As the watch and phone learn my heart rate pattern, I don't understand why this information couldn't be used to unlock, authenticate and authorize things rather than just used for health measurement.
For example, automatically unlocking the smartwatch (after being put back on after a while) or unlocking the phone without additional authentication or facial recognition being needed, just by detecting heart rate from visible skin of the face and neck.
1) It can detect it's on my arm or that a face is looking at the phone. 2) By pairing the detected heart rate with the collected heart rate pattern it can unlock the watch.
Similarly, as I wear the watch (given it continuously monitors my HR) when I pick up my phone, my HR is detectable by the front facing camera of my phone and could easily be verified against the HR coming off the watch (or the recognizable and stored pattern, but that's another use case).
So here are the typical counter arguments I know:
It's sensitive data and shouldn't be used
- it is sensitive data and as such it should be stored in the secure module like the Fingerprint data, and we as users should have the right to choose, much like we do with the fingerprints, if we want this information used or not, so I agree
Not everybody uses a Watch or has continuous HR monitoring on
- ofc, this is only for people who do and/or who have had a sufficiently recent and sufficiently detailed HR pattern stored so that the camera can detect and compare it with the stored pattern if needed.
The heart rate cannot be monitored, at a distance, by the camera
You can already keep your phone unlocked while in proximity of your watch
- You can also lock your phone with a pattern, but it does make for a low security option. Let's say you are asleep and the phone is charging and you are wearing the watch - your phone is unlocked without you being aware. Alternatively, the phone should detect you are in a sleeping pattern, but I don't believe it does (haven't been able to test this yet).
HR patterns are not unique
- oh yes, yes they are: https://www.technocracy.news/unique-heartbeat-signature-detected-from-250-yards-away/
So this would only be used to authenticate me on my phone?
- each time I take off my watch and put it back on, as soon as a sufficiently good pattern is recognized, the watch unlocks itself, doesn't wait for me to unlock it by typing in the PIN (I hate that)
- each time I look at my phone while wearing a watch it unlocks automatically as it can instantly pair current heart beat with two sources: the camera and the watch
- whenever there is a recent enough and sufficiently good enough HR pattern stored for me, the device can use the camera to establish the pattern of the person watching it and compare it with my stored one to authenticate me, even while the watch is not worn
- Samsung could authenticate 3rd party requests with this type of service, much like it allows 3rd party apps to use authentication done via fingerprint reader (https://securityintelligence.com/news/new-heartbeat-monitor-lifeline-bank-authentication/): banking apps, e-commerce, Samsung SSO...
Why use HR pattern at all
- because the increased use and data sources might only help in early detection of heart problems (unexpected, but true benefit)
- because our cameras can already do it as showcased above and why wouldn't we benefit from this possibility as users (esp if our governments can https://www.digitaltrends.com/cool-tech/pentagon-heartbeat-identification/)
- because soon our headphones will also be able to detect our HR, so with two or three sources this biometric data becomes much more reliable than passwords
- because I want security to finally work seamlessly as I'm sick and tired of remembering/changing/typing passwords, selecting boats from images or verifying I know who my kindergarten teacher is
- because we need a solution for the elderly that will be unique for them but will not require them to learn new tech skills (good selling point for the watch also, apart from health reasons)
- because if the pandemic taught us anything - it is that facial recognition doesn't resolve the problems due to masks and fraud - heart rate takes liveness detection to new levels, taking over authentication from facial recognition, mitigating issues with masks, beards/shaving, glasses, sunglasses etc.
Would you use this if it existed? What do you think?