Heartbeat Biometrics (Bionym)
It is impossible to spoof a heartbeat: That's the claim of a new biometrics company that wants to use the signature of your heart pumping as personal identification. Is the idea quack science, or does it have promise? In this note, we examine Bionym's HeartID technology [link no longer available] and contrast to other biometric methods.
Bionym was founded as a spinoff from several research projects at the University of Toronto. Originally applied to battlefield medicine, Bionym's heartbeat detection technology uses electrocardiogram sensors to record heart rhythms. Like fingerprints, retinas, and palm print veins, no two heartbeats are the same and each have different characteristics.
Bionym describes HeartID technology as "a ground-breaking cardiac recognition system that can reliably recognize people from their ECG. The ECG can be captured from various points on the body, including the fingertips, making the system suitable to be embedded into a wide range of fixed and mobile devices."
Bionym does not have any end user products. Rather they are looking for OEM partners. The company is targeting access control vendors, since identity verification and access controls go hand-in-hand. While Bionym had no production examples of access control readers in the booth, the company claims that the material cost of adding the ECG technology to readers is less than $5 per device. We have no to evaluate this.
The company claims that authenticating heartbeats for readers, credentials, or portable electronics is low impact and high convenience: "The sensors can be positioned so that enrollment and authentication can be performed without the user having to perform any special task. They simply hold the device as they normally do, and the patented biometric recognition algorithm works seamlessly in the background to provide robust security and automatic personalization."
Additionally, they claim that it can be done even if the person is wearing gloves.
A few limitations / concerns are likely:
- The company says changes in heartbeat rate do not impact it. They showed that "tachycardia", or fast heart beat does not affect the signature of the beat, only the frequency. The company's website states "During physical or mental stress the heart rate increases. In this situation your cardiac rhythm contains more pulses than at rest. This provides HeartID with more information and will actually make identification more accurate."
- Like fingerprinting, users must make contact with reader and this can be inconveniencing. However, the developer claims that, unlike fingerprints, neither the cleanliness or conditions of the fingers will have any impact.
- The developer recommends re-recording the heartbeat template every 4 years. We have not heard of fingerprint developers with similar requirements.
Bionym's CEO suggested the technology could most easily be retrofitted into existing access applications through a change in credential. He suggested a yet-to-be design concept credential that would first require an authorized user to make valid through a heartbeat read, then could be used in normal proximity card fashion.
Fingerprint biometrics look to be the most likely competitor/alternative to this technology. While fingerprints are, by far, the most commonly used biometric in access control, they do suffer from some issues such as exclusions (worn fingerprints) or gummy bears (fingerprint), problems in cold weather and/or requiring removing of gloves.
We see potential for heartbeat biometrics but it will need to demonstrated that this can be done cost effectively and reliably, given the lack of track record for this approach.