First Look: Startup Readies Heartbeat-Based Authentication

We can all agree: Usernames and passwords have become all too easy to compromise, and to forget.

We can't all agree on what to replace the antiquated authentication method with. Fingerprints, facial recognition, voice recognition, iris scans, and palm prints are just some of the biometric alternatives floating among financial services and technology firms.

"We have seen all the data breaches and computer hacking," says Shirley Inscoe, senior analyst with Aite Group. "The user name and password have become unreliable."

As banks try to strengthen security for digital banking without inconveniencing their customers, a young Canadian company called Bionym is creating wearable computing devices that verify people's identities by measuring a lesser-known biometric signal: an electrocardiogram (ECG), which is a recording and interpretation of the bioelectrical activity of the heart. The emerging technology, expected to pre-launch this summer, could eventually be used to unlock mobile banking and enterprise apps.

"Everyone wants to get rid of passwords," Karl Martin, Bionym's chief executive and president, tells BTN. "The identity and security space is ripe for disruption."

According to Bionym, which emerged from research conducted at the University of Toronto, every person produces a unique cardiac rhythm signal, even during heart-rate-elevating activities like exercise. Cardiac rhythm is meant to describe the shape of ECG waves. The shape, size and position of the heart within a person's body, as well as his overall body shape and size, are some of the factors that make each ECG unique. HeartID (the company's core technology) is designed to capture the signal in a way that creates a representation to distinguish one individual from the next, says Martin. More of the system's operational details will be announced in July.

What is already known is that Bionym, founded by Martin and Foteini Agrafioti, will unveil its wearable computing device in the form of a wristband called Nymi. The first iteration of the hardware will work something like this: Consumers will provide Nymi with samples of their cardiac rhythms by touching the wristband, which will communicate (using near-field communication or Bluetooth) to a nearby smartphone or tablet. The collection of the initial sample will take about two to three minutes, says Martin, while the biometric templates can be saved on a device or in the cloud. From there, he says users will touch their wristbands for a few seconds to authenticate themselves for various functions. The shortest timeframe for a match is about 1.5 seconds, and if a person is rejected, he can hold onto his wristband a little longer as the system attempts again, he says.

At launch, the company plans for consumers to use Nymi to open up cars (the wristband comes with a motion sensor) and unlock smartphones and tablets. "That's just the launching ground," says Martin. "Opportunities for the product are endless. …We make hardware to authenticate. The rest is software."

Regarding a layered security approach, Martin points out that Nymi is a three-factor authentication device: one factor is the HeartID biometric; the second is possession of the wristband; the third is possession of the smartphone or tablet that originally registered the ECG. "In the end, authentication is about trust – how much does a system trust the claimed identity," he says. "We're looking for innovative ways to build up that trust using a variety of factors."

Accuracy rates are highly dependent on the sensors and the usage scenario, according to the company. Bionym does not publish specific data. In general, Martin describes HeartID as more accurate than face recognition and "a bit less" accurate than fingerprint recognition.

Taking drugs may impact a reading. "In our comprehensive studies of the general population, we've never encountered an issue," Martin wrote to BTN in an email. "However, it is conceivable that in extreme cases there may be significant enough changes to cause the system difficulty. This actually applies to all biometrics (even fingerprints), which may be affected by various medications or physiological events."

A more pressing hurdle, according to Martin, is communicating the possibilities of the commercialized hardware to consumers. "We are working hard on our messaging so people get the potential," he says.

Another concern is whether people will be willing to wear the wristbands. He, of course, thinks yes and hints at more hardware using HeartID eventually coming. "We have a roadmap for other form factors," Martin says.

The wristband designs are hush-hush until summer, which is also when Bionym will seek out app developers. The wristband pricing is not yet public.

Analysts view Nymi as an intriguing application of biometrics and one that has potential, in part, because it's entering the market at a smart time: when wearable computing is catching on and passwords are obviously inefficient.

"Society is changing and people are becoming more aware of fraud," Aite's Inscoe says. "The whole area of biometrics is the next phase of authentication."

In her view, the possibilities for HeartID to catch on with consumers are more interesting if Bionym combines its product with medical alerts or other applications that go beyond authentication.

The technology may need to overcome consumer reluctance, including how much people are willing to pay for a wristband and whether the technology exacerbates their privacy concerns, she says.

Eve Maler, principal security and risk analyst at Forrester, remains more skeptical about biometrics technology in general because of "privacy concerns and the inability to repudiate somebody's vicious use of real-life identity."

That said, she points out that Bionym is trying to address this problem by using biometrics encryption, which is "a pretty good approach." The potential for spoofing a reader, and with it the ECG template, would require further investigation of Nymi. "If a bad guy takes a heart rhythm and replays it to a machine, then you have a problem," Maler says.

There will always be bad guys, however, and Maler points out the need to create new ways for consumers to confirm their identities. "Authentication is super hopping right now. There is a lot of innovation and experiments. Five years ago, it was a sleeper area," Maler says. "It's encouraging to see this approach being explored."
