Watch-Like Heartbeat Monitor Seeks to Replace Passwords

Researchers have developed a wearable device that measures electrocardiogram readings, which are unique to every person, and which the researchers hope could be used as an alternative to passwords for authentication.

The heart beating in our chests contains in its right atrium a bundle of nerve cells and synapses known as the cardiac pacemaker. The cardiac pacemaker emits electrical impulses that cause the human heart to beat. These electrical impulses and the heart rhythm they produce can be measured by an electrocardiograph, creating a reading called an electrocardiogram (ECG). These ECGs – if measured with enough precision – are uniquely identifiable. So, like a fingerprint, no two human beings produce the same electrocardiogram, a promising reality for makers and proponents of biometric authentication.

Passwords, the de facto authenticators, represent a serious security weakness for a number of reasons, chief among them that humans quite simply tend to create bad passwords in order to remember them more easily. Therein lies the problem: good passwords are hard to guess and hard to remember; bad passwords are easy to remember but easy to guess as well. For years, replacing the password with something simpler and more secure has been a priority in the security industry, and despite a deluge of whacky biometric indicators and other science fiction-inspired ideas, nearly everyone uses passwords to log on to their various devices and to log in online.

A company called Bionym is the newest participant in the contest to replace passwords as it continues development on a new wearable device that will measure the ECG of its wearers. Bionym claims the device can reliably differentiate one ECG from another, even in cases where the heart is beating faster or more slowly than it normally would.

Their device is called Nymi, and it wears like a wristwatch but contains two electrodes: one making contact with a user’s wrist, and the other on the opposite side. When a user touches his or her fingertip to the second electrode (the one not touching the wrist), a circuit is established and the user’s heart rhythm is monitored, producing an ECG. This ECG is then analyzed by a piece of software developed by Bionym and packaged with Nymi as an application.

“We perform signal processing to extract unique features expressed in the overall shape of the wave,” a Bionym spokesperson told Threatpost in an email interview. “We match against those features, not the raw signal.”
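The matching step the spokesperson describes, as an added illustration that is not Bionym's code and not from the article: one synthetic heartbeat is built as a sum of Gaussian bumps for the P, Q, R, S and T waves (all parameter values are constructed, not measured from anyone), the five fiducial points are located, and the comparison is done on a feature vector (wave positions as a fraction of the beat, amplitudes relative to the R peak) rather than on the raw samples. Normalizing time by beat length and amplitude by the R peak is what lets a faster beat or weaker electrode contact still match; the synthetic beat scales proportionally with the R-to-R interval, which is a simplification of real ECG timing. The block also shows the failure mode raised in the reader comment below: when the enrolled person's T wave drifts over time, the distance exceeds the threshold and the same person is rejected. The threshold and the window sizes are assumed tuning values.

```python
import math
import random

# Fiducial waves of one heartbeat. Each entry: (position as a fraction of the
# R-to-R interval, amplitude relative to the R peak, width as a fraction).
# These values are constructed for illustration, not measured from any person.
PERSON_A = {
    "P": (0.20, 0.15, 0.030),
    "Q": (0.37, -0.10, 0.010),
    "R": (0.40, 1.00, 0.010),
    "S": (0.43, -0.20, 0.010),
    "T": (0.65, 0.30, 0.050),
}
PERSON_B = {
    "P": (0.17, 0.10, 0.030),
    "Q": (0.36, -0.05, 0.010),
    "R": (0.40, 1.00, 0.010),
    "S": (0.44, -0.35, 0.010),
    "T": (0.70, 0.45, 0.060),
}
# Same person years later: a flatter, later T wave (constructed drift).
PERSON_A_LATER = dict(PERSON_A, T=(0.70, 0.15, 0.050))

MATCH_THRESHOLD = 0.08  # Euclidean distance in feature space (assumed tuning)


def synth_beat(waves, rr_ms=1000, fs=250, gain=1.0, noise=0.005, seed=0):
    """Synthesize one beat as a sum of Gaussian bumps plus sensor noise.
    rr_ms sets the beat length (heart rate), gain the electrode contact level."""
    rng = random.Random(seed)
    n = int(rr_ms * fs / 1000)
    samples = []
    for i in range(n):
        t = i / n  # time as a fraction of the beat
        v = sum(a * math.exp(-((t - c) ** 2) / (2 * w ** 2))
                for c, a, w in waves.values())
        samples.append(gain * v + rng.gauss(0, noise))
    return samples


def _argext(samples, lo, hi, pick):
    """Index of the max (pick=max) or min (pick=min) sample in samples[lo:hi]."""
    return pick(range(lo, hi), key=samples.__getitem__)


def extract_features(samples):
    """Locate P, Q, R, S, T and return a rate- and gain-independent feature
    vector: P and T positions as fractions of the beat, and P, Q, S, T
    amplitudes relative to the R peak."""
    n = len(samples)
    w = int(0.06 * n)  # half-width of the QRS search window (assumed)
    r = _argext(samples, 0, n, max)
    r_amp = samples[r]
    p = _argext(samples, 0, r - w, max)
    q = _argext(samples, r - w, r, min)
    s = _argext(samples, r, r + w, min)
    t = _argext(samples, r + w, n, max)
    return [p / n, t / n,
            samples[p] / r_amp, samples[q] / r_amp,
            samples[s] / r_amp, samples[t] / r_amp]


def distance(f1, f2):
    """Euclidean distance between two feature vectors."""
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(f1, f2)))


def enroll(waves, seed=1):
    """Enrollment stores only the feature template, never the raw signal."""
    return extract_features(synth_beat(waves, seed=seed))


def verify(template, samples, threshold=MATCH_THRESHOLD):
    """Return (accepted, distance) for a captured beat against a template."""
    d = distance(template, extract_features(samples))
    return d <= threshold, d


if __name__ == "__main__":
    template = enroll(PERSON_A)
    # Same person, faster heart (600 ms beat) and weaker contact (gain 0.7).
    print("A, fast beat :", verify(template, synth_beat(PERSON_A, rr_ms=600, gain=0.7, seed=7)))
    # A different person is rejected.
    print("B            :", verify(template, synth_beat(PERSON_B, seed=3)))
    # The enrolled person after physiological drift is also rejected (lockout).
    print("A, years on  :", verify(template, synth_beat(PERSON_A_LATER, seed=5)))
```

Two design points carry over to any feature-based biometric: the stored template is a handful of numbers derived from the signal, so a leaked template reveals less than a leaked recording, and the acceptance threshold trades false rejects (the drift case) against false accepts, which is why re-enrollment policy matters as much as the matcher itself.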

The app will then authenticate a user for any devices that the Nymi is programmed to work with. Bionym plans to launch the device sometime in 2014. They are currently in the process of collaborating with developers so that when the device does launch, it will be compatible with as many devices as possible.

Karl Martin and Foteini Agrafioti, both researchers and biometric experts from the University of Toronto, founded Bionym. They may be among the first to produce a wearable device capable of monitoring a biometric indicator for authentication purposes, but they are not the first people to come up with the idea in theory.

Bruce Tognazzini, a usability engineer and human-computer interaction expert, penned an extensive article on his personal blog earlier this year arguing that – in order to be successful – Apple’s mythical iWatch must be an authentication mechanism in addition to whatever else it is capable of. He suggested biometric measures as the best baseline authenticator.

  • Randy on

    Sheesh. Massive assumptions here, by the vendor and security community (as well as the writer):

    1. The claim of uniqueness is valid. How was uniqueness tested, and what was the sample size? Or is this an unsupported claim by the vendor?
    2. The device is sensitive enough to support uniqueness. The analog signal (ECG) is converted to digital, and in the process data is thrown away. Unless the conversion and data point mapping is exposed we only have the vendor's assertion to rely on. Can the signal be spoofed? I can think of a couple ways it might be and I'm no kind of security expert.
    3. Physical changes. ECGs are not static over time. A minor event is likely to cause a lockout, and with an aging population that becomes increasingly likely.

    Biometrics have been a fond hope for security, but the problems with commercialization and conceptualization leave it wanting.
