Passwords could be passé if this Toronto-based startup has its way. Bionym, which was founded in 2011 and closed a $1.4 million (CAD) seed round last month, has devised a biometric recognition system in the form of a wearable wristband — called Nymi, just launched as a pre-order for $79 for early 2014 shipping.
The wristband relies on authenticating identity by matching the overall shape of the user’s heartwave (captured via an electrocardiogram sensor). Unlike other biotech authentication methods — like fingerprint scanning and iris-/facial-recognition tech — the system doesn’t require the user to authenticate every time they want to unlock something. Because it’s a wearable device, the system sustains authentication so long as the wearer keeps the wristband on.
To authenticate via Nymi, the user puts the wristband on and touches a topside sensor with one hand to complete an electrical loop with the bottom-side sensor touching their wrist. That generates the ECG data used to authenticate their identity, and the wristband transmits the ECG (via Bluetooth) to the corresponding registered app, on a smartphone or other device in proximity to the user, to verify the wearer is who they say they are.
Bionym says Nymi is a three-factor security system, being as multiple pieces have to be in place for authentication to be achieved. However the system skips some ongoing hassle of multi-factor systems by maintaining an authenticated state and only requiring the user to offer up their biometric data once per day (or however often they remove the wristband).
As well as an ECG sensor and Bluetooth low energy for transmitting data, the wristband contains a gyroscope and accelerometer so it can support gesture unlocking scenarios, too (it has 6-axis motion sensing) — so you could use a particular wrist twist to unlock a car door, for instance. That sort of scenario will depend mostly on third party developers getting involved and building out an app ecosystem around the device. Bionym is releasing an API that will be open source so it’s hoping to attract broad interest.
Proximity is another parameter developers could build into unlocking scenarios — a payments application would make sense to require the wristband to be in close proximity to a reader to confirm a transaction, for instance, whereas a smart TV might want to configure a profile to a particular user when they walk into the room.
The wristband device itself could also be used for health/activity tracking, says CEO and co-founder Karl Martin. “We will support basic gestures ourselves, and we will also give access to the motion information for other uses. For example, people might want to use it for activity tracking, in addition to the gestures,” he tells TechCrunch.
The Nymi device will include a battery to power the data capture and transfers — which Martin said will support about a week’s use between charges. The corresponding Nymi app will let users create custom notifications if they so desire, so they could configure the app to alert them to new emails or messages when they authenticate the device in the morning. The app will be available on iOS, Android, Windows and Mac OSX initially. An open-source SDK will allow for developers to port support to other platforms.
Bionym, which was originally spun out of the University of Toronto (where Martin got his Ph.D.), claims it doesn’t have any “real direct competitors” for the specific functionality it’s offering.
“We don’t view this as just a product to unlock your devices, smartphones, etc. Those are security applications. We’re looking beyond that to smart environments. How do we enable hyper-personalised experience? These are all applications of identity. Security is one application but not the only one, and as far as I know nobody else is doing that,” says Martin.
There’s no doubt plenty of others are eyeing up the password-alternative space, though. Google is one and is part of the FIDO Alliance that’s seeking to come up with a new framework for digital authentication. Anyone who can crack the ‘passwords are broken’ problem with a robust, low-friction alternative is clearly in for a very lucrative ride.
Add to that, there’s potential for capturing extremely granular user data if users are required to wear a sensor at all times when accessing their gadgets and services. However Martin stresses that Nymi is building in privacy “by design,” as well as security — with a hardware-secure element where the user’s ECG data is cryptographically stored and which — crucially — other applications will require user permission to access.
“We have a cryptographic chip on the wristband,” he notes. “We’re not just depending on software, we have hardware-based cryptography there. It … allows that communication to be encrypted. It doesn’t just depend on just the Bluetooth standard which has some weaknesses.
“When it’s transmitting your identity… to your devices around you you don’t want anybody to know that it’s you unless you opt in, you don’t want to be tracked, you don’t want somebody, say, a Bluetooth scanner to know when you’re around so we encrypt that information so that it becomes opt in. Nobody can know that it’s you without your permission.”
Using hardware-based cryptography also allows the Nymi to bolster its defences against identity spoofing attacks. “If your identity is essentially a long binary string, can’t somebody just copy that and retransmit it? And the answer to that is we digitally sign all the data coming off the wristband so that it’s impossible for anybody to spoof that data and essentially steal your identity,” he adds.
So what will Nymi offer its early adopters? At launch, in the beginning of 2014, it will support built in device unlocking capabilities, and be supported by a range of third party apps, says Martin.
“We’re going to be working very closely with developers this fall,” he says. “We already have lots of developers signed up for that. So we’re going to be ourselves offering basic capabilities ourselves for unlocking personal devices and computers. And then at the same time we are engaged with several companies that make consumer electronic products… that’s going on behind the scenes. And then there are third party developers — and we’re going to be all about nurturing that to happen so that by the time we launch there will definitely be some high quality third party applications.”
Looking ahead, the grand vision is surely for a password-less future, based on authentication via wearable biometrics. That’s a ways off, right now though, as Martin concedes. “The goal is not to simply manage passwords, the goal is to replace passwords,” he says. “That being said it obviously takes time for these things to be adopted in a ubiquitous way so we are looking at some intermediate solutions to integrate with password managers, things like that.
“Part of our launch right now is to see what are the kinds of integrations people want the most… We want to get people’s ideas for what the vision for this kind of a product is so we can focus on that.”