Imagine unlocking devices, withdrawing money from an ATM, and even entering your building all without having to prove who you are. Now, imagine a world where everyone from your landlord to your bank and phone carrier knows the size and shape of your heart. Using electrocardiography, researchers at the University of Buffalo have developed cardiac scanning software that could turn your heart into such a key. And they have plans for the tech far beyond just unlocking your iPhone.
The “cardiac scan” prototype, described in a paper to be presented at MobiCom next month, uses Doppler radar to make three cardiological measurements: heart rate (the frequency of your heartbeats), heart shape (the geometric shape of your heart) and finally, heart motion, the 3D movements of your heart as it beats. After scanning a heart for the first time—a process that takes about eight seconds—the paper’s authors claim the prototype achieved an equal error rate (a standard performance metric for biometric systems) of 4.42 percent when given four cardiac cycles for recognition.
Similar to face recognition, the cardiac scanner compares the heart data of the user to information stored within the device. If it matches, the device then unlocks, without the user having to do anything else. According to Wenyao Xu, the study’s lead author and an assistant professor of Computer Science at the University of Buffalo, this system promises “continuous authentication,” meaning, once registered, users would ideally never have to log into their device again.
“Continuous and remote authentication is the dream of this community,” Xu told Gizmodo. “We really want to know who people are [up to] 500 meters away. The current convention is to use face detection or recognition, but this [cardiac scanning technology] is the first time to bring truly hard biometrics from the remote sensing perspective.”
Xu is already looking past Apple and Samsung’s much-hyped face recognition software. As he notes, biometrics have been faked before: photographs can confuse face recognition software and 3D printers can outsmart fingerprint scanners. But, while the iPhone X can seemingly be unlocked by another user pointing your own phone at your face, cardiac scans are continuous and lock out users who don’t match the pre-registered heart data.
“If we talk with someone, then they know our face. If we touch something, then hand it over, then they get our fingerprints,” said Xu. “So, the fingerprint and the face are not secure. But, as for the heart and the heart shape: it is invisible, it’s more secure, and also has liveness detection technology.”
“If people don’t want to identify themselves, they can wear a scarf, hat or sunglasses to [hide] their identity,” he continued. “But with the heart scan, there’s no way to escape. Everyone is naked under this radar sensor.”
In its white paper explaining FaceID, Apple promises to keep users’ face data on their devices, transferring it to Apple servers only with their explicit permission. Xu wants these same limitations on stored heart data, plus restrictions on the scanning radar’s range.
This is crucial, given the research team’s next steps: a second, more robust study with over 5,000 subjects (the initial paper used 82 subjects) before shopping the tech to major vendors like Microsoft, Apple and commercial airports. Eventually, Xu envisions a post-password, post-login world of instantaneous authentication: an ideal world where unlocking phones, withdrawing cash, and checking into airports are all done without having to prove who you are. If you’re willing to give up that data, of course.
“One thing I can foresee once this technology is adopted is we don’t need the login screen anymore,” he says. “It could replace traditional security checks in airports [and] can be integrated into any system that has a keyboard.”
But the chief concern surrounding biometrics isn’t how the technology operates in isolation; it’s how it compounds with other technologies. Face recognition, for example, has been combined with predictive technology to extrapolate someone’s “likelihood” of committing a crime or whether they’re gay or straight. In 2016, Walmart filed patents to surreptitiously monitor customers’ heart rates as they shop to track customer satisfaction, basically monetizing their biometric data. Does this new approach take us down a dark path of invasive, ever-present biometric surveillance? Or have we already arrived?