Researchers Use Heart Rhythms for Continuous Passive Authentication

Researchers from the University at Buffalo SUNY and the Department of Electrical and Computer Engineering at Texas Tech University have proposed a novel continuous user authentication method based on cardiac motion (a heart-based function determined by each user’s unique heart geometry). Their paper, ‘Cardiac Scan: A Non-Contact and Continuous Heart-Based User Authentication System’ (PDF), will be presented at MobiCom, Utah, October 16-20.

Unlike other methods of measuring cardiac motion, this method (called Cardiac Scan) functions without physical contact or intervention by the user. The intention is to be able to recognize a unique user based on a stored template, to know when that user is in front of the computer or other device, and know when that authorized user leaves the device. While present, the session is maintained; but as soon as the user is no longer present, the session can be closed (with precise details governed by corporate policy).

Cardiac Scan is being proposed as an alternative to and improvement on static authentication, whether that includes static biometrics (such as a fingerprint or iris scan) or is limited to passwords. The problem with static authentication — even multi-factor static authentication — is that it only happens at the beginning of a session. If the authenticated user walks or is taken away from the device, the authentication continues regardless of who is actually using the device.

Continuous authentication seeks to solve this problem by monitoring who is using the device for as long as it is used. For this to work, it also has to be non-intrusive; that is, passive or non-volitional (as described by the researchers). There is consequently much interest in new methods of continuous passive behavioral biometrics — that is, determining the user based on known habits such as keystroke patterns or gaze patterns. Notably, the U.S. Army Network Enterprise Technology Command (NETCOM) is deploying Plurilock’s BioTracker “continuous authentication cybersecurity software to protect the warfighter against adversarial identity compromise.”

To achieve their intention, the researchers have developed a sensing system based on smart DC-coupled continuous-wave radar. The result is a low-power and safe device. “We are living in a Wi-Fi surrounding environment every day, and the new system is as safe as those Wi-Fi devices,” said Wenyao Xu, PhD, the study’s lead author. “The reader is about 5 milliwatts, even less than 1 percent of the radiation from our smartphones.” 

The plan is to miniaturize the system so that it can be installed onto the corners of a computer keyboard, with the long-term aim of enabling it to be used on smartphones and at airport screening barricades. The latter, while theoretically possible, will create privacy issues since it will require cardiac motion templates retained for all travelers.

This then raises one of the primary criticisms against biometric methods of authentication: replay attacks following theft of the biometric samples. “Biometric data stored by a service provider is just as valuable a target as a database containing usernames and passwords,” points out David Emm, principal security researcher at Kaspersky Lab. “Any security breach resulting in leakage of this information is likely to have much more serious consequences than the theft of a password: after all, we can change a weak password, but we can’t change a compromised fingerprint, iris scan or in this case, the dimensions of our hearts.”


He adds, however, that “if the biometric data is stored on the individual device as opposed to the cloud, then this minimizes the risks.” Apple’s new FaceID biometric for the Apple 10 and its existing TouchID fingerprint system do just that — but it is not clear whether this would be possible for the Cardiac Scan. Certainly, any use of the system at airport screening barricades would require external storage.

Of course, replay attacks are not limited to the use of stolen templates; the term also applies to spoofing the system, for example with photos to spoof face ID and iris scanners, and latex fingerprint copies to spoof fingerprint scanners. The researchers are not unaware of this problem, although it has to be said that copying and reusing someone’s cardiac geometry presents considerable technical difficulties. 

“One major risk of using biometrics is the danger that the biometric token can be intercepted and replayed by an unauthorized party,” say the authors. “Compared to visual-based still biometrics (face/fingerprint/iris), the cardiac signal is more complex and dynamic to fake or replicate. However, there is still a chance to compromise cardiac signal under some extreme scenarios… In cardiac motion sensing, attackers might also hack into the database and obtain cardiac motion patterns or engineer the same cardiac motion sensing device to extract a user’s cardiac signal.” The potential is for some form of heart pattern skimmer similar in concept to the ATM skimming devices already in use by criminals.

Nevertheless, the fact that the researchers are aware of the problem is reassuring. “This is a great direction to go,” commented Randy Potts, MD of information security for Real Time Resolutions, a national financial services company. “Finding the biological and behavioral characteristics that make us unique is going to get us to the point of secure continuous authentication. The researchers have a good handle on the concern I would have, replay attacks. The other underlying problem with all biometrics,” he told SecurityWeek, “is that you cannot change them. When the database used for matching gets compromised, users are not able to change their fingerprint — or heart motion, in this case. I hope these researchers continue and we as a security community can solve the challenges around securing biometric data.”

So far, the proposal looks promising. The researchers’ own tests, using 78 healthy users, achieved 98.61% balanced accuracy (BAC) and 4.42% equal error rate (EER). “Cardiac Scan can measure the unique cardiac motion of individuals with regard to the cardiac moving dynamics (speed, acceleration, etc.) and heartblood circulation functionality in individuals. The system is unobtrusive, difficult to counterfeit, and easy to use,” say the researchers. Furthermore, they add, “the cardiac motion biometric is robust against time change.”
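As an added illustration, not code from the paper or the researchers, the following Python sketches the two mechanics the article describes: choosing an operating threshold from the equal error rate and balanced accuracy on match scores, and a session monitor that keeps the session open while readings match the stored template and closes it, after a policy-defined grace period, once the user leaves. The score values, the reading stream and the `SessionPolicy` knobs are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample match scores in [0, 1] against a stored cardiac-motion
# template: genuine = enrolled user, impostor = other people. Not real data.
GENUINE = [0.91, 0.88, 0.95, 0.83, 0.79, 0.90]
IMPOSTOR = [0.20, 0.35, 0.62, 0.80, 0.55, 0.30]

def equal_error_rate(genuine, impostor):
    """Sweep every observed score as a threshold; return (EER, threshold) at
    the point where false reject rate and false accept rate are closest."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        frr = sum(s < t for s in genuine) / len(genuine)     # genuine rejected
        far = sum(s >= t for s in impostor) / len(impostor)  # impostor accepted
        if best is None or abs(frr - far) < abs(best[0] - best[1]):
            best = (frr, far, t)
    frr, far, t = best
    return (frr + far) / 2, t

def balanced_accuracy(genuine, impostor, threshold):
    """Mean of the true-accept rate and the true-reject rate at a threshold."""
    tar = sum(s >= threshold for s in genuine) / len(genuine)
    trr = sum(s < threshold for s in impostor) / len(impostor)
    return (tar + trr) / 2

@dataclass
class SessionPolicy:      # hypothetical policy knobs an organisation would set
    threshold: float      # minimum match score that counts as "user present"
    grace_samples: int    # consecutive non-matching readings tolerated

def run_session(scores, policy):
    """Continuous authentication: one state per sensor reading (None = nobody
    in front of the sensor). The session opens on a match, stays open while
    matches keep arriving, and closes once the grace period is exceeded."""
    states, is_open, misses = [], False, 0
    for s in scores:
        if s is not None and s >= policy.threshold:
            is_open, misses = True, 0          # authorised user present
        elif is_open:
            misses += 1                        # dropout, stranger, or empty chair
            if misses > policy.grace_samples:
                is_open = False                # user has left: close the session
        states.append("open" if is_open else "closed")
    return states

# Constructed reading stream: user present, brief sensor dropout, user back,
# then a stranger (0.20) and an empty chair, then the user returns.
STREAM = [0.90, 0.85, 0.88, None, None, 0.87, 0.20, None, None, None, 0.91]
```

Calling `equal_error_rate(GENUINE, IMPOSTOR)` on the constructed data yields an EER of one sixth at a threshold of 0.80, and `run_session(STREAM, SessionPolicy(0.80, 2))` shows the session surviving the two-sample dropout but closing on the third non-matching reading, unlike a static login that would stay open regardless.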

Nevertheless, they know that more work is required. “Currently, our work focuses on healthy people. In the future, we plan to evaluate Cardiac Scan with people of cardiovascular diseases, such as cardiac arrhythmia or using a cardiac pacemaker.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
