arxiv: 1906.09181 · v1 · pith:YIUZCFHYnew · submitted 2019-06-21 · 💻 cs.CR · cs.SY · eess.SY

A Key to Your Heart: Biometric Authentication Based on ECG Signals

Pith reviewed 2026-05-25 18:54 UTC · model grok-4.3

classification 💻 cs.CR · cs.SY · eess.SY
keywords ECG biometric · consumer-grade monitor · user authentication · electrocardiogram · biometric authentication · error rates · heart signals

The pith

ECG signals from consumer-grade monitors can authenticate users with 2.4% error in one session and 9.7% across sessions four months apart.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper tests ECG signals as a biometric by collecting heart electrical activity from 55 people using an affordable consumer monitor. Data was gathered in two sessions separated by four months to check stability over time. A standard classifier produced error rates of 2.4% when matching data from the same session and 9.7% when matching data from different sessions. These numbers indicate that ECG patterns remain distinctive enough for authentication even without medical equipment. The work shows a path toward using a naturally occurring body signal for login that is difficult to replicate.

Core claim

The paper establishes that ECG signals collected using a consumer-grade monitor can be successfully used for user authentication, as shown by error rates of 2.4% for data collected within one session and 9.7% for data collected across two sessions separated by four months in experiments with 55 participants.

What carries the argument

A standard classifier trained on features from ECG signals recorded by a consumer-grade monitor, evaluated on both same-session and cross-session data.

If this is right

  • Authentication systems could adopt consumer ECG monitors as a practical biometric option without requiring medical hardware.
  • ECG patterns collected months apart still support usable matching for login purposes.
  • Biometric methods gain an additional signal source that is always available from the body.
  • Security applications become feasible on lower-cost devices that include basic heart monitoring.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Wearable devices already equipped with heart sensors could add ECG authentication as a feature.
  • Error rates might drop further if ECG data is combined with other biometrics in the same device.
  • Storing ECG templates for authentication raises questions about long-term privacy of health-related signals.
  • Testing over periods longer than four months would reveal whether the patterns remain stable for years.

Load-bearing premise

The 55-participant dataset and standard classifier evaluation protocol adequately capture real-world variability and avoid overfitting or selection effects that would inflate reported performance.

What would settle it

A follow-up experiment with hundreds of participants in everyday conditions that yields error rates well above 10% would show the reported performance does not hold.

Figures

Figures reproduced from arXiv: 1906.09181 by Donald Sannella, Nikita Samarin.

Figure 2: ECG variation among 8 individuals. Template Classification. In order to match biometric templates with the provided identity, we experimented with several machine learning algorithms, including logistic regression, k-nearest neighbors, and support vector machines (SVM). We chose SVM as our final model and performed 5-fold cross-validation to select the hyperparameters for the model using 80% of data as t…
Figure 1: ECG monitor connected to the smartphone applica
Figure 3: Peak detection using a threshold based on the running mean.

Original abstract

In recent years, there has been a shift of interest towards the field of biometric authentication, which proves the identity of the user using their biological characteristics. We explore a novel biometric based on the electrical activity of the human heart in the form of electrocardiogram (ECG) signals. In order to explore the stability of ECG as a biometric, we collect data from 55 participants over two sessions with a period of 4 months in between. We also use a consumer-grade ECG monitor that is more affordable and usable than a medical-grade counterpart. Using a standard approach to evaluate our classifier, we obtain error rates of 2.4% for data collected within one session and 9.7% for data collected across two sessions. The experimental results suggest that ECG signals collected using a consumer-grade monitor can be successfully used for user authentication.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper claims that ECG signals from a consumer-grade monitor can serve as a biometric for user authentication. It reports an experiment collecting data from 55 participants across two sessions separated by four months, achieving 2.4% error within a session and 9.7% error across sessions via a standard classifier evaluation, and concludes that the approach is viable.

Significance. If the inter-session result is shown to arise from a fully subject-independent and session-stratified protocol without data leakage, the work would provide useful evidence that affordable ECG hardware can support temporally stable biometrics, addressing a practical gap between medical-grade and consumer devices in authentication research.

major comments (2)
  1. [Evaluation Protocol] The manuscript refers to a 'standard approach' for classifier evaluation but provides no explicit description of the train/test partitioning for the inter-session case. It is therefore impossible to verify whether the 9.7% figure was obtained with a subject-disjoint, session-stratified split (training only on session-1 data and testing on session-2 data) or whether feature extraction or hyper-parameter selection had access to both sessions.
  2. [Methods] The central claim that the 9.7% inter-session error demonstrates usable biometric stability rests on the assumption that session-specific artifacts were not exploited. Without a description of how signals were pre-processed, how features were selected, and whether any cross-session information was used during model development, this assumption cannot be assessed.
minor comments (2)
  1. [Abstract] The abstract and results section should state the exact consumer-grade device model, sampling rate, and any signal-quality rejection criteria applied before classification.
  2. [Results] Reproducibility would be aided by reporting the precise feature set and classifier type rather than the generic phrase 'standard approach'.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for their thorough review and valuable comments on our manuscript. We address each of the major comments point by point below, providing clarifications and indicating the revisions we will make to improve the description of our evaluation protocol and methods.

  1. Referee: [Evaluation Protocol] The manuscript refers to a 'standard approach' for classifier evaluation but provides no explicit description of the train/test partitioning for the inter-session case. It is therefore impossible to verify whether the 9.7% figure was obtained with a subject-disjoint, session-stratified split (training only on session-1 data and testing on session-2 data) or whether feature extraction or hyper-parameter selection had access to both sessions.

    Authors: We acknowledge that the manuscript lacks an explicit description of the train/test partitioning, which is necessary for verification. The inter-session evaluation was conducted using a subject-disjoint and session-stratified split, with the model trained solely on data from session 1 and tested on data from session 2. No data from session 2 was used in training, feature extraction, or hyperparameter selection. We will revise the manuscript to include a detailed description of this protocol in the evaluation section. revision: yes

  2. Referee: [Methods] The central claim that the 9.7% inter-session error demonstrates usable biometric stability rests on the assumption that session-specific artifacts were not exploited. Without a description of how signals were pre-processed, how features were selected, and whether any cross-session information was used during model development, this assumption cannot be assessed.

    Authors: We agree that more details on the methods are required to substantiate the claim. The preprocessing involved standard filtering techniques applied independently to each session's data, and features were selected based on training data only. No cross-session information was utilized during model development. We will expand the Methods section to provide a comprehensive description of the signal preprocessing, feature selection process, and model training procedure. revision: yes
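
The session-stratified protocol at issue in the referee's first major comment, as an added example that is not from the paper or from Pith: enrol on session 1 only, fit feature scaling on that data alone, and score session-2 probes. The feature vectors are constructed synthetic data, the nearest-template distance matcher stands in for the paper's SVM, the equal error rate is assumed as the error metric, and all function names are hypothetical.

```python
import math
import random

def eer(genuine, impostor):
    """Equal error rate for distance scores (smaller distance = better match)."""
    best_gap, best_rate = None, None
    for t in sorted(set(genuine) | set(impostor)):
        far = sum(d <= t for d in impostor) / len(impostor)  # impostors accepted
        frr = sum(d > t for d in genuine) / len(genuine)     # genuine users rejected
        if best_gap is None or abs(far - frr) < best_gap:
            best_gap, best_rate = abs(far - frr), (far + frr) / 2
    return best_rate

def fit_scaler(rows):
    """Per-feature mean and std, fitted on enrolment (session 1) data only."""
    cols = list(zip(*rows))
    means = [sum(c) / len(c) for c in cols]
    stds = [math.sqrt(sum((x - m) ** 2 for x in c) / len(c)) or 1.0
            for c, m in zip(cols, means)]
    return means, stds

def scale(row, scaler):
    return [(x - m) / s for x, m, s in zip(row, *scaler)]

def evaluate(enrol, probe):
    """enrol, probe: {subject: [feature vectors]}. Returns the EER of the split."""
    scaler = fit_scaler([v for vs in enrol.values() for v in vs])
    templates = {s: [sum(c) / len(c) for c in zip(*(scale(v, scaler) for v in vs))]
                 for s, vs in enrol.items()}
    genuine, impostor = [], []
    for subj, vs in probe.items():
        for v in vs:
            x = scale(v, scaler)  # probes reuse the enrolment scaler: no refit
            for claimed, tmpl in templates.items():
                (genuine if claimed == subj else impostor).append(math.dist(x, tmpl))
    return eer(genuine, impostor)

def make_sessions(n_subjects=15, n_features=8, beats=8, noise=0.05, drift=1.0, seed=7):
    """Constructed data: each subject's features shift by `drift` between sessions."""
    rng = random.Random(seed)
    s1, s2 = {}, {}
    for subj in range(n_subjects):
        base = [rng.gauss(0, 1) for _ in range(n_features)]
        later = [b + rng.gauss(0, drift) for b in base]
        s1[subj] = [[b + rng.gauss(0, noise) for b in base] for _ in range(beats)]
        s2[subj] = [[b + rng.gauss(0, noise) for b in later] for _ in range(beats)]
    return s1, s2

def run():
    s1, s2 = make_sessions()
    enrol = {s: v[:4] for s, v in s1.items()}                   # session 1, first half
    intra = evaluate(enrol, {s: v[4:] for s, v in s1.items()})  # session 1, held out
    inter = evaluate(enrol, s2)                                 # session 2 only
    return intra, inter

if __name__ == "__main__":
    print("intra-session EER %.3f, inter-session EER %.3f" % run())
```

Fitting the scaler or choosing the threshold on pooled data from both sessions would let session-2 statistics reach the model, which is the leakage the referee asks the authors to rule out.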

Circularity Check

0 steps flagged

No circularity: empirical performance report with no derivation chain

The paper presents an empirical study: data collection from 55 participants across two sessions using a consumer-grade ECG device, followed by standard classifier training and evaluation to report error rates (2.4% intra-session, 9.7% inter-session). No mathematical derivation, first-principles prediction, uniqueness theorem, or ansatz is claimed or used. The central result is a direct measurement of classifier performance on the collected data under the described protocol; it does not reduce to any fitted parameter or self-citation by construction. This is a standard empirical evaluation and therefore self-contained against external benchmarks.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Only the abstract is available, so the ledger is necessarily incomplete. No explicit free parameters, axioms, or invented entities are identifiable from the provided text.
