Fingerprint readers. Face Unlock. Retinal scanners. They're all no better than your average password, at least the way Dr. Karl Martin sees it. "Your face, your iris — they're all physical features that can be stolen, that you leave everywhere."
Luckily, Dr. Martin has a better idea. He's planning to use it to open everything from our phones to our front doors, and even move the car seat exactly how we want it. All we have to do is wear a bracelet.
Martin's startup, Bionym, is going public with its first device, the Nymi, after research and development that goes back more than 10 years. It centers on a person's electrocardiogram, a measure not of your heart rate but of the electrical activity generated by your heart. A person's ECG is dependent on the size, position, and physiology of their heart, and it's completely unique to every person. It's as unique to you as your fingerprint, and unlike your fingerprint you're not leaving your ECG on glasses or windows or cell phones everywhere you go. That ECG is what Bionym uses to identify you as you.
The Nymi itself is a bracelet, virtually indistinguishable from the Fitbit Flex or the Jawbone Up. When you put it on, you tap it with your opposite hand to create a full circuit and give the Nymi the measurement it needs. From then on, it's constantly authenticating — that you're the person wearing the device, that you're wearing the right device, and that you're connecting it to the right smartphone or tablet. The Nymi is always making sure you are who you say you are, and telling everything around you whether that's true. (Its ability to tell other devices who you are could also enable remarkably personalized advertising, a slightly more worrisome use of the technology.)
Nymi knows who you are, and where you are
It's also full of sensors that tell certain devices how far away you are; someone else can't open your phone from across the room. But you can unlock your phone without a password, because it'll know you're holding it. The Nymi's authentication is so good and so trustworthy that Martin hopes it will be used for payments, passwords, even your car and house doors. Imagine sitting down at your computer and never needing a password, but knowing that when you walk away your logins go with you.
Martin says the Nymi doesn't even have to be a bracelet. "It could be a ring, a necklace, a waistband, anything. The wristband is just the first idea. We'll see what people want to do." All a Bionym device needs, he says, is a mechanism like a clasp to make it clear it's been taken off. That's just one of many security safeguards that come with the Nymi: it won't work if it's not paired with the right device, or if you're not wearing the right bracelet. It also offers "liveness detection," which means your captors can't just rip your heart out and hack your computer with it. "The unique thing about the ECG," Martin says, "is that it's being produced inside your body."
The Nymi's most obvious role is in obviating your passwords, which Martin says is a problem long begging for a solution. "For me, passwords are the worst thing ever... before the Nymi I'm using a password manager. But then on my mobile device, it doesn't work — I have to copy the password, and switch. It's terrible." The Google- and PayPal-backed FIDO Alliance has made some headway solving the problem, but many of its current solutions still rely on USB sticks and fingerprint readers. The Nymi promises to be both more secure and more elegant, and would be a welcome addition for FIDO; FIDO would also provide Bionym with massive interoperability, and is one of the partners Martin talked eagerly about.
Identity is about much more than just passwords and credit card numbers
But Martin has bigger plans. "We're really interested in how to create hyper-personalized experiences," he tells me, which includes everything from setting the ambient temperature when you walk into a room to remembering your particular settings on the washing machine. Couple that with the rudimentary gesture recognition in the bracelet, and Martin doesn't sound so crazy when he says we'll be able to unlock our car, open its trunk, and start playing our favorite radio station with just one flick of our wrist.
For now, Martin and Bionym are courting developers large and small to build apps and devices that use its method of authentication. "If you think of any of the top mobile manufacturers," he tells me, "we are most likely engaged with them. They saw this was a huge additive value to what they do." The Nymi is scheduled to come out sometime next year, and will cost $99. It's not the first product to read a person's ECG — ECG reading is used on a few devices in the medical community — but it's the first that promises to do it well and for everyday people.
It can only replace passwords if it works everywhere you need it
Bionym's challenge is gaining enough trust and support for its product; unless it's ubiquitous, it's doomed. Martin doesn't sound worried — he sounds impatient. "I've got keys in my pocket, and they're scratching whatever else is in my pocket. I want to go home and my door is unlocked and that's it." Even if it's not his product that does it, Martin believes he's on the front lines solving a huge problem both for oft-hacked companies like Google and for everyday people.
"Do you think 100 years from now we're going to be doing this? We're going to have to remember all our passwords, carry our stupid keys around? I hope not."