Changzhi Li of Texas Tech University is developing hardware that can sense a person's unique heartbeat waveform, and researching ways to potentially use such waveforms as a biometric identifier for enhanced cybersecurity. (Photos: Courtesy of Texas Tech University)

Editor’s Note: Welcome to my weekly column, Virtual Case Notes, in which I interview industry experts for their take on the latest cybersecurity situation. Each week I will take a look at a new case from the evolving realm of digital crime and digital forensics. For previous editions, please type “Virtual Case Notes” into the search bar at the top of the site.

Biometric authentication makes hacking into a phone or computer harder than simply guessing or stealing a password. Recent technologies such as fingerprint sensors and voice recognition software have been implemented in a variety of devices to ensure that the person accessing the device is the person it belongs to.

But even traits as unique as a person’s fingerprint, voice—or even their face—can be stolen and spoofed in attempts to bypass these biometric protections. In the age of social media, many are making their faces, voices—and yes, even their fingerprints—publicly available through photos and videos of themselves. But what if there were a biometric identifier that was not as easily accessible, something more private and deeply hidden, yet able to let someone unlock their device without even having to move?

Researcher and associate professor of electrical engineering Changzhi Li of Texas Tech University envisions such a form of passive and “continuous authentication” with his “cardiac password” project, an ongoing research effort to develop sensors that could authenticate a user with only the unique waveform of their heartbeat. Li recently received a $205,418 grant from the National Science Foundation (NSF) to study heartbeat detection as a secure, reliable and convenient method of biometric authentication, and develop a device that can not only read the waveforms and differentiate between different people, but be trained to adapt to a variety of different situations, such as when a person is exercising.

Li told Forensic Magazine that the idea for the cardiac password project came out of over a decade of previous research detecting and measuring the human heartbeat.

“We have been measuring how fast (the heart beats), mainly focused on the frequency of heartbeat. But recently we started to look at the waveform of a heartbeat, and we noticed that it is possible to differentiate people with the waveform of their heartbeat,” Li said.

Li and his colleague Wenyao Xu from the University of Buffalo believe they can create a type of radar by emitting radio waves to detect and record a person’s unique cardiac waveform, collecting data similar to that collected by an electrocardiogram, or ECG. The data used for authentication is not simply the person’s pulse, or BPM, but a unique signature created by the heart that is undetectable by the naked eye and ear. 

Because the heart, unlike the fingers and the face, is inside the body, and most people aren’t posting their ECG waveforms on social media, it certainly seems possible that heartbeat waveforms could be a more secure and less “hackable” biometric—but Li and his colleague still anticipate challenges and are still in the process of determining how secure the system is and how it can be made as “spoof-proof” as possible.

“Whenever there’s a new technology, people always find out the breach. What we are trying to do is to provide something that is robust enough so that it’s going to be very difficult for other people to really break through,” Li said. “So for example, one scenario is—when I am at a public place, somebody else may also use a device to secretly pick up my heartbeat waveform and they may go back and make a phantom to mimic this kind of waveform. However, on the other side, mimicking a heartbeat waveform is not that easy, so really our question is—how difficult is it to replicate a reliable waveform? And this is actually part of our research within the next three years.”

Li predicts the first year to year and a half of the three-year project will be spent developing hardware that is sensitive enough to pick up the faint waveform signal yet still able to filter out various background noise, including other body motions. After that, the researchers will begin to develop the software to process and differentiate between signals, and tackle additional challenges such as how the device will adapt to changes in a person’s heartbeat due to physical activity, aging or medical conditions. Li explained that, like fingerprint sensors that require the user to touch the sensor multiple times, and Apple’s new Face ID, which requires the user to look at the device from multiple angles, the heartbeat sensor will need to be “trained” to identify the user by recording their waveform at varying levels of physical activity.

In addition to potentially being more secure, Li envisions that the cardiac password authentication system will also be much more convenient, allowing the user’s device to remain unlocked as long as it is close enough to sense the user’s heartbeat, only locking when they are away from it. Users won’t need to lift a finger to unlock their device—all it requires is that they are nearby and clinically alive.

“It could be too ambitious, but I think there is a possibility that one day our smartphone (…) will no longer need that face recognition or fingerprint,” Li said. “Smartphones and computers—those devices (will) check out your heartbeat waveform and give continuous authentication instead of just one time unlocking at the beginning when you use it.”