Biometrics have been used successfully to identify and authenticate individuals for some time now in several areas, such as granting access to offices, vaults, laptops, and secure locations. The application of biometrics in everyday gadgets like smartphones and tablets has not been as successful, though. The Samsung Galaxy S III came with an authentication option of using one’s face, voice, or a face-voice combination to log in. I personally locked my phone using my face, but persons with similar facial configuration were able to log in easily.
Today it is rumored that the iPhone 5S will have a fingerprint scanner at the home button. This is one of the most hyped features of the upcoming iPhone, one that would give it the wow factor of the year in the smartphone world. However, the use of fingerprints for authentication would still face usability challenges, as fingerprints, alongside face and iris, have three main shortcomings identified in Biometrics: Theory, Methods, and Applications, namely: 1. credentials can be forged, 2. the standoff range for acquisition is short, and 3. biometric credentials cannot be re-issued (e.g. as is done with forgotten passwords). The same book offers the heartbeat as the most suitable alternative to the traditional biometrics. The book further explains that the heartbeat would be measured using three sensors that rely on electrical potential, sound, and reflection/absorption of light. The three ensure “password” security because they can be collected only from a living individual: an intruder must mask his/her own body signals and simultaneously emanate the heartbeat of the target across electrical potential, sound, and light.
So Bionym has developed a device that will allow smartphones and similar gadgets to identify the owner at close range. The gadget, codenamed Nymi, functions by monitoring heartbeats using electrocardiogram (ECG) technology and promises to offer “complete security without compromising convenience.” According to the description offered by Bionym, Nymi’s convenience is rooted in the fact that “a user only needs to validate their identity once, until the Nymi is removed. The closed loop keeps the Nymi in an authenticated state, removing all need for repeated prompts (such as in fingerprint scanning or PIN requests)”. On the other hand, Nymi promises secure operation as it requires a 3-factor system for authentication: 1. To access the Nymi you must first have possession of the wristband. 2. You must possess your unique heart rhythm. 3. You must have access to the secure application on a registered smartphone. Nymi would then transmit the user’s authenticated credentials to the gadget of interest, e.g. a smartphone, via Bluetooth. As for the potential of Nymi, it is projected that it can revolutionize “banking, gaming, smartphones, social media, exercise, dining and so much more”.
Indeed, the heartbeat-based password sounds credible enough that, if it is successfully implemented, a major worry for Internet users shall forever be solved. The Internet has forced us to use so many passwords for different websites and applications for security purposes that forgetting a password has become the norm rather than the exception. We are also faced with the reality of hackers and security agents (the NSA in particular) who are continually prying into what we do online. Actually, the news of the NSA being able to decrypt phone and online communications has sent shivers across the globe, with many being worried about what the NSA knows about them. According to those familiar with the workings of ECG, Nymi is a secure authentication tool that is ready to be deployed, unlike some futuristic biometric mechanisms.
Even though Nymi promises to offer a more secure and convenient authentication protocol, it also faces a number of shortcomings. First, the software for identifying users won’t be as secure as that for identifying fingerprints. This is because Nymi will have to tolerate variations in heartbeat, as an individual’s heartbeat varies by the day and with age. Secondly, Nymi is not 100% secure against hacking. Arstechnica.com describes the potential hacking methods as 1. a hacker being able to tap a person’s heartbeat and obtain his/her bracelet, 2. the ability to capture the data sent by the bracelet to the gadget of interest, and 3. relaying the signal when it is used to access one gadget in order to gain access to another gadget nearby. Biometrics: Theory, Methods, and Applications noted the first method as quite a difficult task to accomplish.
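The tolerance trade-off described above, as an added example that is not from Bionym or the original post: heartbeat readings are modelled as constructed random feature vectors (an assumption, not real ECG data), and the accept threshold is swept to show false accepts rising as more day-to-day variation is tolerated.

```python
import math
import random

def distance(a, b):
    """Euclidean distance between two feature vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def reading(template, spread, rng):
    """One measurement: the person's template plus per-feature variation."""
    return [x + rng.gauss(0.0, spread) for x in template]

def error_rates(threshold, genuine, impostor):
    """(FRR, FAR) when a reading is accepted if its distance <= threshold."""
    frr = sum(d > threshold for d in genuine) / len(genuine)
    far = sum(d <= threshold for d in impostor) / len(impostor)
    return frr, far

def sweep(thresholds, spread=0.15, seed=1, dims=8, trials=500):
    """Constructed data: random 'heartbeat' feature vectors, not real ECG."""
    rng = random.Random(seed)
    owner = [rng.uniform(-1, 1) for _ in range(dims)]
    # Owner measured again on other days: same template, varied reading.
    genuine = [distance(owner, reading(owner, spread, rng)) for _ in range(trials)]
    # Other people presenting their own heartbeat against the owner's template.
    impostor = []
    for _ in range(trials):
        other = [rng.uniform(-1, 1) for _ in range(dims)]
        impostor.append(distance(owner, reading(other, spread, rng)))
    return [(t, *error_rates(t, genuine, impostor)) for t in thresholds]

if __name__ == "__main__":
    for t, frr, far in sweep([0.0, 0.3, 0.5, 0.7, 1.0, 1.5, 10.0]):
        print(f"tolerance={t:4.1f}  false-reject={frr:.3f}  false-accept={far:.3f}")
```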
Another challenge that has been identified is in the area of convenience. What happens when you lose the bracelet? Do you get locked out of your smartphone, car, etc.? How safe and convenient will the fallback option be before you get a new bracelet? My suggestion is that all devices that need authentication for access should come pre-installed with ECG technology for identifying users on touch. This will eliminate the need to carry a separate device for authentication purposes. Actually, a heartbeat monitor can and should be integrated with fingerprinting for double verification. If you forge my fingerprint, then your heartbeat will not allow you access. Currently, apps like Instant Heart Rate are able to register your beat using your phone’s camera.
Nymi is currently available on pre-order and is said to go mainstream commercial next year for about $99 (Kshs. 8500). What are your thoughts; is Nymi better than fingerprinting? Should future smart devices consider integrating Nymi’s functionality into the core hardware and OS of the devices?
Here are two interesting comments regarding Nymi:
Jedakiah: This seems pointless. If you have to carry around a special device as your password, it does not need to monitor your heart to contain a random ID. It could simply generate a few thousand random bits and use that instead. Even better, it could generate a unique ID for each service and store those within an internal database, making it so that man in the middlesque attacks can only compromise one service at a time. Best of all, you can regenerate stolen passwords. You would probably be able to do all that using less battery power than an ECG reader, it would log you in quicker, and I would imagine be even cheaper to build. – This is the sort of software that I imagine will reign supreme in the wearable computing world.
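An added sketch of the scheme Jedakiah describes, not code from the comment, from Bionym, or from the original post: a token holding only random bits derives a separate, re-issuable key per service, and answers a fresh challenge so that data captured in transit (the second attack in the list above) cannot be replayed. `Token`, `Service`, and the service names are hypothetical.

```python
import hashlib
import hmac
import secrets

class Token:
    """Hypothetical wearable token: one random master secret, no biometric."""
    def __init__(self):
        self._master = secrets.token_bytes(32)   # 256 random bits
        self._generation = {}                    # service name -> rotation counter

    def service_key(self, service):
        """Derive an independent key per service from the master secret."""
        info = f"{service}|{self._generation.get(service, 0)}".encode()
        return hmac.new(self._master, info, hashlib.sha256).digest()

    def rotate(self, service):
        """Re-issue the credential for one service after a suspected theft."""
        self._generation[service] = self._generation.get(service, 0) + 1
        return self.service_key(service)

    def respond(self, service, challenge):
        """Answer a service's challenge without ever sending the key itself."""
        return hmac.new(self.service_key(service), challenge, hashlib.sha256).digest()

class Service:
    """Hypothetical verifier that enrolled the token's per-service key."""
    def __init__(self, name, key):
        self.name, self._key, self._pending = name, key, set()

    def enroll(self, key):
        self._key = key

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def verify(self, nonce, response):
        if nonce not in self._pending:       # unknown or already-used challenge
            return False
        self._pending.discard(nonce)         # each challenge is single-use
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

if __name__ == "__main__":
    token = Token()
    bank = Service("bank.example", token.service_key("bank.example"))
    nonce = bank.challenge()
    print("fresh response accepted:", bank.verify(nonce, token.respond("bank.example", nonce)))
```

A fresh challenge stops replay of captured data, but it does not stop a live relay of the exchange (the third attack in the list), which needs a proximity or distance check.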
mtngoat: All sorts of opportunity for privacy loss since this is not a voluntary act. Sleeping at night, your roommate puts a couple leads on you and has access to all your ***. Hold onto the pole on the train and don’t notice the wire recording your electrical impulses. If poles can be hacked, then think of the risk for strippers. Doesn’t anybody think of the strippers!