Ask HN: [Feedback Request] ECG Based Authentication
6 points by Alesis_Novik 4310 days ago
Hey Guys,

Who: We are two ( http://sutas.eu ) ( http://alesisnovik.com ) Computer Science & Electronics graduates from the University of Edinburgh.

What: We’re making an ECG (electrocardiogram - i.e. your heart signal) based authentication device. A first prototype will be a small USB-enabled device which you can stick on the back of your laptop/desktop screen. It will have two touch sensors where you place your index fingers for authentication.

One can store a private key and your ECG template on the device. For example it could be used in: two factor auth; logging into your user/OS; decrypting your HDD; filling master passwords...

Why: Passwords suck. We believe that because you’re already unique you should not be required to remember passwords or carry additional items with you. (plus it’s awesome!)

Progress: So far we've made proof-of-concept hardware (on a breadboard) and software library. We are able to successfully identify a set of 50 people with 98% accuracy.

Feedback: We’re looking for feedback on:

1) the idea (e.g. passwords are fine as they are)

2) proposed implementation (e.g. no one will want to stick something to their screen)

3) possible use cases (e.g. driver identification in a car)

4) would you use it? (we’re thinking of releasing dev kits soon)

5) how much would it be worth for you?

P.S. If you're interested in a demo kit sign up https://docs.google.com/forms/d/1imZBazwucEn0IpnH9TwBEERP4aUZ0fqVXbs31vEiOT8/viewform and we will keep you posted.

3 comments

Seems like a brilliant idea. But a few questions come to my mind.

1. Are ECG patterns unique to a person? I believe if they are, then they are not as unique as a fingerprint.

2. I believe the ECG will change dramatically if a person has a panic attack or abrupt mood changes (e.g. under severe stress) or develops any heart condition. How do you control that ECG pattern and normalize it?

3. How will it be better than just fingerprint-based authentication? I mean if you can develop a good biometric based on fingerprints, that should be enough. Right?

4. Of course, it will have the potential to be used in medical devices, where a patient using a medical device can use it to lock out access by others for data privacy reasons.

5. I would be interested in using it, but the price should be in the $50-$60 range (however, that is my personal opinion).

Good luck guys.

Thanks for the reply!

1) Research suggests that because of the way your heart is formed, the ECG signal is as unique as your fingerprint; the only question is the ability to extract the relevant information, which we achieve using the latest research.

2) Structural changes to the heart (e.g. heart attack) would change your ECG. For this we would provide 1-time login codes so the person can update the signature. For non-structural changes there are methods for signature normalization (e.g. http://jrnlappliedresearch.com/articles/Vol6Iss4/hosmane.pdf)

3) Most of the fingerprint scanners require a repeated swiping motion, while our method is passive. Good fingerprint scanners are also more expensive than our projected price. Finally, it is a lot harder to spoof an ECG, while you leave your fingerprints everywhere you go.

4) Thanks for the suggestion! We will definitely look into that.

5) That is our target initial price. With scale, we will be able to do it even cheaper.

1) I agree passwords suck and they need to be replaced. I'm not sure that I want to tie my identity using biometrics to every service that I use.

2) My ThinkPad has a fingerprint sensor in the palmrest. That's a sub-optimal location for your sensors?

3) Expand from identity into pseudo-health. Sell it as a toy and avoid (possibly illegally) the regulation, or get the certs and sell a quality device for medical uses. Telecare is big.

4) I would use it if it worked across my Windows machine, my iPhone, my Linux machine.

5) I have zero money. It's probably worth the same as a Yubikey. (Yubikey is almost perfect, but not quite.)

EDIT: I've just started taking Ramipril for blood pressure. Would that change my ECG enough for the machine to not recognise me?

Thanks for the reply!

1) A solution to this is token- or password-store-based methods, so that you would never disclose your signature to the service provider.

2) The location for the electrode is fine, but until we can get the laptop manufacturers to integrate the rest of the board, it would have to be external.

3) That is actually one of the applications/selling points we are thinking about. The initial run would be dev-kits, which avoids legislative issues.

4) Windows and Linux will definitely be supported. Unfortunately Apple/Mac OS/iOS are too closed source for a straightforward integration. That being said, I am sure we will find a way.

5) While the initial launch might not hit that price, with scale it is definitely achievable.

6) While we are not sure about the effects of the specific medication you are taking, research suggests that ECGs are invariant to non-structural changes.

I like the idea. Please answer the questions asked by @subrat_rout