From GigaOm by Signe Brewster - 'With the Nymi wristband, your heart signal is the password': What if you could unlock your car door or log into Facebook just by standing nearby? There’s a whole range of technologies that will make this possible very soon, from smart locks you can open with a phone app to ingestible biosensors.Toronto-based Bionym revealed a “Nymi” wristband Tuesday that uses the wearer’s unique heart electrical activity as an authenticator. Paired with a car lock or laptop login screen, it can ensure the wearer is who they say they are and automatically log them in. It can also be used as a payment system at a cash register and to communicate personalized information to connected devices. Continued.Below is a video that demonstrates how Nymi works:
Trish's Comment: Nymi, a product of Bionym, excites me as much as it worries me.
It's exciting because:
A person's ECG (electrocardiogram) is unique and difficult to replicate - Nymi centers on a person's electrocardiogram, a measure not just of heart rate but also the electrical activity generated by the heart. It's as unique to you as your face or your fingerprint, but much harder to skim and spoof since it is invisible and doesn't leave a trace.Non-intrusive persistent authentication - You authenticate to the wristband once, when you put it on. It will then authenticate you to all other devices and apps automatically as long as you do not remove the wristband.Two-and-a-half-factor authentication - Although Nymi's website claims it is a three-factor authentication system because 'To take control of your identity you must have your Nymi, your unique heartbeat and an Authorized Authentication Device (AAD), which would be a smartphone or device registered with our app', I see it more as 2.5, since it is something you are and two things that you have.
Hardware-based cryptography - The ECG pattern is encrypted in the wristband through a cryptographic chip. Although communication between the wristband and the different devices is done over Bluetooth, hardware-based cryptography ensures safe communication. This level of encryption, coupled with the uniqueness of the ECG, could make Nymi safe and reliable enough to enable payments and even access to homes and cars.Trusted devices and apps - Only devices and apps that you specify as 'trusted devices', and 'trusted apps' respectively, can access and interpret information from Nymi. No other Bluetooth-enabled device near-by will be able to identify the user.
Motion sensors - This authentication device can recognize programmable gestures using the six access motion sensors incorporated in the wristband. This allows the user to easily interact with hardware and software around them in different ways.
Different form factors - Although Nymi today is a wristband, according to Dr. Karl Martin, founder and CEO of Bionym, it could also be a ring, a necklace or a waistband. FIDO - It could easily work as an authentication source within an identity framework such as FIDO. FIDO could benefit from Nymi since it might be a more secure and convenient solution than the USB and fingerprint readers on which FIDO currently relies. At the same time, Nymi could benefit from FIDO's massive interoperability.
As convenient as the Nymi appears to be, I also have some reservation around the larger security and privacy questions that it invokes:
Security - It brings to mind the same type of concerns that I have about other biometric authentication mechanisms: Where is the digital profile stored (the device or the cloud)? What does it look like? Is it an exact copy of your heart rhythm or does it contain only a few key data points (as is normally the case for fingerprint profiles)? What happens if it's hacked (since you cannot create a new ECG like you can create a new password)?Privacy - Your body is the password and that has major privacy implications (this applies to all biometric solutions), even if, in Dr. Martin's words, Nymi follows the 'privacy by design principle' and '... at a low level, we've designed the system so the user has complete control over their data and their identity. Everything requires opt in. They [the users] know where their data is going, and they can always revoke that if they want'. Hyper-personalized experiences and quantifiable self movement - It could, and it is the company's intention, open the door to your home, turn on the A/C and start playing your favorite music as you are parking in the your driveway. It could also measure the number of steps you take and calories you burn each day and chart them against your previously set goals. It is incredibly convenient and helpful, and also scarily similar to Big Brother on your wrist. Changes of a person's ECG - Can a person's ECG change beyond recognition in response to exercise or over time with age?Ecosystem - In order for Nymi to be truly useful, it needs to work everywhere (or at least in many places). This means developing a very strong developers network that trusts and supports this product.The same week that I heard about Nymi, I came across UC Berkeley's project to do something similar but using EEG (electroencephalogram) patterns instead of ECG patterns. Basically, instead of typing your password, you can think your password. This is the era of what Professor John Chuang, lead of UC Berkeley's project, calls 'passthoughts'.
After an initialization process of about 40 minutes (which the researchers are trying to cut in half), the device can authenticate a person without needing them to think about something specific (like a color or a song). Since a person's brainwaves are unique and consistent over time, a person's pure thoughts are enough. This is true non-intrusive authentication!
Although this technology has not yet been integrated with any commercial system, it is cheap enough (around $200) and reliable enough that it could be in the near future. And furthermore, the same way that it can be used as a substitute for passwords, in a not-so-distance future, we can imagine how it could be used to log into computers, play video games and control robotic limbs with just our thoughts.
Whether we are talking about the revolutionary Nymi or future-looking UC Berkeley's thoughtpass, the exciting fingerprint sensor on the new iPhone or the many other biometric solutions becoming available (such as Clef, OneID or LaunchKey), the key will be to build a trusted network of devices, operating systems and apps that can interact with them. The secure key is only half the story, for it to be true successful they will need to be backed by an extensive and extendable ecosystem.