Changzhi Li's "cardiac password" project will examine using the wave of the heart motion as an added method of continuous authentication.
One of the unique features for the upcoming iPhone X is facial recognition security, where users can simply unlock their phones by holding them up to their faces and allowing the phone's security measures to identify the correct user.
It's just the evolution of security for phones and, in general, for technology that holds sensitive or confidential material. From a passcode or password to thumbprint recognition to retina scans, experts have developed some of the most intricate means of cybersecurity authentication.
However, it seems just as soon as new means of authentication are developed and put into use, hackers find a way around them, from hacking passwords to faking fingerprints to fool biometric security systems. As soon as one wall is erected, someone else blows it up.
"Computer systems may require me to log in information every certain number of minutes or may require some kind of biometrics where I have to use my fingerprints every few minutes or, if we exaggerate, every few seconds," said Changzhi Li, a researcher in the Department of Electrical and Computer Engineering at Texas Tech University. "But this is not convenient. So the usability is very low and also, itself, has some security threats inside. Even if it asks every minute or two minutes, someone could still come in and use the computer when the user temporarily leaves the computer."
So is there some method of authentication that can't be hacked, that can't be fooled and is most convenient to the user?
The answer may lie within the human body. Li is trying to get to the heart of the matter – quite literally.
Li is working to develop a method of continuous authentication utilizing the waveform of the human heartbeat to ensure the security of sensitive information on a computer. A cardiac password, if you will.
Li's project is backed by a $205,418 grant from the National Science Foundation (NSF) to develop high-sensitivity detectors to determine the uniqueness of a person's heartbeat waveform and, if that is feasible, to perfect the reliability, performance, accuracy and security of this type of continuous authentication. The project is a collaborative effort between Li and Wenyao Xu in the Computer Science and Engineering Department at the University of Buffalo.
"What we are trying to do is sending out a radio frequency wave to track the user," Li said. "For example, you sit here with the computer, and the computer sends out a radio frequency signal toward the body and checks out the waveform of your heartbeat. We are trying to argue that, for everybody, there is a characteristic cardiac waveform."
The heart attacks back
It is that waveform that is the key. In Li's project, a computer would send out a radio signal and record data similar to an electrocardiogram (ECG), the theory being that each person's heart waveform has a unique signature that the computer could identify and that would be difficult for anyone else to duplicate to gain unauthorized access to information.
By recognizing the user's heart waveform, the system provides a level of continuous authentication to ensure the security of sensitive or classified information on a computer, from a student's grades to government documents. And the best thing, Li said, is that it does not require any additional actions from the computer user.
"We are trying to provide a solution that does not require the user to cooperate," Li said. "This system does not ask people questions or require us to do anything like type in a password or do a finger scan or face scan. You just do whatever you want to inside your office, and the system sends out a signal to check out your cardiac waveform without letting you know it is doing it."
While the project has tremendous potential in theory, there are still several hurdles to overcome before it can become a reality.
The first step in Li's project is developing the motion-sensing device. Li said he has conducted past research projects that involve developing motion-sensing devices for structures that could, for example, determine the vibration of a bridge. And even devices today could sense how fast a heart beats just by measuring the movement of the chest wall or respiration.
But this project requires motion sensing to go further, deeper and to its most sensitive levels to determine human heart waveform. There's also the consideration of safety so that the measuring devices are not detrimental to human health.
"The signal power sent out by our technology is more than 1,000 times weaker than the signal power of a cell phone," Li said. "So we think it will be pretty safe. Imagine our technology as a smart radar. The police use a radar to measure how fast a car is moving. We use this technology to monitor how fast the heart is pumping, but more precisely, we can check out what the waveform of the movement is and how that movement changes over time."
A weaker signal strength also provides an added measure of security. Because the user has to be in close proximity to the computer for the radio signal to pick up the heart waveform, the computer would, in theory, lock down when the user moves away or leaves the office.
The technology will also have to allow for changes to a person over time, as the signal could change due to factors such as heart disease, adding a pacemaker or other changes due to aging.
Li said the first year of the project will be spent building the high-sensitivity devices, what he calls the hardware side of the research. Once that is developed, researchers will work on fine-tuning the signal processing to increase the intelligence of the system, determining its feasibility.
"What we're hoping is after three years, we will know the feasibility and, if it is feasible, we will know the accuracy and reliability," Li said. "After three years, perhaps, we will think about how to move further, for example, into commercialization. But I believe that will be after three years."
Given how industrious cyber hackers are these days, the sooner the better. And it could eventually move into other areas, such as another method of hands-free cellphone operation while driving, allowing drivers to use features such as GPS without having to log out and back into the phone.
"That is a very simple example in daily life," Li said. "But for serious work, it is important to figure out how to protect the privacy of students and how to make sure nobody is messing with our grading forms and changing the grades without permission of the instructor.
"It really comes down to two questions – how can you really authenticate, and how can you perform continuous authentication?"