Modern life requires lots of logging into apps and websites. Even with a password manager, remembering all of that log in information can be difficult. Using a fingerprint, eye, or other biometrics can introduce privacy concerns. A new security system might solve that password problem by using vibrations—in our skulls.
The newly designed software program called VitalID uses the tiny vibrations generated by heartbeats and breathing that move through the skull. Like our fingerprints, these patterns are unique to an individual’s facial tissue and bone structure. VitalID is designed for use in extended reality settings and was presented at the 2025 ACM Conference on Computer and Communications Security.
What is XR?
Extended reality (XR) includes virtual reality, augmented reality, and mixed reality technologies that mix digital content with the physical world. XR systems including Viture, MetaQuest, and Oculus Rift are best known in the gaming world. However, this technology is expanding into finance, medicine, education, and remote work. As it increases its reach, security in XR systems has become increasingly urgent.
“Extended reality will play a major role in our future,” Yingying Chen, a study co-author and computer engineer who specializes in remote sensors at Rutgers University in New Jersey, said in a statement. “If immersive systems are going to become woven into daily life, authentication has to be secure, continuous and effortless.”
How VitalID works
VitalID uses simple biology to fix these user experience and security issues. Even when we are sitting still, our bodies are moving in subtle ways. Every breath and heartbeat creates tiny vibrations that travel through the neck and into the head. Once they reach the skull, they make our heads shake slightly. Since every skull has a different shape, thickness, and bone structure, the vibrations change in unique ways as they travel.
As a result, we all produce a distinct vibration pattern within our skulls. Motion sensors that already reside inside virtual reality headsets can detect these tiny patterns and determine who is wearing the device.
“We do not need to add any device or additional hardware,” Chen said. “It requires only software.”
In their study, Chen and the team tested 52 users over a 10-month period using two popular XR headsets. Their system correctly authenticated legitimate users over 95 percent of the time. Importantly, it rejected unauthorized users more than 98 percent of the time.
They also built a filtering system that removes interference from extra head and body movement like nodding. This helps the headset only focus on the tiny vibrations in the skull that are caused by an individual’s breathing and heartbeat. They then used computer models to analyze the skull vibration patterns.
According to Chen, these vibrations may be more difficult to mimic since they travel internally through a person’s bone and tissue. While someone might imitate another person’s breathing rhythm, they can’t replicate the biomechanical properties of another person’s skull quite so easily. The headset would constantly sense these subtle vibrations to confirm that the right person is using it.
A next-gen solution
XR headsets now store confidential documents, personal accounts, and access to web services. However, typing passwords in a virtual environment based on gestures can be awkward. Two-factor authentication often interrupts immersion and hardware that scans the eye adds cost, according to Chen.
While not commercially available yet, VitalID is an attempt at solving this user experience and security problem. It allows users to access financial platforms, medical records or enterprise systems inside immersive environments without stopping to log in.
This technology is available for licensing and/or research collaboration and Rutgers has applied for a provisional patent. The study was a collaboration with Cong Shi at the New Jersey Institute of Technology, Yan Wang at Temple University in Philadelphia, and Nitesh Saxena at Texas A&M University.
