Saturday, December 6, 2014

Wearables for Biometric Identification and Authentication

Biometric identifiers, in one form or another, have always been part of the security industry and have been a hot area for researchers for a long time. Most biometric access control solutions use a fingerprint or an iris scan (or, more recently, a face scan) to identify an individual. Now Bionym, a Toronto-based start-up, has arrived with a unique approach to identification and authentication in a newly launched product called the Nymi. Bionym would like to claim it as the 'world’s first bio-metrically authenticated wearable payment solution'. The major differentiator is that, unlike other biometric devices which make the user submit to a physical read of their finger, eye or face, the Nymi is a wearable authentication device that uses a person’s heartbeat to verify their identity.


The idea of using someone’s heartbeat as a way to uniquely identify them is not new. Researchers at the University of Toronto, including Bionym co-founder and CTO Foteini Agrafioti (who developed the Nymi), recently made a breakthrough by "finding an automated way of extracting features that relate to the shape of a heart wave that are unique to each person".

According to Karl Martin, co-founder and CEO of Bionym, "Over the past 10 years, research groups around the world have been working to develop automated robot systems that could use electrocardiograms (ECGs) as a biometric. They used methods that involved finding very specific points on the wave and looking at relative measures between those points. It’s very unreliable," said Martin. "The method at the University of Toronto looked at the overall shape and was not as sensitive to things like noise, which you see in real life. By looking at the overall shape and unique algorithms to extract those features, it was found that you could have a relatively reliable way to recognize people using a real world ECG signal."

The Nymi uses an embedded electrocardiogram (ECG) sensor to recognize the unique cardiac rhythm of its user. The sensor matches the wearer’s ECG against a stored profile in order to authenticate the wearer’s identity. If the heartbeats match, you’re good to go. An NFC chip inside the wristband makes it possible to communicate wirelessly with payment terminals, while the ECG sensor makes it possible to authenticate the user.


MasterCard recently revealed that it is launching a test of a biometric wristband that authenticates an individual's identity for payment card transactions by monitoring their heartbeat. Bionym has further confirmed the pilot with MasterCard and RBC along with other participating banks. The pilot roll-out will be geographically restricted to Canada. Why Canada? It seems only about 10% of transactions there are cash based!

Adoption by the payment industry and banks, where fool-proof identification and authentication is critical, is a path-breaker. Other industries are likely to open up and embrace the technology very soon.

Although other promising biometric technologies and companies have made grand entrances into the security industry only to fade away within a brief time, fingerprint-based authentication has remained for a very long time: more than 100 years. With recent innovations like Apple's Touch ID, the fingerprint reigns supreme as the premier way to authenticate on digital devices. The fingerprint has proven to be a very reliable authentication method, so it’s a no-brainer why companies such as Apple have embraced fingerprint authentication to secure their digital devices.

So how is Heartbeat going to compete with the 'reigning star' Fingerprint, and who will be the ultimate winner? We will have to wait for a definite answer. However, I have a gut feeling that it will be Heart that ultimately wins over Finger.

The security versus convenience dilemma has been one of the biggest challenges facing information security for a long time. Any technology that can strike the right balance between the two could be an instant winner. In Nymi's November 2013 white paper, they claim to have achieved exactly that: "The security feature derives from the fact that a user’s ECG cannot be lifted or captured without a person’s consent. Contrast that to fingerprints, which leave behind “latent samples” (i.e. smudges) that can be replicated or forged. The ECG sensor is internal, meaning that it’s much harder to capture a user’s identity."

In terms of convenience, when users first strap on the device they use the Nymi Companion App (NCA) to establish their identity on first use (enrollment), and again for authentication on subsequent uses. Once a wearer is authenticated, they remain authenticated as long as the device is worn by the same person. The wearer can then identify themselves to Nymi Enabled Applications (NEAs) without the need for other credentials such as passwords. Moreover, the ECG sensor collects the signal continuously until it finds a match, which solves the problem of having to place your finger on a reader again when it does not read correctly the first time around. Just think of the numerous times each day we’re asked to authenticate things around us with passwords. And now that mobile payments are becoming mainstream, think of how many times we will be asked to authenticate these transactions each day. In fact, according to a recent JWT report on the future of payments, there will be 471 million biometric smartphone users globally by 2017. That’s a huge potential market.

Because the Nymi is wearable, Martin said that identity can be communicated wirelessly in a simpler and more convenient way than what’s previously been available. "The person only has to do something when they put the device on, so they put it on, they become authenticated and then they can essentially forget about it," he added. "We’ve had a somewhat consumer focus because we are very focused on a convenient user experience, but we found that we actually were able to achieve almost that Holy Grail, which is convenience plus security." Martin believes that the company’s technology will be applicable to both physical and logical access control. In addition to authenticated identity and proximity, Martin said that the company is also delivering motion capabilities in this new solution. "There is an embedded motion sensor which will allow for simple gesture recognition and that’s a way for a user to indicate their intent," said Martin. "Do I want to unlock physical doors or not when I’m there? Do I want to unlock the front door of a car versus the trunk of a car?"

If the device can authenticate against a remotely stored, central database of profiles, we have a winner. That's why even Apple is considering heartbeat authentication for the Apple Watch, which may not be affordable for everyone. Hopefully it will soon be available on popular and affordable wearables like the Motorola Moto 360, the one I currently own.


The million-dollar question for any new authentication device, however, is what keeps it from being hacked. Nymi has yet to undergo any type of formal information security audit, Ars Technica reported. One potential vulnerability is that authentication information relayed by the device might be intercepted, potentially allowing an attacker who has eavesdropped on the exchange to "replay" the transmitted authentication token at a later date. But Martin told Ars Technica that the device uses elliptic curve cryptography to prevent eavesdropping. In addition, he said, systems interacting with the device -- such as your car -- could be designed to send one-time challenges that the device would have to successfully decrypt and respond to, further crippling would-be eavesdroppers.
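The one-time challenge Martin describes, modelled as an added example that is not Bionym's code: the relying system issues a random nonce, the band signs it with an ECDSA P-256 key (assumed here to have been created at enrollment, with the ECG check already passed), and the terminal accepts a signature only over the nonce it is currently waiting for, so a captured response is useless in a later session. It uses a signature rather than the decryption Martin mentions; the names Terminal, Challenge, Verify and ReplayDemo are mine.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Terminal is the relying system (door, car, payment terminal).
type Terminal struct {
	pub     *ecdsa.PublicKey // band's public key, registered at enrollment
	pending []byte           // the single outstanding challenge, nil if none
}

// Challenge issues a fresh 256-bit random nonce, valid for exactly one attempt.
func (t *Terminal) Challenge() []byte {
	t.pending = make([]byte, 32)
	if _, err := rand.Read(t.pending); err != nil {
		panic(err) // without entropy there is no safe challenge: refuse to proceed
	}
	return t.pending
}

// Verify accepts a signature only over the outstanding nonce and retires it, so a captured pair is useless later.
func (t *Terminal) Verify(nonce, sig []byte) bool {
	if t.pending == nil || string(nonce) != string(t.pending) {
		return false
	}
	t.pending = nil
	h := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(t.pub, h[:], sig)
}

// ReplayDemo authenticates a newly enrolled band once, then replays the captured response; returns (genuineOK, replayOK).
func ReplayDemo() (genuine, replay bool) {
	band, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // created at enrollment
	if err != nil {
		return // no key pair, so nothing can be accepted
	}
	term := &Terminal{pub: &band.PublicKey}
	n1 := term.Challenge()
	// Band side: sign the nonce. A real band signs only after its ECG match succeeds.
	h := sha256.Sum256(n1)
	sig, err := ecdsa.SignASN1(rand.Reader, band, h[:])
	genuine = err == nil && term.Verify(n1, sig) // fresh nonce, valid signature: accepted
	term.Challenge()                             // a later session issues a new nonce ...
	replay = term.Verify(n1, sig)                // ... so the eavesdropped copy is rejected
	return
}
```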

In another potential risk scenario, an attacker might boost the signal being sent to the device, extending its range to make the wearer appear to be near any system the attacker wanted to unlock. However, the proximity detection capabilities built into the Nymi might mitigate this vulnerability.

Finally, an important factor in any successful hardware technology is the availability of apps. For this, Nymi has to capture the imagination of developers. Bionym has released a software development kit (SDK) and API and launched a Developer's Portal; North American developers can even order a Nymi band discovery kit. Developers from other countries have to wait a few months.

So, whom are you betting with, Fingerprint or Heartbeat?

