We present a smart hardware security engine that combines three different sources of entropy, electrocardiogram (ECG), heart rate variability (HRV), and an SRAM-based physical unclonable function (PUF), to perform real-time authentication and generate unique and random signatures. Such hybrid signatures vary from person to person, from device to device, and over time, and hence can be used for personal device authentication as well as secret random key generation, significantly reducing the scope of an attack. The prototype chip, fabricated in 65 nm LP CMOS, consumes 4.04 μW at 0.6 V for real-time authentication. Compared to ECG-only authentication, the equal error rate of multi-source authentication is reduced by 18.9X down to 0.09% for an in-house ECG database. 256-bit secret keys generated by optimally combining ECG, HRV, and PUF values pass the NIST randomness tests with a 100% pass rate.