun intended) of bananas you might be screwed for biometric access to your device. Perhaps bananas are a bad example as you have to eat a LOT to dramatically alter potassium level, but my point is that food and particularly medications like diuretics could have a significant impact on your ECG.

In terms of faking your ECG (i.e faking your biometrics), simulation mannequins are used extensively in medical training now. You wouldn't believe how life-like these massively expensive mannequins can be, and that extends to actually providing a completely realistic ECG when the electrodes are applied to the mannequin. For example in a simulation session I can make the mannequin appear to have whatever heart rhythm I want (eg. atrial fibrillation, ventricular fibrillation, heart attack etc etc) at the tap of an iPad button. I would have thought it pretty easy to provide a fake ECG for biometric authentication purposes as well if you have access to the person's original ECG, using the same technology which is already in common use.

I reckon you're better off with the rectal print authentication as previously suggested, it sounds like a less s**t method.

Like all of Biometrics it's not a very smart idea

I mean ECG is even easier to fake than fingerprints or irises. You only need a signal generator. Granted, there is a tiny advantage as you don't leave your ECG lying around you as you do with fingerprints, but in times when there are ECG watches running untrustable software, that's hardly an advantage.

What "error rate"?

"[...] error rate of about 2.4 per cent over short durations of time[...], but found that over longer periods between readings, the error rate goes up to around 9 per cent."

False positives, false negatives, something else?

If it's a false negative, there's up to a 9% chance your car won't let you drive this morning. If it's a false positive, there's up to a 9% chance that someone else will be able to steal your car.

Having done some work in the past on EEG signals, my impression is that the characteristics of physiological processes (as opposed to physiological characteristics such as finger prints and iris patterns) are excessively prone to change to be usable as a long term stable reference. Levels of excitation, illness and many other factors can play havoc with such signals.

If fingerprint sensors currently have an "error rate" of about 2.4%, we need better fingerprint sensors rather than trying to rely on some different highly variable biometric signal. I guess a lot of research of this kind is done because it attracts grants, rather than because it's likely to yield useful results in the real world.

As much as I understand the problem behind biometrics, the problem behind the problem is that we still really need an alternative that doesn't rely on fallible and likely failing human memory. Any ideas?