iPhone X has face recognition but this heart-scan authentication goes one better

A heart-based authentication system keeps you logged in until you walk away from the device.

Apple has gone with facial recognition for the iPhone X, but researchers reckon their new cardiac-scan authentication system is even more resilient to spoofing attacks.

Researchers have developed a continuous user-authentication system that relies on the unique measure of the size and shape of a heart as it's beating.

On a PC, rather than logging in with a password or pressing a finger to a reader, the system passively and continuously scans a user's heart and logs the individual out when he or she leaves the desk.

The Cardiac Scan authentication system, developed by researchers at the University at Buffalo, SUNY, and Texas Tech University, uses a Doppler radar to analyze a user's "cardiac motion", which is unique to each individual and measures the dimensions of the heart in its contracted and relaxed states.

As the researchers note, cardiac motion is harder to spoof than fingerprint or iris identifiers because it's only present in a person who is alive.

While it's yet to be seen whether anyone can dupe the iPhone X's Face ID, hackers tricked Samsung's Galaxy S8 iris-recognition system with a dummy eye. Hackers were also able to recreate fingerprints using high-resolution photos to beat Apple's Touch ID in the iPhone 5s.

"Cardiac scan measures the live cardiac motion, which depends on the cardiac muscle structure of the user, and therefore is impossible to completely mimic," write the researchers.

They admit, though, that hackers could still hack a database storing these cardiac-motion patterns or build another cardiac-motion sensing device to extract a user's cardiac signal.

The other advantage Cardiac Scan has over iris and fingerprint scanners is cost, since the radar can be built with off-the-shelf components. Additionally, it can be used at a longer distance, lending itself to airport security checks.

According to Wenyao Xu, the study's lead author, the system is safe to use as the strength of the radar's signal is less than that of Wi-Fi.

The pilot study included 78 healthy subjects, and the group will evaluate it with people who have cardiovascular diseases, such as cardiac arrhythmia, or people using a pacemaker.

The researchers also tested the system and countermeasures for events that could accidentally log a person out, such as differences in cardiac motion caused by stress, and the varied position of the user's body, such as when making a call or drinking water. The group says they were able to reduce the effects of each disturbance.

Xu plans to shrink the system down so it can be installed onto the corners of a computer keyboard, and notes it could be used in smartphones, too.

Xu and fellow authors will present the research at the MobiCom conference next month in Utah.
