Skull vibrations could be your next password
Modern life requires lots of connections to apps and websites. Even with a password manager, it can be difficult to remember all that login information. Using a fingerprint, eye, or other biometric data may result in privacy concerns. A new security system could solve this password problem using vibrations in our skulls.
Newly designed software called VitalID uses tiny vibrations generated by heartbeats and breathing that pass through the skull. Like our fingerprints, these patterns are unique to an individual’s facial tissues and bone structure. VitalID is designed for use in extended reality settings and was presented at the ACM 2025 Computer and Communications Security Conference.
What is XR?
Extended reality (XR) includes virtual reality, augmented reality, and mixed reality technologies that blend digital content with the physical world. XR systems, including Viture, MetaQuest and Oculus Rift, are best known in the gaming world. However, this technology extends to finance, medicine, education and remote work. As its scope increases, the security of XR systems becomes more and more urgent.
“Extended reality will play a major role in our future,” Yingying Chen, co-author of the study and a computer engineer specializing in remote sensors at Rutgers University in New Jersey, said in a statement. “If immersive systems are to integrate into everyday life, authentication must be secure, continuous and effortless. »
How VitalID works
VitalID uses simple biology to solve these user experience and security issues. Even when we sit, our body moves in subtle ways. Every breath and heartbeat creates tiny vibrations that travel through the neck and into the head. Once they reach the skull, they cause the head to shake slightly. Since each skull has a different shape, thickness and bone structure, the vibrations change uniquely as they move.
As a result, we all produce a distinct vibration pattern in our skull. Motion sensors already found in virtual reality headsets can detect these tiny patterns and determine who is wearing the device.
“We don’t need to add any additional devices or hardware,” Chen said. “It only requires software.”
In their study, Chen and the team tested 52 users over a 10-month period using two popular XR headsets. Their system correctly authenticated legitimate users more than 95% of the time. Importantly, it rejected unauthorized users over 98% of the time.
They also built a filtering system that removes interference from additional head and body movements, such as head nodding. This allows the headset to focus only on the tiny vibrations in the skull caused by an individual’s breathing and heartbeat. They then used computer models to analyze the skull’s vibration patterns.
According to Chen, these vibrations can be harder to imitate because they travel inside a person’s bones and tissues. Although a person can mimic another person’s breathing pattern, they cannot as easily replicate the biomechanical properties of another person’s skull. The headset would constantly detect these subtle vibrations to confirm that the right person is using it.
A next generation solution
XR headsets now store confidential documents, personal accounts and access to web services. However, entering passwords in a virtual environment based on gestures can be tricky. Two-factor authentication often breaks immersion, and hardware that scans the eye increases costs, according to Chen.
Although not yet commercially available, VitalID is an attempt to solve this user experience and security problem. It allows users to access financial platforms, medical records or business systems in immersive environments without stopping to log in.
This technology is available for licensing and/or research collaboration and Rutgers has filed a provisional patent application. The study was a collaboration with Cong Shi of the New Jersey Institute of Technology, Yan Wang of Temple University in Philadelphia and Nitesh Saxena of Texas A&M University.
The best new PopSci 2025 releases
