Securing personal data in wearable devices is becoming a crucial necessity as wearable devices are being deployed ubiquitously, which inadvertently exposes them to more sophisticated adversarial attacks. Although authentication systems using a single-entropy source, such as fingerprint or iris, are being used widely, successful spoofing attacks have been made, which show such systems' vulnerability. To mitigate these issues, new biometric modalities [e.g., electrocardiogram (ECG) and photoplethysmogram (PPG)], as well as multifactor authentication/security engine designs, are being investigated. In this work, we present a new smart hardware security engine that combines three different sources of entropy, ECG, heart rate variability (HRV), and SRAM-based physical unclonable function (PUF) to perform real-time authentication and generate unique/random signatures. Such hybrid signatures vary person-to-person, device-to-device, and over time, which significantly reduces the scope of an attack and enables secure personal device authentication as well as secret random key generation. The prototype chip fabricated in 65-nm LP CMOS consumes 4.04 μW at 0.6 V for real-time authentication. Compared with ECG-only authentication, the average equal error rate of multi-source authentication is reduced by 7× down to 0.2375% for a 741-subject in-house ECG database. The generalization capability of the hardware was also tested by evaluating equal error rate (EER) values using other ECG databases available online. Also, 256-bit keys generated by optimally combining ECG, HRV, and PUF values fully pass nine NIST randomness tests.