Could Heartbeats Replace Passwords?

September 26, 2013

Passwords, the de facto authenticators, represent a serious security weakness for a number of reasons, chief among those is that humans quite simply tend to create bad passwords in order to remember them more easily. Therein lies the problem: good passwords are hard to guess but hard to remember; bad passwords are easy to remember and easy to guess as well. For years, replacing the password with something simpler and more secure has been a priority in the security industry, and despite a deluge whacky biometric indicators and other science fiction-inspired ideas, nearly everyone uses passwords to log on to their various devices and to login online.


As it turns out, the heart beating in our chests contains in its right atrium a bundle of nerve cells and synapses known as the cardiac pacemaker. The cardiac pacemaker emits electrical impulses that cause the human heart to beat. These electrical impulses and the heart rhythm they produce can be measured by an electrocardiograph, creating a reading called an electrocardiogram (ECG). These ECGs – if measured with enough precision – are uniquely identifiable. So like a fingerprint, no two human beings produce the same electrocardiogram, a promising reality for proponents biometric authentication.

A company called Bionym is the newest participant in the contest to replace passwords as it continues development on a new wearable device that will measure the ECG of its wearers. Bionym claims the device can reliably differentiate one ECG from another, even in cases where the heart is beating faster or more slowly than it normally would.

Their device is called Nymi, and it wears like a wristwatch but contains two electrodes: one making contact with a user’s wrist, and another on the opposite side. When a user touches his or her fingertip to the second electrode (the one not touching the wrist), a circuit is established and the user’s heart rhythm is monitored, producing an ECG. This ECG is then analyzed by a piece of software developed by Bionym and packaged with Nymi as an application.

“We perform signal processing to extract unique features expressed in the overall shape of the wave,” a Bionym spokesperson told our friends at Threatpost in an email interview. “We match against those features, not the raw signal.”

One of the few strengths of passwords, after all, is that you can change them whenever the need arises.

The app will then authenticate a user for any devices that the Nymi is programmed to work with. Bionym plans to launch the device sometime in 2014. They are currently in the process of collaborating with developers so that when the device does launch, it will be compatible with as many devices as possible.

Karl Martin and Foteini Agrafioti, both researchers and biometric experts from the University of Toronto, founded Bionym. They may be among the first to produce a wearable device capable of monitoring a biometric indicator for authentication purposes, but they are not the first people to come up with the idea in theory.

Bruce Tognazzini, a usability engineer and human-computer interaction expert, penned an extensive article on his personal blog earlier this year arguing that – in order to be successful – Apple’s mythed iWatch must be an authentication mechanism in addition to whatever else it is capable of. He suggested biometric measures as the best baseline authenticator.

Beyond that, it seems that not a month goes by where we don’t hear about some new and seemingly out-there biometric that could potentially replace passwords. Most notably, of course, is the Touch ID sensor on Apple’s iPhone 5S. Within a week of Apple announcing that its high-end iPhone 5S would ship with a built-in fingerprint scanner, security hobbyists and professions began pooling their funds, offering a bounty for the first hacker that could bypass Touch ID. As of right now, some four days after the contest started in earnest, Germany’s renowned Chaos Computer Club seems to have won. Whether or not the pledgers pay up is beside the point, because the CCC’s work here gets at a deeper question: are biometrics really the cure for replacing passwords?

Obviously it’s far too early to ditch the idea of biometrics altogether, but the CCC wanted to show – and believes it has shown – that fingerprint scanners, which have been known to be vulnerable for years, are not the answer.

“We hope that this finally puts to rest the illusions people have about fingerprint biometrics. It is plain stupid to use something that you can´t change and that you leave everywhere every day as a security token”, said Frank Rieger, a spokesperson for the CCC. “The public should no longer be fooled by the biometrics industry with false security claims. Biometrics is fundamentally a technology designed for oppression and control, not for securing everyday device access.”

The CCC has a pretty clear-cut view that biometrics are bad. Only time will tell if they are right about biometrics in general, we certainly haven’t seen any of these measures take off in any meaningful way for authentication yet, but the truly great point from the CCC is this: the fingerprint scanner is a bad idea because our fingerprints are largely unchangeable and we leave them everywhere we go and on everything we touch. A heartbeat-based biometric is slightly better because you don’t leave it everywhere, but it – like all biometrics – is suspect because it is static. One of the few strengths of passwords, after all, is that you can change them whenever the need arises.