Heartbeat as Biometric Password

There's research in using a heartbeat as a biometric password. No details in the article. My guess is that there isn't nearly enough entropy in the reproducible biometric, but I might be surprised. The article's suggestion to use it as a password for health records seems especially problematic. "I'm sorry, but we can't access the patient's health records because he's having a heart attack."

I wrote about this before here.

Posted on January 19, 2017 at 6:22 AM • 41 Comments

Comments

WmJanuary 19, 2017 6:55 AM

Heart arrhythmia (skipped beats) and heart palpitations (rapid beats) are not that uncommon and would probably ruin this method also. The method could have something to do with the electrical impulses and that might have enough spread to work. If fascist Obama were still around, such intrusive, personal data would begin to be required in your government health dossier.

Yousef SyedJanuary 19, 2017 7:11 AM

My main problem with all biometrics is the ability to copy them - they're being translated into a digital format for the computer to "recognise" them. If someone finds a way to get a copy of that biometric, there's no reason they can't use it.

I can change locks, I can change passwords; but I can't change my biometrics...

Clive RobinsonJanuary 19, 2017 7:33 AM

@ Bruce,

My guess is that there isn't nearly enough entropy in the reproducible biometric, but I might be surprised.

I'm not an expert but I know people who's proffession is getting information out of those squiggles on an ECG machine.

It turns out there is a very great deal we do not know about why the waveform is what it's "template" is and what all the very small changes means in terms of health.

In fact the latest gig for AI is going through hundreds of the traces and the medical history of the patients they belong to too get more information out[1] (if you are happy with kalma filters/estimators then welcome to step one on the ladder ;)

Yes there is a lot of information in those "analog" traces the question is "what belongs to you", "what belongs to your disease" poth physical and mental[2] and "what belongs to your lunch" etc and most importantly how you tell them appart.

If and only if you can reliably get out the "what belongs to you" and predict age and excercise related changes --of which there are a lot-- can you think about using it as a biometric. Then you have the fun of looking for sufficient "fingerprint information".

Like you I'm doubtful about finding anything close to a unique signal in all the other signals and digestive noise.

[1] http://www.bbc.com/news/health-38635871

[2] http://sciencebulletin.org/archives/9394.html

TrentJanuary 19, 2017 8:16 AM

"Yeah this year I'd really like to eat well and exercise more and take better care of myself but, you know, I'd get locked out of my accounts."

NinjaJanuary 19, 2017 8:24 AM

I'd guess that each heart has distinctive patterns that tend to repeat regardless of how fast they beat or if they have arrhythmia (the anomalies could repeat in patterns as well). Think of a cat's purring. I believe some people who love these animals have already noticed you can differentiate cats by their purring for instance and that regardless of if they are breathing faster or slower. The purr has a pattern. In any case this is a guess.

Still, as much as I don't think fingerprints should be used as password this biometric data, if confirmed, should not be used as well. I do think those unique patterns could be used as means to identify the user (user name maybe?) or PART of a security system with caveats (ie: a 3rd factor along with the password and an authenticator). Biometric data cannot be changed so once copied it would be catastrophic if used as the password.

Clive RobinsonJanuary 19, 2017 8:52 AM

@ Trent,

+1 :-)

Mind you I've a better one, my ill health is preventing me getting more excercise, due to now walking on sticks (they get caught up when you try running or swimming as for cycling... ;-)

Clive RobinsonJanuary 19, 2017 8:58 AM

@ Ninja,

Biometric data cannot be changed so once copied it would be catastrophic if used as the password.

Which is exactly the same reason it should not be used for,

I do think those unique patterns could be used as means to identify the user (user name maybe?)

Think of the disaster that is using a social security number as an ID...

Ulrich BocheJanuary 19, 2017 9:22 AM

And if your heartbeat data get compromised you'll need a heart transplant? Of course a more general problem with biometric data. The data need to be "salted" in a way so a new set of data can be created and used from the same finger/eye/heart/... after a compromise since it is rather difficult to replace the "device".

What about people with atrial fibrillations, they probably couldn't login while the condition persists (can be a day or more)? And what about pacemakers?

fredJanuary 19, 2017 9:23 AM

While it looks doubtful that the technique could be used to authenticate users, it might well prove useful to identify medical records that have been misidentified or misfiled. An anomalous entry could be used to call for inspection and validation that this really is patient E2937765's cardiogram.

TatütataJanuary 19, 2017 9:38 AM

Besides the possibility of replaying a previously recorded, there is the issue of having a
suitable trained operator to hookup the patient with half-a-dozen electrodes in the first place.

Implantable ECG spoofers/jammers anyone?

I couldn't easily locate the paper mentioned under the link "A Robust and Reusable ECG-based Authentication and Data Encryption Scheme for eHealth Systems" (i.e., in the first page of Gugl results), or by searching with the author's name, Zhanpeng Jin.

I couldn't find either patent publications under the researcher's name, or assigned to Binghamton Univ. or SUNY. I also tried under the co-author's names ( Linke Guo, Pei Huang and Borui Li), to no avail.

I did however come across interesting stuff.

Looking for "ecg biometr*" in Medline returns 11 results, half of which appear immediately relevant. (Many of these papers can be downloaded for free).

The same terms entered in IEEE Xplore yield 278 results.

And again, if you try those terms in the worldwide Espacenet patent database, you come up with 38 results, many of which with promising titles and abstracts. (US2016352727A1 filed by a company based near Ottawa looks interesting, but must they refer to human beings as being "assets" that need to be "managed"? And what kind of business is "Reticle Ventures Canada" actually involved in?)

(All results counts as of 19.1.2017).

Therefore, I conclude that this idea isn't exactly new, and already received quite a bit of interest.

So this layperson asks: WHAT'S THE DEAL? Where is the actual innovation, and why is it significant?

I'm getting annoyed by these countless marketing-type press releases put out by university, having be so often disappointed as soon as I begin to seriously look into them. For example, by examining patent application wrappers only to discover some pretty depressingly antique prior art, or to find out that the application was quietly dropped.

TedJanuary 19, 2017 10:11 AM

For the purpose of evaluating various biometric authentication systems, NIST released a "Strength of Function for Authenticators - Biometrics” (or SOFA-B) draft document for discussion.

The level of resources required to spoof various biometric authentication methods -- fingerprint, face, iris, and voice -- are reviewed in Table 1 “Spoof presentation attacks separated by levels based on time, expertise, and equipment.”

At level C, the source of a 'substituted' biometric characteristic is more resource intensive than at earlier levels. Such being that a spoofed characteristic for an iris scan at that level might be a ‘high quality photo in near IR,’ while for a voice scan it might be ‘multiple recordings of voice to train synthesizer.’

Though this is the opposite circumstance of someone needing access to care I suppose authentication must be considered from both angles.

https://www.nist.gov/itl/tig/strength-function-authenticators-biometrics

TomHJanuary 19, 2017 11:12 AM

Remember that fingerprints and DNA databanks only store a subset of the biometric and so provide false positive matches

Clive RobinsonJanuary 19, 2017 11:50 AM

@ TomH,

Remember that fingerprints and DNA databanks only store a subset of the biometric and so provide false positive matches.

In the case of fingerprints this "subset" was just a way to classify and catalog the cards. Much like the Dewey Decimal system is used to index books in a library. The analyst was supposed to then get the cards in the clasification subset and make a direct visual comparison.

As we now know the process was flawed as the clasification abd cataloging was subject to interpretation and error and thus cards could be in the wrong place. The actual comparison also suffered from the analysts confirmation bias.

As for DNA there have been and still are problems with the way that works but "don't shoot the golden goose" by mentioning it ;-)

David LeppikJanuary 19, 2017 12:33 PM

I find the paper's premise of using heartbeat patterns to secure medical records dubious. Having a heartbeat doesn't imply consent, nor is a heartbeat available when medical records are needed.

However, having just started using an Apple Watch, I can see how this could be useful as one biometric component that may help us get away from passwords.

When you put an Apple Watch on, it is locked until you enter a PIN. After that, it constantly measures your pulse; no pulse, and it locks. If I slide a piece of paper between my watch and my wrist, it locks immediately.

The watch can be used to access a credit card or automatically log into a nearby computer. So it would be valuable to have a biometric to augment the PIN.

Password-based security is currently the weak link in computer security. Any password with sufficient entropy is impossible for users to remember, especially given the vast number of places which need their own authentication.

In the physical world, we don't normally use passwords for security. We use a combination of biometric features, physical tokens, and social cues to establish that we're talking to the right person and not an imposter. That's where computer security needs to end up, but we're a long way from being there.

A watch that can vouch for a person's identity with 80% confidence, combined with facial recognition, voice recognition, etc., could ultimately provide better security than even a really good password. But you would need a toolchain that is trustworthy for the needs of all parties.

MikeAJanuary 19, 2017 1:35 PM

@David Leppik
---
But you would need a toolchain that is trustworthy for the needs of all parties.
---

That ship sailed at least a decade ago. Probably more.

Clive RobinsonJanuary 19, 2017 3:12 PM

@ David Leppik,

I can see how this could be useful as one biometric component that may help us get away from passwords.

@Wael and myself have just been discussing this on another thread.

The point of contention is that we can not get rid of passwords if society is to retain any semblance of freedom.

Put simply of the three factors of What you "Know, Are, Have" the legislature has OKed guard labour to force the "Are & Have" factors against your will. Thus you have no freedom of choice with those just pokice state compulsion. Only the What you Know factor gives you choice and the freedom that comes with it.

Thus we need to look at ways to expand the "Know" in ways that are easy for the average human mind but hard for the Guard Labour and their technical measures.

I've proposed temporal and geolocation in addition to a passphrase/word. That is you would need to be at a certain place at a certain time and enter the passphrase to generate the secret. Broadly passphrase, place and time are orthagonal, which limits the technical measures available to the guard labour.

Whilst passphrases are hard for humans remembering a time and place for most is trivial, thus playing to human strengths not weaknesses.

The hard part will be ensuring that the place and time can not be done in a virtual way by technical measures that might become available, and it is something I'm giving active thought to.

WaelJanuary 19, 2017 3:24 PM

@TomH,

Remember that fingerprints and DNA databanks only store a subset of the biometric and so provide false positive matches.

That's what they want you to believe. They store a set of supersets.

@Clive Robinson,

"don't shoot the golden goose"

That would be detrimental to the whole community! To pluck just one feather is rather risky.

using a heartbeat as a biometric password.

Passbeat© is more descriptive. However, as @Anura and @Dirk Praet mentioned in the linked thread, Biometrics are comparable to an ID, not a proof of an ID.

The ultimate biometric mechanism, in my opinion, is to hash the human-being by using a one way trap door function and spitting out the result. It's OTH, though: One Time Hash, very limited usages.

On a more serious note, brain waves have better prospects of acting as a BioPassWavePattern mechanism. Research in this area indicates that it possible to extract information of what the subject looks at. Future research predicts that we'll be able to view dreams of the subject under test.

The authenticating person will just think of the password or image, and the brain waves will be used for authentication. At least this mechanism is somewhat under control of the person. Heartbeat can only be controlled by a yoga master, so I hear. Implications are: NSA will have more job openings for yoga masters. These guys can login to anyone's account. Show them an EKG, and they'll mimic it in a "heartbeat". They may also hit two birds with one stone and hire a Yoga master proctologist.

trsm.mckayJanuary 19, 2017 4:00 PM

@David Leppik

I agree with thrust of your comment, my view on biometrics is that they can provide higher levels of authentication assurance. And a wearable device can even reduce the hassle factor by continuous monitoring (prior to this, the quality of the biometric authentication was directly proportional to the amount of hassle the user had to go through). I will point out headsets (like the Microsoft HoloLenses) can provide even higher levels of authentication (because they have cameras pointed at the eyes). Of course this tech also dramatically increases the chance of invasive privacy violations.

My comments from Bruce's last mention of heartbeat biometrics are still relevant: https://www.schneier.com/blog/archives/2015/08/heartbeat_as_a_.html#c6704027

@Clive

I sympathize with your goals. I am sure you have thought of, but you did not mention directly in your post: the normal password problem of entering passwords without being monitored is becoming much more serious in this coming age of ubiquitous video cameras. Ultimately I think we agree where the solution will come from, authentication through a fusion of different factors.

I thought I posted some comments a few years ago, like the discussion of why I dislike the 3-factors of authentication, but quick searches have not found them. Basically I think we should consider authentication on a per-transaction basis (with additional factors and higher accuracy required for more sensitive actions). The other discussion was the use of fusion, where the factors are not stand-alone, but combined to make the collective authentication stronger than the individual factors. Classic example is combining voice, facial recognition, and lip movement when reading back a random challenge. Another example might be a keypad with fingerprint recognition on each key, combined with finger-angle and character entry speed dynamics while entering the password.

None of this is perfect, or always appropriate, but by letting the user select from biometric (and other) factors that are appropriate for them, and the devices they are using, they are much more useful then some biometric skeptics think.

Clive RobinsonJanuary 19, 2017 4:06 PM

@ Wael,

The ultimate biometric mechanism, in my opinion, is to hash the human-being by using a one way trap door function and spitting out the result. It's OTH, though: One Time Hash, very limited usages.

How environmentally unfriendly...

As you probably know swine are considered unclean in many parts of the world, however few these days know why this is.

They will eat almost everything including human waste and each other. It has long been suspected that certain mobsters in the UK had farms in Essex where pork was raised so that getting rid of a body after a hit, was relativly simple.

The well known female artist Madonna was at one time married to a british film director who produced a couple of gangster movies where this was brought up. The senior villain said to a younger member that the only problem was that the pigs did not digest teeth, so you had to go through the muck when cleaning the stye to gather the teeth up...

So not just effective hashing but recycling as well :-S

WaelJanuary 19, 2017 4:46 PM

@Clive Robinson,

As you probably know swine are considered unclean in many parts of the world

I probably know. I also probably know they taste the closest to human flesh, so say cannibals. Their DNA is too close to the human DNA as well, hence they act as disease transport agents of deaseases that wouldn't directly infect humans otherwise, and...

so you had to go through the muck when cleaning the stye to gather the teeth up...

Now that's a dirty job!

So not just effective hashing but recycling as well

I wouldn't be surprised if this method has been used. Other methods include an acid tub or to bury the body in quicklime. I'm sure you're aware of a dozen more methods.

Clive RobinsonJanuary 19, 2017 4:50 PM

@ trsm.mckay,

I am sure you have thought of, but you did not mention directly in your post: the normal password problem of entering passwords without being monitored is becoming much more serious in this coming age of ubiquitous video cameras.

Yes a very long time ago, I christened them "end run attacks" and gave as an example a small CCTV mounted in the ceiling space to shoulder surf, when chatting to @Nick P.

Since then things have moved on and it's been found that the 5GHz WiFi signals when using multiple receive antennas will alow finger movment to be detected with better than 80% accuracy. Similarly a "spike mic" or equivalent attached to a desk will produce 95% or better key detection.

What I was envisioning was a device that had the generated "shared secret" in it and communicated via low power Phased Near Field Communications thus leveraging the MIMO secrecy advantages. The actual data would be fully encrypted by symmetric key encryption with key exchange by either PKcerts or Diffie-Hellmen. The device would have a combined fingerprint reader and fourway cursor button where not only did you have to swipe your fingerprint but then rock the reader to "enter a gesture" to move a cursor from a random point on a screen to one or more randomly placed numbers on the screen. Enter the movment to the right "PIN" number and the shared secret would be correctly sent. Enter it incorrectly and not only would a fake secret be sent the actuall secret inside the device would be erased.

To regenerate the secret within a short period you would have to go to the right place at the right time and enter a recovery PIN. If you did not then you would have to use an alternative method of regenerating the secret by using out of jurisdiction shared MofN secret holders. An idea that @Nick P and myself came up with quite some time ago when working out how to cross a border without having the decryption key for a FDE drive etc. The main idea behind it was that you had a way you could demonstrate to a judge that you did not nor could not know the secret.

There are still some wrinkles to think through, but it's getting there bit by bit.

Clive RobinsonJanuary 19, 2017 5:09 PM

@ Wael,

I'm sure you're aware of a dozen more methods

I was told a few years ago by someone who should know that the least suspicious way is to use enzime based "biological laundry powder and a little water"...

If you've ever got some on your fingers when doing the laundery, you might have noticed it makes the slippery. Apparently it's working away, not unlike costic soda and saponification of your fingers...

I did a little experiment with a lump of shin beef a zip-lock plastic bag and a cup of biological powder and a third of a cup of water. Yup it disolved the beef to a disgusting gloop way faster than I expected.

Dirk PraetJanuary 19, 2017 5:45 PM

@ Clive, @ Wael

They will eat almost everything including human waste and each other.

Which in itself (to me) is not that much of a problem. Their hosting a series of both lethal and non-lethal parasites is.

@ trsm.mckay

... by letting the user select from biometric (and other) factors that are appropriate for them, and the devices they are using, they are much more useful then some biometric skeptics think.

To put it in a very simple way: the password never was the problem. The userid was. Replacing that part by a suitable biometric is a step forward. Complement those two with some type of token, and you have a commercially viable, yet reasonably secure solution.

As to the usefulness of this particular type of biometric, I think @Trent pretty much nailed the problem.

George Scott HollingsworthJanuary 19, 2017 5:52 PM

@Clive Robinson

Think of the disaster that is using a social security number as an ID...

I believe the disaster is using a social security number as an authenticator or without an authenticator. A social security number is an ID. If we would just all realize SSNs must be authenticated then we can stop trying to treat them as secrets.

@all

The process we are discussing is Identification and Authentication (I&A). Identification and identifiers really do not need to be kept secret. Authenticators do need to be kept secret. When an authenticator can no longer function to authenticate an identity it is no longer any good. You must then establish a new authenticator. Biometrics do not meet this changeability requirement.

I view "what you are" is nothing more than your identity and not suitable to authenticate said identity. Much like trying to define a word while using the word in the definition.

There are many issues with I&A implementations. This thread has not even touched on the the proverbial tip, let alone the iceberg.

WaelJanuary 19, 2017 7:10 PM

@Anura,

I don't know why everyone scoffs at me when I tell them the problem is solved:

Don't pay attention to them! They're in denial.

Brain computer interface, with an implant that stores asymmetric keypairs

They sort of exist. Pretty fascinating technology. I'm interested in eye / (YouTube link) artificial retinas and optic nerve interfaces. Reading and staring at screens for extended hours came with a hidden cost[1]. Current (not future) research shows that images one looks at can be probed, and this is old news... One day the government will be able to spy not only on what you think, but also on your dreams! Perhaps that'll be a more humane form of torture, too: control their dreams and give them the worst form of nightmares...

The retina isn't just a light receptor; it's also a sophisticated DSP that encodes light into patterns before transmitting it to the optic nerve.

The day when we can have a (YouTube link) bionic super eye (look at the specs! Pretty good for the time), like Steve Austin, the Six million dollar man don't seem that far away. Let 'em scoff all they want.

Your key-pair implant isn't more complex than an artificial retina and optic nerve interface.

Any early adopters? I can rush it to be the first to the market.

Would you do it if it were available? I wouldn't mind to try a bionic eye or three.

[1] And he says what?

trsm.mckayJanuary 19, 2017 7:25 PM

@Dirk

Actually I don't think of biometrics as a good User Id replacement. This is because biometric data has variance (because humans change, and the biometric acquisition is less than perfect) which only gives a confidence range, and once you start comparing the confidence range against a large set of potential matches you are much more likely to have false positive matches (recall the issues with doing facial recognition at a public place to find targeted individuals, even 99% confidence match generates tons of false alarms). I think you can only get high assurance biometric authentications if you include some additional User Id factors.

My take on the value of biometrics: detecting the presence of a human -- ideally the specific human you are trying to authenticate (to some level of confidence); and in some cases as a "what you have" factor (e.g. using a particular phone to generate the biometrics).

Having mentioned data variance, I think you and @Trent are jumping to conclusions. The heart rate biometric I am familiar with was not particularly bothered by heart rate speed (e.g. aerobic exercise did not affect false positive or rejections rates much). But I suspect there are other medical conditions (like a heart attack) that would impact it, so I have some doubts about the hospital use cases mentioned in the research paper, would definitely like to see more data on that. I should not forget to be explicit, and point out the big problem of trying to use this, or any, biometric as a simple password replacement.


@Clive
I did a little experiment with a lump of shin beef a zip-lock plastic bag and a cup of biological powder and a third of a cup of water. Yup it disolved the beef to a disgusting gloop way faster than I expected.

LOL - because of course you did this type of experiment.

And while I am busy pointing out things that Clive knew, but did not happen to mention in this thread (yet), we are both assuming that your biometric acquisition devices can achieve a certain level of trust. Not that I really want expand on that right now, see some other thread for discussions on trusted devices :-)

ab praeceptisJanuary 19, 2017 8:16 PM

Just a sidenote (unrelated to biometric ...).

As I'm just at it I thought I'd share that with you. ssh, yet another smelly animal in the weirdo ssl zoo, shows how idiocy works:

You have a server and you want user bob to be able to scp only (but not to login). Easy, you think, just give bob nologin as shell? Nope, wrong, won't work.
You need to (install and) use yet another program, e.g. rssh.

And why is that so? Because ssh does *not* simply do scp. Rather it runs a shell to do it (which, of course, for most happens to be bash). Priceless. Reminds me of the man who said one shouldn't assume evil intention when blunt stupidity can explain it as well.

Unfortunately, there is a pattern, namely the ignorance and arrogance to just merrily add features and programs and algorithms and config settings rather than building tightly specified and rock solid blocks.

I'm waiting for them to introduce xml as config format. Oh and: Why can't we have a flash player in ssh?

Clive RobinsonJanuary 19, 2017 11:34 PM

@ George Scott Hollingsworth,

I believe the disaster is using a social security number as an authenticator or without an authenticator.

No you've missed the point about identifiers like the SSN, they are a unchangable thus a single point of failure, that unwarrantedly alows data to be aggregated.

The social reality is that people are not just a hunk of meat with a label attached. I know that Governments and their guard labour want to make it that way, but that alone should tell you it's a bad idea. Then the fact they want to make guard labour anonymous behind badges of rank should be ringing alarm bells in your ears. Whilst preventing you knowing the ID and full name of their other employees should be flashing red warning lights in your eyes.

Much as many people think otherwise, we don't interact with people but the roles people have.

Thus you are son/daughter to your parents, Mum/Dad to your children, cousin / aunt / uncle etc to your other relatives. Likewise you have different roles to the various people you work with / for and you have diffent roles with your bank / credit card company / health care insurer / doctor / etc.

Each role has an identity and each person has many roles that should not cross over. After all if you fall into dispute with a trades person who did what you consider shoddy work in your home you don't want them posting up your SSN and saying you were a trouble maker and having your employer see it and reminding you about the bringing into disrepute clause in your employment contract (this has actually happened in the past). Likewise if the senior officers in the company you work for make bad decisions and cost customers significantly you don't want their behaviour reflecting on other roles in your life.

The "role of roles" is something most people in the design side of the ICT industry do not seem to grok, which says a great deal about their limitations of perspective. This is especialy true of those that are responsible for general function devices and applications, where serial numbers, and configurations become faux identities. It's this nonsense that brings drone attacks down on innocent civilians.

In the TAO catalogue one of the most chilling statments was "Find Fix and Finish" because there was no "Identify" between Fix and Finish. The assumption behind FFF was that the token being sought was the person, when clearly it is not. If a terrorist uses a phone for a few days and sells it on that does not make the buyer the terrorist, in the same way buying a car should not make you liable for the previous owners parking fines etc.

There is a lot more to this messy aspect of roles that few care or want to think about, whilst others make lots of false assumptions about them that are positively harmfull.

Clive RobinsonJanuary 20, 2017 12:16 AM

@ trsm.mckay,

The heart rate biometric I am familiar with was not particularly bothered by heart rate speed (e.g. aerobic exercise did not affect false positive or rejections rates much).

Don't confuse "short term" and "long term" effects. You would not expect any short term change with excercise in any muscle in the body. That is if you could do ten arm curles with a 10Kg weight today before it started to hurt, you would expect that to be the same in an hours time when the arm has recovered. However if you started doing it every day, after a month you would expect a considerable increase, with lesser increases for each month there after. Even though the heart is "smooth muscle" and uses different nerve types (ie sodium gate is not TTX sensitive) you will see long term changes with a continued change in excercise behaviour.

As for,

LOL - because of course you did this type of experiment.

Yes I did, because I'm a great believer in "testing" because although people mostly tell you the truth, they usually do not tell you the whole truth, because they don't consciously know the whole truth, just their perspective. After all science is not realy about the general but the exceptional.

To give you an idea, we all know that wax melts into a liquid and returns to a solid when cooled. But how many know about what goes on in the transition or plastic stage?

Back many years ago when I was a preteen playing with the red wax that is found around Edam cheese and it taught me a very valuable lesson. Which quickly went on to me being able to make fake fingerprints just from what I had observed... There is probably no way I would have discovered that from just reading about wax melting, or being told by a science teacher... Theoretical science is fine but it's the experimental scientists that get to see the exceptions by which our knowledge of the universe moves forwards.

Which brings us to,

we are both assuming that your biometric acquisition devices can achieve a certain level of trust.

Actually no I'm assuming that they will fail, it's the how and how long it takes that is of interest to me so that timing and mitigation can reach a usable sweet spot.

The reason is from the "I think therefore I am" perspective. We as in our brains do not experience the world, it's the sensors of our distant nerve endings that do. If you can stimulate them in some other way or interface/interfere with the conduction path the the brain will see a false reality.

The same is true for computers, all they "see" is "information" it's the transducers that measure the world and convert it into information that the computer sees. Most attacking "technical measures" work by attacking the information or the information channel, not the transducer. Therefore I'm looking at ways to slow down the way any technical measures can be brought to bare on a token and how long etc it takes the attacker.

That is I'm trying to lock the intangible information into a tangible physical object that I know can be breached, the obly real question being "how and how long".

WaelJanuary 20, 2017 2:01 AM

@George Scott Hollingsworth,

There are many issues with I&A implementations. This thread has not even touched on the the proverbial tip, let alone the iceberg.

Name a thread that touched the iceberg on any technical subject.

Dirk PraetJanuary 20, 2017 4:45 AM

@ trsm.mckay

Actually I don't think of biometrics as a good User Id replacement. This is because biometric data has variance

Just to be clear on this: I only think of them as a valid userid replacement for as far as they are immutable. Those that are prone to high levels of variance in either short or long term introduce additional layers of complexity, false positives and false negatives, making them unsuitable for any type of commercially viable solution.

Ergo SumJanuary 20, 2017 5:53 AM

@Yousef Syed...

I can change locks, I can change passwords; but I can't change my biometrics...

The vulnerable authentication subsystem, be that local or remote, is mainly responsible for the erosion of confidence in password. I find it ironic/funny the type of advises dished out, if and when a user authentication database stolen. Things like use strong password, passphrases, change it frequently, etc. Like it would make a difference at the next time the passwords are stolen...

You are correct... When biometrics become main stream, it'll be a "speed bumps" for hackers to retool and major problem for people to deal with the result. There has been ample time for securing authentication subsystems that has not taken place as of yet. I don't foresee that this will happen anytime soon...

The legal ramification of biometric authentication has not been mentioned in this discussion, or I just didn't see it.

There had been number of legal cases in the US, where the judge ordered that the suspect unlock the fingerprint protected device. Some legal scholars agree that the Fifth Amendment does not provide protection for something physiological or biometric. Password on the other hand, what you know, it is protected by the fifth. At least for now...

Sancho_PJanuary 20, 2017 4:23 PM

Re: Authenticator

Probably there is no technical solution because it’s not a technical problem?
I think the problem with authentication goes back to the problem of trust.

Let’s assume Alice and Betty are twins.
Both claim to be Alice, and e.g. claim a particular banking account.
We’d have to decide ‘face to face’ who’s who.

Let’s see which options we have (here with @Clive Robinson’s listing):

1, Something you are (biometric).
2, Something you have (token).
3, Something you know (passphrase).
4, Some place you are (geo_loc).
5, Some time window (temporal).
6, Someone you know (verifier).

The first would be useful only if we have a trusted reference - and more …

For the second, a simple passport (kinda authenticated token) doesn’t help, because
both will claim to be the rightful owner of the “Alice” passport.

The “what you know” might be helpful but in reality it will fail, esp. with twins,
even security questions or challenge / response aren’t suitable here.

The geo-loc and temporal authenticator fail because both twins are here in front of us at the same time.
Btw., in case I’m going to fly from Madrid to Oslo I could inform the teller that my next log in will be from Oslo - but at an unexpected stopover in Paris I wouldn’t have access, and next day in Oslo my time window would be closed then (?).

Just the “someone you know”, a verifier, could tell us who is Alice -
but the trust problem is back as it shifts our burden of prove to someone else. Who is the verifier (is it mom?), is she right and does she tell us the truth?
[In case of a third party passphrase - snippet to access my account the trust in the snippet would not be an issue, but it would shift the burden to my authenticating and accessing that third party snippet, replay of it included]

All that said, only the biometrics would (several prerequisites aside) be a useful authenticator.
At the same time it renders our possibility (it’s not a right) to remain silent to null.

... However, the biometrics (think of a fast DNA sensor in place of today’s fingerprint sensor) prerequisites again are all about trust.
Trust in the reference, the methods and devices, and in the IT world it also means trust in processing and transmission.
Clearly a no go in our all lifetime.

I’m afraid we are damned to the “know” because we are humans.
And the “know” of a static passphrase is insecure.

Jen Gold StockholmJanuary 22, 2017 1:40 PM

@ WaeL

"The authenticating person will just think of the password or image, and the brain waves will be used for authentication. At least this mechanism is somewhat under control of the person. Heartbeat can only be controlled by a yoga master, "

Ken Wilbur doing the equivalent with his brainwaves

https://www.youtube.com/watch?v=LFFMtq5g8N4

WaelJanuary 22, 2017 2:47 PM

@Jen Gold Stockholm,

Ken Wilbur doing the equivalent with his brainwaves

He apparently did the equivalent of "resist password extraction". Interesting, but the engineer in me says I'll have to conduct the experiment with him to validate what he demonstrated. Not that I am doubting it, but just to vouch for the validity of the "test". I could also stop thinking for a second or three, no more.

Jen Gold SJanuary 22, 2017 8:22 PM

@ Wael

' He apparently did the equivalent of "resist password extraction" '


maybe he needs to be one-time hashed and salted into what Thoth calls Secret Sauce?

c'mon Ken, share the love around baby


WaelJanuary 22, 2017 8:57 PM

@Jen Gold S,

maybe he needs to be one-time hashed

He'll need to demonstrate that he can control the patterns first! He was only able to show a 00000000 pattern. This password is way too strong! It's only suitable for this sort of task.

Then he'll need to change his password, and show us he is able successfully login with the new password. You might find this Implicit Passwords relevant thread of interest...

WaelJanuary 22, 2017 9:19 PM

@Jen Gold S,

maybe he needs to be one-time hashed

Sorry, seems @r's ailment is highly contagious. I just got another Epiphany...

I forgot to mention that One Time Hash is reserved for 'Evil Doers'. That's how you make them Evil "Diders" :-)

HeartOfDarknessJanuary 27, 2017 3:02 PM

Every here is saying the right things. Not enough entropy. Any ECG certed tech (almost anyone in the hospital) can tell you that while your wave is regular, not necessarily unique. Timing the wave components is dubious. Cardio events can leave permanent reminders in your wave and a random murmur would jack up your access. Also consider how this would be measured... not with efficiency. Count the electrodes for a hyper accurate measurement. You would also have shave or wax your chest. Hairs screw up a reading. ECG is not as precise as people think, nor could an easy to use tool be deployed with any success; not without being hacked.

"I need you to take off your shirt before I give you access."
No.

"We couldn't retrieve your data because you drank a RedBull."
My bad.

You also have to pay for the electrode supplies. Mainlining such a system would be expensive as hell, and overrated. I'm not a fan of biometric security.

HeartOfDarknessJanuary 27, 2017 3:13 PM

Also, I forgot to mention the logic failure in the article, since I used to be certed in this:

"The ECG signal is one of the most important and common physiological parameters collected and analyzed to understand a patient's' health," said Jin

No, actually, it is not a common collection anymore. You have ER, heart patients, and infants with ECG collection. Permanent primary diagnostics are elsewhere. Most of the patients where time/money is wasted on an ECG have changing conditions. That would not be a primary candidate for ECG-based encryption. You would have to be predominantly healthy to use this, not a patient that required an ECG. This is a waste of brain. Somebody is trying to re-sell ECG or finish a thesis paper.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.