User heartbeat-another potential biometric candidate
There has and always will be data of a sensitive and confidential nature throughout the business. This has and will continue to take different forms, including payroll data, intellectual property, credit card information, and other data not generally in the public’s view. To gain access to this, people will continue to need to be authenticated and validated. This acts as the gatekeeper for access to this.
This appears to be a simple enough use of the function. This is however being complicated by the vast amount of confidential and sensitive data being created daily. This increase is due to the number of businesses operating, but also the increase in data deemed as confidential. There are new state and federal regulations and statutes requiring this data to be secured. To not secure this may incur fines and other legal issues, which would be a detriment to the business.
To secure this requires time, effort, and energy. The resulting tool to accomplish this task needs to be useful. The chosen tool has to be workable within the environment to complete the authentication process. There may be a tool available with a false positive rate of 0.00000005%, however if it overly security focused and not workable with the staff, the implementation will be an issue. This leads to the second point of this needs to be simple. If the tool is well overly complicated to put into place and use, there would be the opportunity for the implementation to break-down. The last point is the solution needs to be cost-effective. If the solution, while perfect, is overly priced, senior management is not likely to approve this.
One of the options for this issue is using a person’s electrocardiograph (ECG). This could be used to encrypt and decrypt data. The ECG functions to measure the user’s heart electrical activity and would be used as the key, and also as a password.
This is a bit of an usual, but provides a viable option. The person’s ECG is a well known measurement. The ECG is widely used and measured in the medical setting. This test is not new to the medical establishment or industry. This is generally used to analyze the person’s health status. The measurements are read by medical professionals to gauge the patient’s health. The cost for this is not significant. These tests are widely done across the planet, and are easily done by the respective personnel. This measurement has been proven to be a stable recording for each person.
As noted, this is a stable measurement for the person. With this solution, there are fewer computational resources used. As these tests are completed so frequently, the ECG itself has been relegated to a simple process that is easily done.
The encryption and decryption functions, while theoretically not overly taxing, may produce a lag time the users initially would notice. There are the home computers and servers however that are well capable of completing the desk.
This also simplifies the process in that there are no passwords for the user to forget, the IT Help Desk does not have to reset these, and there is the ease of use for the user.
This does appear to be the near perfect scenario. The user simply has to show up and be living to decrypt data and other functions associated with security. Although this is viable from the initial review, there are still issues to resolve.
The ECG is a stable measurement. The issue is not with the tool recording the measurement. The potential issue is the source of the measurement. The user, as a person, may not exhibit a stable heartbeat over time. There are changes over the long-term due to the person’s age, any illness affecting their cardiac system, or injury. In the short term, the user may drink, for example, too much caffeine, which may affect their heart.
Also, in the case where the patient passes on, there would be rather immediate issues for the business. The sensors could not be placed on the body and hope to retrieve the data. The data is encrypted. Based on the protocol used, this could be encrypted for several lifetimes worth of guessing what the key is (brute force attack).
Also, attackers are looking to exfiltrate data to be sold on the darkweb. One of these data sets may be the ECG, which is used as the key. The primary issue with this is the user is not able to alter, modify, or update their heart or the readings recorded from this organ as it naturally works. A password is able to be changed, which makes this option a bit more flexible. This has happened in the near past with certain government agencies, as the agencies were compromised. The government employee’s fingerprints, and other biometric measures were liberated. Imagine you being the government employee, and receiving the letter or email expressing the apology that your biometric data, e.g. fingerprint, had been compromised. As this is sold as part of a batch several times across the globe, the potential for significant issues increase significantly.
The enterprise is always looking for better methods to encrypt data in order to protect it. The need for this security is weighed against the user’s need for ease of use and flexibility. In the present environment, having a static view on this point is problematic at best. One method to resolve the issue is utilizing biometrics for the key for encryption. This is a great idea, however there are issues involved with this. In time, possibly this will change.
Binghamton University. (2017). Heartbeat could be used as password to access electronic health records: Researchers use heart’s electrical pattern as encryption key for electronic records. Retrieved from www.sciencedaily.com/released/2017/01/170118125240.htm
Cimpanu, C. (2017, January 22). Your heartbeat as a password-Smart or stupid. Retrieved from https://www.bleepingcomputer.com/news/security/your-heartbeat-as-a-password-smart-or-stupid/
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.