back to article Open-heart nerdery: Boffins suggest identifying and logging in people using ECGs

Biometric systems could use the unique patterns from a person's ECG reading for biometric sign-ons. This is according to a study (PDF) emitted this month by a trans-Atlantic pair of brains at UC Berkeley in the US and the University of Edinburgh in Scotland, who reckon electrocardiogram results are easy enough to measure, and …

  1. Michael H.F. Wilkinson

    New technology spawns new problems (or at least excuses)

    I have this vision of some of our students not being able to log in when the characteristic patterns of their ECG are disturbed by some attractive student walking by. Even if there weren't any problems I can just see this as the latest excuse for not handing in work on time. It also might create a whole new privacy issue.

    Student: "Sir, I was late handing in because I was too excited by the results I got in the lab! My heart rate was way off the scale"

    Lecturer from Hell: "I can see from the log you were excited, but our AI doubts the lab results caused that"

    1. ibmalone

      Re: New technology spawns new problems (or at least excuses)

      Or after pulling an all-nighter revising / finishing coursework. Good news when you turn up half an hour before that 12pm deadline and are too frazzled for the machine to let you submit!

      (And of course all the other stuff about biometrics being usernames not passwords, but it doesn't seem like anyone is actually listening on that...)

    2. Mark 85

      Re: New technology spawns new problems (or at least excuses)

      Worse than that. What happens when you need to unlock your phone to call emergency medical services while having a cardiac event.

      1. ibmalone

        Re: New technology spawns new problems (or at least excuses)

        This at least is okay, mobile phones let you make emergency calls without unlocking.

        Also worth knowing: on both iPhone and Android you can set emergency medical information including, an emergency contact, that can be accessed without unlocking the phone (think first responders): Although if you have a serious condition you probably want to carry the information in hard-copy form.

        1. Anonymous Coward
          Anonymous Coward

          Re: New technology spawns new problems (or at least excuses)

          if you have a serious condition you would be better off with a bracelet. The emergency services are going to go for that rather than risk potential accusations as they rifle through your pockets looking for that shiny new £1000 fondleslab... which may have already found it's way in to the pocket of that very helpful bystander who just seems to have disappeared into the crowd

  2. Chris G

    The end of biometrics

    The way things are going, with continual search for new, unique methods of indentity verification, the bottom line will be rectal print detection.

    Everyone will need trapdoor trousers and will have to sit on a rectal scanner to verify who they are after the thumb print, retinal and ECG scanners.

    1. Rich 11

      Re: The end of biometrics

      That would give an entirely new meaning to the phrase 'log in'.

      1. Korev Silver badge

        Re: The end of biometrics

        Hopefully they'll flush the buffers before they start

        1. Fungus Bob

          Re: The end of biometrics

          Of course they'll flush the buffers. My question is who will buff the flushers?

      2. Teiwaz

        Re: The end of biometrics

        That would give an entirely new meaning to the phrase 'log in'.

        You'd log out to login, and logging in would make your hair stand up

    2. JohnMurray

      Re: The end of biometrics

      They could use a rectal ultrasound probe to scan the shape of you spine etc....although how that could be accommodated at an airline check-in desk is another story..

    3. Anonymous Coward
      Anonymous Coward

      Re: The end of biometrics

      Why not a redundant or multiple measure system?

      This goes in your mouth. This one goes in your ear. And this one goes in your butt.

      No, wait...

    4. Fruit and Nutcase Silver badge

      Re: The end of biometrics

      new, unique methods of identity verification, the bottom line will be rectal print detection.

      That would be the very latest in (Number) 2-Factor Authentication

    5. Myvekk

      Re: The end of biometrics

      I'm reminded of accessing the War Room in Monsters vs. Aliens...

    6. Anonymous Coward
      Anonymous Coward

      Re: The end of biometrics

      I can't remember the movie that a butt scan was in. It was an animated kids movie. Maybe somebody can help me out before my pulse gets to high to log in

  3. Whitter
    Thumb Down

    What a dreadful idea

    Its a 30 second recording of ECG taken by that device.

    A 30 second log-in? I think not.

  4. Kubla Cant

    Whenever I've had an ECG I've had to take off my shirt and have about eight contacts stuck to my torso. That alone should be enough to discourage hackers.

    1. I ain't Spartacus Gold badge

      Especially when you pull the tape off and lose a few chest hairs.

      People who use computers a lot will effectively be forced to wax their chests. What's going to go with my gold medallion down at the disco now?

  5. simmondp

    Novel? - Some 8 years late!!!

    <quote> Nymi was founded in 2011 in Toronto, Canada, based on research conducted at the University of Toronto. The research was focused on the electrocardiogram (ECG) and its unique properties. The ECG is different for each individual, and our founding team worked to use the heartbeat as a biometric identifier for authentication.</quote>

  6. Ben Tasker

    Does that mean

    It's solved the problem of password re-use, in that I'll have a completely different log-in to my bank than that of a porn site....

    1. Michael H.F. Wilkinson

      Re: Does that mean

      Your ECG might well be very different when logging into the latter

      1. FozzyBear

        Re: Does that mean

        I don't know logging in and finding out the total of bank admin charges could get the ol' heart pumping at a similar rate

  7. fnusnu

    When will people learn that biometrics are a username not a password?

    1. Mark 85

      Which means under given conditions, you'll never be properly identified before being allowed to have a go at inputting the password.

    2. Robert Helpmann??

      Tell me quando quando quando

      When will people learn that biometrics are a username not a password?

      About the time security folks manage to reconcile "ECG is sufficiently unique to each individual and could be used for user authentication" with "an error rate of about 2.4 per cent over short durations of time... [and] ...over longer periods between readings, the error rate goes up to around 9 per cent." What this does not mention is how the statistics break out. Is that each person can expect a 2.4% error rate or 2.4% of individuals can expect a 100% error rate while the tech works every time for everyone else?

      My main concerns are the aforementioned confusion about identity as authentication and a rush to introduce lots of new metrics which will provide lots of new opportunities for poor implementation and thus new security gaps where there were none before.

  8. Anonymous Coward

    Card i/o (geddit)

    So, thinking about those data centres where you currently have to swipe in and out with a card: in future, if you are unfortunate enough to have a heart attack, you won't even be able to stagger out of the building to get help.

    1. Great Bu

      Re: Card i/o (geddit)

      "Unfortunately the deceased was unable to get his Tesla to start and autopilot him to the hospital as his progressing heart attack changed his ECG outside the security parameters...."

    2. eldakka Silver badge

      Re: Card i/o (geddit)

      That's what emergency/fire exits are for that even secure buildings must have.

  9. Gonzo wizard

    Bring on the stupid

    Lets see now:

    - Do we know how unique a heartbeat is?

    - ECG => recording kept => replay attack

    - Heartbeat could change subtly over time due to, I don't know, ageing, heart attack, medication changes

    - Once compromised, can't be changed - brilliant

    Heart beat is a potential identifying characteristic of an individual IT IS NOT A PASSWORD

    1. Loyal Commenter

      Re: Bring on the stupid

      Heartbeat could change subtly over time due to, I don't know, ageing, heart attack, medication changes

      Add to that, caffeine, stress, illness, tiredness...

      1. Fatman

        Re: Bring on the stupid asshole for a boss....

      2. eldakka Silver badge

        Re: Bring on the stupid


        not that that'll ever apply to me, honest.

    2. TechBearMike

      Re: Bring on the stupid

      Registered nurse with a lot of telemetry experience here: I agree with some of the other comments. NO ONE'S ECG is consistent enough to use as any kind of login or a password. The only perfectly consistent ECGs one ever encounters are in the lifesaving and telemetry classes, where the ECG is computer-generated. The heart is not a mechanical device, churning out identical beat after beat after beat, at least not in humans. It tries, but it's not a looping sampler. ;-)

      This is one of the nuttiest ideas I've ever heard of for using medical info. Someone missed the critical thinking course on this one.

  10. Not Enough Coffee

    Another stupid idea looking for a budget.

    1. Spoonsinger

      Hold my beer.

      Identifying and logging in via the power of dance.

      1. I ain't Spartacus Gold badge

        Re: Hold my beer.

        Any computer forced to watch me dancing, would instantly turn itself into an AI with the sole purpose of becoming self-aware so that it could wipe out the human race in revenge.

  11. Frumious Bandersnatch

    Boom boody-boom boody-boom boody-boom

    Goodness gracious me!

  12. nagyeger

    Heart attack

    As far as I ignorantly guess, a heart attack changes your ECG. It might even be permanent? You have a 'funny turn' while out in some isolated spot / server-room late at night. Suddenly your phone won't let you log in to make a call, your car won't let you drive. Don't panic... don't panic... what was that about aspirin?

  13. Anonymous Coward

    ECG still suffers from the same problem as all biometrics

    The machines/detectors don't actually read your ECG/iris scan/fingerprints/etc. They digitize those attributes of yours and then feed them into a computer that decides you should have access to a building/bank account/computer/etc. So it is no longer your analog biometric attribute, but a bunch of 1s and 0s in a file, like a word-processed document or a photo of you at the beach.

    All the bad guys have to do is get hold of your ECG or other biometrics files, and figure out a way to insert them into that computer that grants or denies access, and they get whatever access rights you have. Meanwhile, you are screwed for life because you can change a compromised password, but good luck changing your formerly unique biometrics once they are out in the wild.

    1. eldakka Silver badge

      Re: ECG still suffers from the same problem as all biometrics

      That would be viable only in a poorly implemented security system. Which, hay, to be honest, is probably most of them.

      The biometrics are usually stored like passwords, that is, as the output of a one-way hash of the input.

      Therefore to match to your stored biometrics, your biomtrics taken at 'login' time are passed through the same one way hash, and the results are compared with the stored one-way hash.

      1. Charles 9

        Re: ECG still suffers from the same problem as all biometrics

        So what's to stop a replay THROUGH the hash function? The argument is that, if it can be captured (and nigh anything passing through a wire can be captured), it can be replayed.

  14. Anonymous Coward

    Hope you don't need that to login to your phone

    Could be a problem for calling 911 when you're having a heart attack!

  15. croc

    Remote Detection with pacemakers...

    It is little known, but some pacemakers can be remotely interrogated for things like checking ECG patterns and adjusting the pacemaker accordingly... If the pacemaker belongs to a 'person of interest', (+ - 10%) the pacemaker can also be 'LoJjacked' for convenient apprehension.

    1. eldakka Silver badge

      Re: Remote Detection with pacemakers...

      With all the recent news articles (well, over the last couple of years) regarding remote hacks on implanted medical equipment, leading to several law suits and at least one instance of (legal) stock manipulation, I'd say calling it "little known" would be inaccurate, it may not quite be "common knowledge", but it is far from "little known".

  16. Temmokan

    Another metrics that can't be safely replaced, as a password could be.

    Unless a person can replace their fingerprint, ECG pattern, iris patterns etc etc, this is a security nightmare - as soon as criminals learn how to own and use someone else' metrics (and it's only a matter of time), that will be a nightmare.

  17. Anonymous Coward
    Anonymous Coward


    I haven't read the article in depth but the summary sounds highly dubious to me, having interpreted thousands of ECGs over my career as a doctor.

    The sad fact is that ECGs often change markedly over time, for a variety of reasons. Most commonly, simply subtly different placement of the electrodes may give a different picture. Heart/lung surgery will inevitably cause an alteration of the ECG. Arrthymias (commonly atrial fibrillation, which 1 in 5 will get at some point) dramatically alters the ECG, and there are a multitude of other less common arrthymias that will do the same. And yes, a heart attack will also do it, most commonly altering the ST segment (bit between the 2nd and 3rd squiggle), or the T wave (3rd squiggle). The shape of the ECG complexes can also be altered markedly by something as minor as high or low plasma potassium level, so if you eat a whole bunch (pun intended) of bananas you might be screwed for biometric access to your device. Perhaps bananas are a bad example as you have to eat a LOT to dramatically alter potassium level, but my point is that food and particularly medications like diuretics could have a significant impact on your ECG.

    In terms of faking your ECG (i.e faking your biometrics), simulation mannequins are used extensively in medical training now. You wouldn't believe how life-like these massively expensive mannequins can be, and that extends to actually providing a completely realistic ECG when the electrodes are applied to the mannequin. For example in a simulation session I can make the mannequin appear to have whatever heart rhythm I want (eg. atrial fibrillation, ventricular fibrillation, heart attack etc etc) at the tap of an iPad button. I would have thought it pretty easy to provide a fake ECG for biometric authentication purposes as well if you have access to the person's original ECG, using the same technology which is already in common use.

    I reckon you're better off with the rectal print authentication as previously suggested, it sounds like a less s**t method.

  18. Christian Berger

    Like all of Biometrics it's not a very smart idea

    I mean ECG is even easier to fake than fingerprints or irises. You only need a signal generator. Granted, there is a tiny advantage as you don't leave your ECG lying around you as you do with fingerprints, but in times when there are ECG watches running untrustable software, that's hardly an advantage.

  19. Mike 137 Silver badge

    What "error rate"?

    "[...] error rate of about 2.4 per cent over short durations of time[...], but found that over longer periods between readings, the error rate goes up to around 9 per cent."

    False positives, false negatives, something else?

    If it's a false negative, there's up to a 9% chance your car won't let you drive this morning. If it's a false positive, there's up to a 9% chance that someone else will be able to steal your car.

    Having done some work in the past on EEG signals, my impression is that the characteristics of physiological processes (as opposed to physiological characteristics such as finger prints and iris patterns) are excessively prone to change to be usable as a long term stable reference. Levels of excitation, illness and many other factors can play havoc with such signals.

    If fingerprint sensors currently have an "error rate" of about 2.4%, we need better fingerprint sensors rather than trying to rely on some different highly variable biometric signal. I guess a lot of research of this kind is done because it attracts grants, rather than because it's likely to yield useful results in the real world.

    1. Christian Berger

      Re: What "error rate"?

      Yeah and that's all with random samples, with carefully selected samples you might increase the false positive rate a _lot_, even to the point where a tiny number of samples will always be enough to log you in.

  20. Charles 9

    As much as I understand the problem behind biometrics, the problem behind the problem is that we still really need an alternative that doesn't rely on fallible and likely failing human memory. Any ideas?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like