How your heartbeat could kill the password

At MIT's recent EmTech conference, Bionym’s Andrew D'Souza explained the company’s novel approach to replacing passwords that earned it a $14 million investment.


Security experts like to say there are only two kinds of companies: those that have had large-scale password security breaches and those that just haven't yet. At MIT's recent EmTech conference, Bionym showed its wearable authentication device, which uses the wearer's electrocardiogram (ECG) and promises to provide strong security without the complexity of regularly changing and remembering passwords.

The Bionym Nymi is a smartband that looks a lot like it’s been designed for health and fitness. As with fitness bands, the Nymi wearer can touch the band with his or her opposing hand and complete a circuit for an accurate ECG reading. Using Bluetooth, the ECG is uploaded to a computer, processed with Bionym’s algorithm, and a key is returned and stored in a tamper-resistant secure element of the Nymi band. The initial setup takes one or two minutes. This key gives the wearer a unique and persistent identity that can be used via a Bluetooth Low Energy (BLE) link to authenticate with and control other devices, access computers, unlock and start cars, or make payments.


The Nymi also incorporates a proximity sensor that determines the effective distance of the Nymi. For example, a secure Nymi payment transaction should take place at very close proximity, measured in centimeters, like Near Field Communications (NFC) transactions. Users never have to manually log in and out of a computer: they are automatically authenticated and logged in when they are within three feet of the device, and they’re logged out when they move more than three feet away. For an interaction with a smart thermostat that recognizes the presence of the wearer and raises or lowers the temperature, the distance might be measured in meters.

An accelerometer and gyroscope are built into the Nymi for motion detection, which the Nymi uses to create unique gestures to execute specific functions when authenticated with a device.

After wearers remove the device, they must reestablish their identities with another ECG reading, which takes less time than the initial setup. This is a very simple and elegant method of establishing identity because ECG is as unique as a fingerprint. Another individual with a different ECG pattern can’t authenticate and steal the wearer’s identity with the Nymi.

Given all the smartphones, computers, and Internet of Things (IoT) devices that support BLE, it’s easy to imagine many applications, ranging from the very high stakes of financial transactions to hospitality applications that personalize the Nymi wearer’s experience.

None of the creative uses of Nymi’s novel authentication or applications work out of the box. Each application must be built using Bionym's Software Development Kit (SDK). The SDK is currently available for Android, iOS, OS X, and Windows.

Bionym just raised a $14 million Series A round from Ignition Partners, Relay Ventures, MasterCard and Salesforce Venture to take the Nymi to market. The pent-up frustration with the logistics of passwords and with password breaches should get the attention of enterprises and software developers.

Priced at $99, the Nymi is very inexpensive compared to the costs of managing a strong password scheme. Looking beyond security, personalizing a Nymi wearer’s environment is very promising, and becomes even more promising at lower prices.
