Editor’s Note: Welcome to my weekly column, Virtual Case Notes, in which I interview industry experts for their take on the latest cybersecurity situation. Each week I will take a look at a new case from the evolving realm of digital crime and digital forensics. For previous editions, please type “Virtual Case Notes” into the search bar at the top of the site.

The fingerprints and smudges you leave on your phone screen while tapping and swiping away may contain an unseen chemical “password” that could one day be used to unlock those very same devices. A team of researchers at the University at Albany propose that smartphones, smartwatches and other mobile and wearable devices could authenticate users through the unique metabolites in their skin secretions. Jan Halámek, leading author of the team’s concept paper published in ChemPhysChem earlier this year, says the project is a “spinoff” from years of work on “noninvasive sensing from the skin surface.”

“The device will measure and learn the patterns of levels of certain metabolites on your skin. It means the device will know it’s you,” Halámek explained in an interview with Forensic Magazine. “And then, in case somebody will steal it from you, like me for example, and put it on my hand—my levels are different than yours. So the device will log out or disconnect, switch off—that’s the concept.”

The team is currently looking at 10 to 12 different detectable metabolites—products of the body’s various chemical reactions that are deposited in sweat and other skin secretions—that, in combination, could be used as a unique identifier from person to person. The researchers must consider each metabolite’s detectability and degree of fluctuation in determining which combination of metabolites will best serve this purpose.

“Some of them vary a lot. I will give you very simple example—glucose varies a lot,” Halámek said. “If you will drink a juice or eat an apple, your glucose will vary a lot. And so from this point of view, glucose is not a good metabolite. So we are looking on those which are suitable. That’s one of the challenges: to find a suitable metabolite.”

However, while some metabolites fluctuate too frequently to be used as an identifier, others change gradually, and a person’s device could adapt to this while making the system even more secure. Halámek explained that the system could require an initial enrollment period lasting a few days for the device to recognize baseline patterns of levels, and then require monthly re-enrollments that will help the device keep up with a person’s changes in lifestyle, health and age. This dynamic nature of the metabolites, and the fact that they are invisible and difficult to detect without special sensors, could make it extremely difficult for anyone—even a chemist like Halámek—to copy or spoof another person’s levels.

And because everyone is constantly producing their own unique chemical “password,” this authentication method could also be more convenient, Halámek says. Noninvasive skin sensing already has incredible potential is medical diagnostics, and Halámek and his colleagues believe its usefulness can extend to other parts of everyday life.

“Noninvasive sensing on the skin surface—that’s what we think is a kind of future here now, and the application is in front of us,” he said. “Everybody needs to have a pin and password, and you need to change the password, and people are forgetting the password—like me—and so this is what you can use it for.”

Halámek’s work on skin secretions has also contributed to the forensic field, showing that a person’s sex could be determined through chemical analysis of the secretions that make up latent fingerprints, as previously reported by Forensic Magazine.   

In a previous edition of Virtual Case Notes, I spoke to a researcher from Texas Tech University working on another unique form of biometric authentication, based on a person’s heartbeat waveform. You can read about the “cardiac password” project here: