Picking Up 'Skull Vibrations'? Could Be XR Headset Authentication
"Skull vibration harmonics generated by vital signs" can be used to sign in to VR, AR, and MR headsets, according to emerging research.
Alexander Culafi, Senior News Writer, Dark Reading
April 3, 2026
The next frontier for biometric authentication may be upon us, and it involves the vibrations of one's skull.
Last week, a research team led by Rutgers University introduced new biometric authentication software compatible with extended reality (XR) headsets, the umbrella term for virtual reality, augmented reality, and mixed reality hardware. The idea is to bring digital identity protection to immersive technology, and it does this by tracking the "skull vibration harmonics generated by vital signs," according to a research summary.
While immersive technology isn't quite seen as the future in a consumer sense (Meta continues its slow retreat from the metaverse, if not consumer VR altogether), the enterprise space continues to take at least some advantage of XR. Engineers use XR for spatial mapping and other complex 3D work, and aerospace firms use it for 3D training environments.
As such, while some may think of XR as a niche technology, authentication mechanisms like this may yet have a place in the big organizations that do use it and need to protect sensitive proprietary data or intellectual property.
The bigger question here is what it means for the broader identity and authentication picture. Security firms have been pitching a move away from passwords and toward passkeys, multifactor authentication, biometric technology, and FIDO security keys. The threat of phishing remains ever-present, but some organizations are also concerned with what the post-quantum future may bring in a few years if advanced computation becomes available to a wide range of people.
The Key is Vibration in Your Skull
The new technology is named "VitalID," and acts as an authentication system that requires no user effort and relies on the XR headset's built-in motion sensors. In other words, it's all software.
VitalID uses the "low frequency mechanical vibrations" generated in the skull by one's breathing and heartbeat.
"These harmonics carry distinctive biometric signatures unique to each wearer's head and facial structure. The system uses the XR headset's built-in motion sensors to capture these signals and extracts robust biometric features from ratios among harmonic frequencies," the research summary read. "An adaptive filtering method reduces motion distortion, while attention-based deep learning models ensure highly accurate and continuous user authentication across XR sessions without requiring user effort or additional hardware."
A patent application has been filed for VitalID, and the technology is being offered for licensing; it's also being pitched as an authentication tool for this very specific headset use case. It can, for example, be used at the SDK or OS level.
Predicting the Future of Biometrics
Despite targeting a very specific need, VitalID is reminiscent of some similarly out-of-the-box passwordless solutions of yesteryear. A decade ago, SkullConduct aimed to solve user identification in eyewear computers through the conduction in one's skull. Meanwhile, the Nymi Band, which is sold as a wristband authenticator for IT and OT environments, includes capabilities to use electrocardiogram (ECG) data as an authenticator.
That's all to say that VitalID doesn't seem to be targeting the future of all authentication or even to be a step forward beyond what came before. It's mostly relevant for headsets, which don't have many standardized authentication tools beyond single sign-on (SSO), MFA, and in some cases, biometric eye tracking. For the time being, it's best to stick to FIDO-based authentication methods, SSO, passkeys, and other tried and tested best practices.
Ralph Rodriguez, president and chief product officer of identity security firm Daon, tells Dark Reading that his company takes modalities like VitalID "very seriously" because rather than simply offering another biometric option with no real advantages, the research proposes "a passive, inbuilt, continuous-authentication signal that uses motion sensors already present on commodity XR headsets, rather than requiring extra hardware or explicit user action."
He says the right way to think about VitalID is as a continuity and reauthentication signal inside an XR session rather than a wholesale replacement for everything else wrapped up in identity, such as proofing, account recovery options, or phishing-resistant cryptography. It works as part of a broader authentication system, though he emphasized that technology like this may be particularly valuable in the immersive space.
"I think some version of this unique category becomes increasingly necessary over time, especially in environments like XR where authentication cannot remain a one-time front-door event," Rodriguez says. "As XR headsets become gateways to enterprise apps, collaboration tools, financial services, and health data, the problem shifts from 'who logged in at the start?' to 'is the same trusted person still present now?' Rutgers explicitly frames the problem this way, and that framing is correct."
About the Author
Alexander Culafi
Senior News Writer, Dark Reading
Alex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere. In his spare time, Alex hosts the weekly Nintendo podcast Talk Nintendo Podcast and works on personal writing projects, including two previously self-published science fiction novels.