Bipko Biz Digital News


Earbud sensors can authenticate users by their heartbeat, study finds

May 26, 2026  Twila Rosenbaum

Researchers have developed a continuous authentication system called AccLock that identifies a wearer by the tiny vibrations a heartbeat makes inside the ear canal. The signal comes from an accelerometer of the kind already sitting inside many wireless earbuds, so no extra hardware is needed. The point is to keep verifying that the person wearing the device is the legitimate user long after the initial unlock. This approach addresses a fundamental flaw in most current biometric systems: they authenticate once at the start of a session and then assume the same user remains in control. By passively monitoring the wearer's unique cardiac signature, AccLock can revoke trust the moment the earbud changes hands.

How the System Works

Each heartbeat sends a small mechanical pulse through the body. In the ear, that pulse shows up as a ballistocardiogram, or BCG signal, that an accelerometer can pick up. Ballistocardiography is a well-known technique in medical monitoring, but its application to authentication is relatively new. AccLock cleans up the raw motion data, extracts features tied to the wearer’s cardiac pattern, and compares those features to a registered template. If the match is close enough, the session stays trusted. If it drifts, the session gets revoked. Registration takes about six minutes of sitting still, and the authors show usable accuracy with as little as two minutes of enrollment data. Each authentication decision works on a four-second window, with a sliding step that updates the trust state roughly every half second. This means the system can detect an intruder within a few seconds of a handoff, a requirement for any practical continuous authentication system.
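
The windowing and revoke-on-drift loop described above, as an added Python example; it is not AccLock's code. The 100 Hz rate, four-second window and half-second step come from the article, while the autocorrelation features, distance threshold, three-miss debounce and the synthetic signals are assumptions constructed for illustration.

```python
import math, random

FS = 100                   # Hz, prototype accelerometer rate (from the article)
WIN = 4 * FS               # four-second decision window (from the article)
STEP = FS // 2             # roughly half-second sliding step (from the article)
LAGS = range(10, 101, 10)  # assumed feature lags, in samples
THRESHOLD = 0.5            # assumed match threshold on feature distance
MAX_MISSES = 3             # assumed debounce: consecutive misses before revoking

def synth_bcg(seconds, bpm, harmonic, seed):
    """Constructed stand-in for an in-ear BCG trace: pulse + one harmonic + noise."""
    rng, f = random.Random(seed), bpm / 60.0
    return [math.sin(2 * math.pi * f * n / FS)
            + harmonic * math.sin(4 * math.pi * f * n / FS)
            + rng.gauss(0, 0.05) for n in range(int(seconds * FS))]

def features(window):
    """Normalised circular autocorrelation at LAGS (illustrative features only)."""
    n, energy = len(window), sum(v * v for v in window)
    return [sum(window[i] * window[(i + k) % n] for i in range(n)) / energy
            for k in LAGS]

def windows(signal):
    """Yield (end time in seconds, samples) for each sliding decision window."""
    for end in range(WIN, len(signal) + 1, STEP):
        yield end / FS, signal[end - WIN:end]

def enroll(signal):
    """Template = mean feature vector over all enrollment windows."""
    feats = [features(w) for _, w in windows(signal)]
    return [sum(col) / len(feats) for col in zip(*feats)]

def monitor(template, stream):
    """Return the time (s) at which trust is revoked, or None if it never is."""
    misses = 0
    for t, w in windows(stream):
        dist = math.dist(features(w), template)
        misses = misses + 1 if dist > THRESHOLD else 0
        if misses >= MAX_MISSES:
            return t  # stays revoked until the user explicitly re-authenticates
    return None

def handoff_demo():
    template = enroll(synth_bcg(120, 60, 0.5, seed=1))  # two-minute enrollment
    owner = synth_bcg(20, 60, 0.5, seed=2)              # legitimate wearer
    other = synth_bcg(20, 90, 0.3, seed=3)              # different wearer
    return monitor(template, owner), monitor(template, owner + other)
```

Because a window must fill with the new wearer's signal before it clearly mismatches, the worst-case detection latency in this model is the window length plus the debounce interval.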

Reported Accuracy

The headline numbers from a 33-person study are decent. Across sitting, lying down, light head movement, and even music playback at high volume, the system kept error rates in the low single digits. Older and younger users, men and women, and even people with several common heart conditions all landed in roughly the same range. The study included participants with bradycardia, tachycardia, coronary heart disease, and premature beats, demonstrating robustness across a wide range of cardiac health profiles. This is important because any biometric system that works only for healthy young adults would have limited deployment potential.

The more interesting test was the one that matters for security: what happens when the legitimate wearer takes the earbud out and someone else picks it up. The system caught the handoff within a few seconds in almost every trial. That is the entire point of continuous authentication, and on this one task the design held up well. The authors noted that even when the legitimate user simply removed one earbud, the system flagged the change and required re-authentication. This level of sensitivity is critical for scenarios like shared devices in workplaces or public kiosks where a single user may be interrupted.

Where It Struggles

The system held up fine for desk work and casual movement. Walking knocked accuracy down noticeably. Running broke it almost completely. Talking also caused problems, since jaw motion and shifting contact with the ear produce vibrations in the same range as the heartbeat itself. Including some talking samples during enrollment recovered part of that loss, but the effect was not entirely eliminated. These limitations are not surprising; any accelerometer-based system will be challenged by high-amplitude, unpredictable motion. The researchers acknowledge that AccLock is best suited for stationary or low-activity environments, such as office work, reading, or listening to music while seated.

Long-term drift is another open question. Accuracy held steady for about six weeks and started slipping by week eight, which the authors attribute to gradual changes in fit, posture, and behavior. A background refresh routine using high-confidence samples seems to keep the profile current, but the study only ran for two months. What happens at six months or a year is anyone’s guess. Over time, earbud cushions wear down, the user’s hearing may change, or even subtle weight fluctuations could alter the acoustic and mechanical coupling. These factors make long-term biometric templates inherently unstable, and AccLock will need adaptive mechanisms to remain reliable across years of use.

A small group of users also produced consistently worse results than the rest, likely due to anatomy and how the earbud sits in the ear. Until that gap closes, any deployment would need a fallback for the people the system simply does not read well. This is a common problem in biometrics: fingerprints, iris scans, and face recognition all have populations where the feature extraction fails. For AccLock, the issue may be structural, such as narrow ear canals or unusual bone conduction properties that dampen the BCG signal. The researchers did not specify the proportion of such users, but it was enough to affect the overall error rates.

The Hardware Question

The prototype used a custom 3D-printed earbud with a standard commercial accelerometer running at 100 Hz. That sampling rate matters. Apple AirPods expose only heavily downsampled motion data, around 25 Hz, to third-party developers. The team did get the system running on AirPods using a lightweight retraining step, but error rates roughly doubled, from around 3% to around 7%. Workable, less accurate, and dependent on vendor cooperation if anyone wanted to ship this at scale. The 25 Hz limitation means that higher-frequency components of the BCG signal are lost, reducing the feature richness and making it harder to distinguish between users. A dedicated hardware accelerometer running at 100 Hz or more would be ideal, but most consumer earbuds prioritize power efficiency over sensor bandwidth. Vendors would need to either increase the sampling rate for third-party apps or embed the authentication logic directly in firmware.

How This Fits the Threat Picture

Most consumer biometrics, including face and voice, have well-documented spoofing problems involving printed photos, deepfake audio, and silicone replicas. A BCG signal is harder to capture from a distance and harder to replay, since it arises from the wearer’s own cardiac mechanics inside the ear canal. The paper leans on that physiological origin as the basis for spoof resistance. Unlike fingerprint scanners that can be fooled by gelatin copies or face unlock that can be bypassed with high-resolution photos, a heartbeat signal is generated internally and requires physical contact with the ear canal. An attacker would need to either recreate the exact cardiac waveform or inject vibrations that mimic the wearer’s pattern, both of which are non-trivial without direct access to the person.

It is worth being honest about what was tested and what was skipped. The 33-user study covered movement, posture, environment, BLE packet loss, music playback, and several cardiac conditions. However, the study did not test against an active adversary attempting to inject vibrations, replay a captured BCG stream, or reconstruct a target’s cardiac signature from other sensor data. Continuous biometric streaming over BLE also raises a privacy surface that the paper does not address. Any production deployment would need a hard look at both. For instance, an attacker with physical proximity could potentially eavesdrop on the accelerometer data transmitted from the earbuds to a paired device, capturing the biometric template in transit. Encryption and secure enclaves would be essential, but these add cost and complexity.

The Session That Never Expires

The persistent problem with biometric login is that it usually happens once, at the start of a session, and the trust never expires. An attacker who grabs an unlocked phone, an unlocked workstation, or an unlocked earbud inherits everything. Passive biometrics that run quietly in the background are one of the more credible answers to that problem, since they cost the user nothing and can revoke trust the moment the wearer changes. This concept is known as continuous authentication or active authentication, and it has been explored in academic research for decades. Wearable sensors like smartwatches that measure heart rate or galvanic skin response have been used in prototypes, but earbuds offer a unique advantage: they are in direct contact with the ear canal, which provides a relatively stable mounting point for the accelerometer and isolates the BCG signal from external vibrations.

AccLock is one of the first published designs to do this from a sensor that already ships in mainstream earbuds, with no speaker output and no required user action. The accuracy numbers are competitive with other passive biometric proposals, the energy overhead is small, and the failure modes are documented. Whether it ever reaches a shipping product depends largely on whether earbud vendors decide to expose raw accelerometer data to developers, which they currently do not. Apple, for example, provides motion data through the Core Motion framework but applies heavy filtering and downsampling to protect battery life and user privacy. Without access to raw 100 Hz data, the authentication accuracy degrades below an acceptable threshold for high-security applications.

For now, treat it as a useful data point on where continuous authentication research is heading: away from explicit gestures and shared secrets, toward signals the body produces on its own. The vision is a world where devices trust their users implicitly and continuously, without ever asking for a password, a fingerprint, or a face scan. However, that vision will require collaboration between biometric researchers, hardware manufacturers, and privacy advocates to ensure that the solutions are secure, inclusive, and transparent. AccLock represents a step forward, but it is only one piece of a much larger puzzle. As the Internet of Things expands and wearable devices become more prevalent, the need for seamless, always-on authentication will only grow. Whether BCG signals become the standard or are eventually replaced by other biometric modalities such as brainwave patterns or vascular imaging remains to be seen, but the direction is clear.


Source: Help Net Security News

