Continuous authentication is of great importance for maintaining the security level of a system throughout the login session. The goal of this work is to investigate a trustworthy, continuous, and non-contact user authentication approach based on a heart-related biometric that works in a daily-life environment. To this end, we present a novel continuous authentication system, namely Cardiac Scan, based on geometric and non-volitional features of the cardiac motion. Cardiac motion is an automatic heart deformation caused by self-excitement of the cardiac muscle, which is unique to each user and is difficult (if not impossible) to counterfeit. Cardiac Scan features intrinsic liveness detection, unobtrusiveness, cost-effectiveness, and high usability. We prototype a remote, high-resolution cardiac motion sensing system based on a smart DC-coupled continuous-wave radar. Fiducial-based invariant identity descriptors of cardiac motion are extracted after radar signal demodulation. We conduct a pilot study with 78 subjects to evaluate Cardiac Scan in terms of accuracy, authentication time, permanence, usability in complex conditions, and vulnerability. With four cardiac cycles for recognition, Cardiac Scan achieves 98.61% balanced accuracy (BAC) and 4.42% equal error rate (EER). All these studies demonstrate that Cardiac Scan is a robust and usable continuous authentication system.