Nymi Wristband Uses Your Heartbeat As Your Password
Imagine if your phone, computer, car and home could recognize you and unlock when you're nearby.
How would they know it was you and not someone else? They would recognize your heartbeat.
That's the premise behind the Nymi, an upcoming security device from Toronto-based Bionym Inc.
The Nymi is a wristband that reads a wearer's electrocardiogram, or EKG, a measurement of the heart's electrical activity. The wristband then transmits an ID based on the EKG to the wearer's devices.
IF you've been lucky enough to never see an EKG reading in real life, you've probably seen one in a movie or TV show, usually as a heartbeat wave on a hospital monitor while a character lies injured or dying.
EKGs are based on a number of factors, including temporary measurements such as heart rate and stress, but they also include permanent factors, such as a heart's size, position in the chest and electrical signals. All of these characteristics contribute to the EKG wave's unique shape.
The first time you put on the Nymi wristband, it performs an enrollment process. The Nymi takes a reading of its wearer's EKG, and then puts the results through an algorithm designed to strip away temporary data and quantify the unique, persistent data.
The Nymi then turns the persistent data into a theoretically unique string of numbers, called a HeartID, which the wristband transmits via a Bluetooth 4.0 Low Energy radio signal.
Each time a user puts the Nymi back on, the wristband performs a check to match the EKG with what it has on file. After that, the Nymi merely monitors whether it is still in contact with the original wearer — it doesn't provide any data about the wearer's heart or other medical functions.
If the Nymi is removed, it will cease its Bluetooth transmissions and won't resume until it verifies that the correct user is wearing it.
Devices running Nymi-associated apps can read the device's signal and react appropriately. For example, a smartphone with a Nymi app could unlock its screen when in range of the wristband's Bluetooth signal. Cars, homes and other electronic devices with the app could also be configured to unlock when in range of the Nymi device.
The Nymi is scheduled to hit shelves in June 2014. By early December 2013, more than 6,000 people had applied for Nymi's software development kit (SDK).
Karl Martin, CEO of Bionym Inc., imagines further uses for the Nymi. A "smart" home could adjust heat and lights as a Nymi-wearing person moves from room to room, and even configure presets for individuals. Retail stores could create custom shopping experiences for Nymi-wearing consumers.
Security based on a biometric — a measurement of a unique aspect of a person's body — isn't new, but it has been used more frequently in recent years. For example, the iPhone 5s features a fingerprint reader that lets users unlock phones without needing to enter a password. Similarly, many Android phones have a Face Unlock feature. (Neither feature is foolproof, and both require passwords as backups.)
One drawback of using biometric measurements for security purposes is that these biological traits can't be changed — if a password is compromised, you can create a new one, but you can't change your fingerprints if someone gets access to them.
Trustworthy security is critical to a device like the Nymi, and not just because it unlocks doors and opens password-protected devices. A person's EKG is as distinctive as a fingerprint, and more medically sensitive.
The Nymi wristband uses hardware encryption (far more secure and energy-efficient than software encryption) to store its owner's HeartID. When the wristband broadcasts its Bluetooth signal, it encrypts that message using cutting-edge elliptic-curve public-key cryptography.
These layers of protection serve to keep the HeartID and any other personal data secure. Even if someone were able to capture the Nymi's Bluetooth signal, he or she would not be able to decrypt it and get to the information stored within.
The Nymi wristband also includes a unique digital "signature" in its Bluetooth signals. Any application that unlocks using a HeartID will also need to verify the signature.
"[HeartID] transmissions have to go through the sensor [on the Nymi wristband]," Martin said. "There is no way to brute-force it."
A "brute-force attack" cracks a password by methodically trying every possible combination of characters.
No security is perfect, of course. For example, if someone were to steal a Nymi wearer's phone, the thief could unlock the phone by bringing it close to the person's body.
"There's always a situation where you might be forced to do something," Martin said. "It's the age-old problem that the best way to crack a password is with a baseball bat. We don't necessarily solve that [with the Nymi]."
When the Nymi is launched, Bionym won't be able to see its users' HeartIDs, further protecting their security, Martin said. The company will have only customer names and payment information on file, as well as the product ID of each Nymi wristband.
"We're looking, in the future, to have a cloud service to enable new applications," Martin said, "but none of [customers'] data would be shuttled off into the cloud without [them] knowing. That's a basic principle of this company."