Fingerprints, retinal scanning, voice recognition—as the financial services industry tries to strengthen security for digital banking, biometric markers like these have been gaining attention as possible replacements for the traditional login and password.

Now, a Canadian company called Bionym is developing technology that might someday make it possible for banks to recognize customers by their electrocardiograms. The startup, which emerged from research conducted at the University of Toronto, has created a wristband computer that records and interprets bioelectric activity of the heart.

Each person produces a unique cardiac rhythm signal, even during heart-rate elevating activities like exercise, which determines the shape of electrocardiogram waves. The shape, size and position of the heart, as well as overall body shape and size are some of the factors that make each ECG unique.

HeartID, Bionym's core technology, is designed to capture the signal in a way that makes it possible to distinguish one individual from the next, says Bionym's president and CEO, Karl Martin.

Consumers provide samples of their heart activity by touching a wristband called the Nymi, which uses near-field communication or Bluetooth to communicate to a nearby smartphone or tablet. The sample collection takes two to three minutes, Martin says, while the biometric templates can be saved on a device or in the cloud. After that, he says, users just touch their wristbands for a few seconds to authenticate themselves for various functions. The shortest timeframe for a match is about 1.5 seconds. If the person is rejected, he or she can hold onto the wristband a little longer as the system attempts again, Martin says.

At first, the company plans for consumers to use Nymi to open up cars (the wristband comes with a motion sensor) and to unlock smartphones and tablets. "That's just the launching ground. Opportunities for the product are endless," says Martin. "We make hardware to authenticate. The rest is software."

Nymi provides a layered security approach, as it is a three-factor authentication device. One factor is the HeartID biometric; another is physical possession of the wristband; and third is possession of the smartphone or tablet that originally registered the ECG. Accuracy rates are highly dependent on the sensors and the usage scenario, the company acknowledges. Bionym does not publish specific data, but in general Martin describes HeartID as more accurate than face recognition and "a bit less" accurate than fingerprint recognition.

Bionym is expected to seek out app developers this summer. Pricing for the wristband device was not yet public at press time.