

Ask HN: [Feedback Request] ECG Based Authentication - Alesis_Novik

Hey Guys,

Who: We are two ( http://sutas.eu ) ( http://alesisnovik.com ) Computer Science & Electronics graduates from the University of Edinburgh.

What: We’re making an ECG (electrocardiogram - i.e. your heart signal) based authentication device. A first prototype will be a small USB-enabled device which you can stick on the back of your laptop/desktop screen. It will have two touch sensors where you place your index fingers for authentication.

One can store a private key and your ECG template on the device. For example it could be used in: two factor auth; logging into your user/OS; decrypting your HDD; filling master passwords...

Why: Passwords suck. We believe that because you’re already unique you should not be required to remember passwords or carry additional items with you. (plus it’s awesome!)

Progress: So far we've made proof-of-concept hardware (on a breadboard) and software library. We are able to successfully identify a set of 50 people with 98% accuracy.

Feedback: We’re looking for feedback on:

1) the idea (e.g. passwords are fine as they are)

2) proposed implementation (e.g. no one will want to stick something to their screen)

3) possible use cases (e.g. driver identification in a car)

4) would you use it? (we’re thinking of releasing dev kits soon)

5) how much would it be worth for you?

P.S. If you're interested in a demo kit sign up https://docs.google.com/forms/d/1imZBazwucEn0IpnH9TwBEERP4aUZ0fqVXbs31vEiOT8/viewform and we will keep you posted.
======
subrat_rout
Seems like a brilliant idea. But a few questions come to my mind.

1. Are ECG patterns unique for a person? I believe if they are then they are
not as unique as a fingerprint.

2. I believe the ECG will change dramatically if a person has a panic attack
or abrupt mood changes (ex. under severe stress) or any heart condition
development. How do you control that ECG pattern and normalize it?

3. How will it be better than just fingerprint-based authentication? I mean
if you can develop good biometrics based on fingerprint that should be
enough. Right?

4. Of course it will have the potential to be used in medical devices where a
patient using a medical device can use that to lock access to others for
data privacy reasons.

5. I will be interested to use it but the price should be around the
$50-$60 range (however, it is my personal opinion).

Good luck guys.

~~~
Alesis_Novik
Thanks for the reply!

1) Research suggests that because of the way your heart is formed, the ECG
signal is as unique as your fingerprint, the only question is the ability to
extract the relevant information, which we achieve using the latest research.

2) Structural changes to the heart (e.g. heart attack) would change your ECG.
For this we would provide 1-time login codes so the person can update the
signature. For non-structural changes there are methods for signature
normalization (e.g.
http://jrnlappliedresearch.com/articles/Vol6Iss4/hosmane.pdf)

3) Most of the fingerprint scanners require a repeated swiping motion, while
our method is passive. Good fingerprint scanners are also more expensive than
our projected price. Finally, it is a lot harder to spoof an ECG while you
leave your fingerprints everywhere you go.

4) Thanks for the suggestion! We will definitely look into that.

5) That is our target initial price. With scale, we will be able to do it even
cheaper.

------
DanBC
1) I agree passwords suck and they need to be replaced. I'm not sure that I
want to tie my identity using biometrics to every service that I use.

2) My ThinkPad has a fingerprint sensor in the palmrest. That's a sub-optimal
location for your sensors?

3) Expand from identity into pseudo-health. Sell it as a toy and avoid
(possibly illegally) the regulation, or get the certs and sell a quality
device for medical uses. Telecare is big.

4) I would use it if it worked across my Windows machine, my iPhone, my Linux
machine.

5) I have zero money. It's probably worth the same as a Yubikey. (Yubikey is
almost perfect, but not quite.)

EDIT: I've just started taking Ramipril for blood pressure. Would that change
my ECG enough for the machine to not recognise me?

~~~
Alesis_Novik
Thanks for the reply!

1) A solution to this is token or password store based methods, so that you
would never disclose your signature to the service provider.

2) The location for the electrode is fine, but until we can get the laptop
manufacturers to integrate the rest of the board, it would have to be
external.

3) That is actually one of the applications/selling points we are thinking
about. The initial run would be dev-kits, which avoids legislative issues.

4) Windows and Linux will definitely be supported. Unfortunately Apple/Mac
OS/iOS are too closed source for a straightforward integration. That being
said, I am sure we will find a way.

5) While the initial launch might not hit that price, with scale it is
definitely achievable.

6) While we are not sure about the effects of the specific medication you are
taking, research suggests that ECGs are invariant to non-structural changes.

------
atmosx
I like the idea. Please answer the questions asked by @subrat_rout

