UK bank tests heartbeat-encoded wristbands for online authentication

When it comes to passwords, there are so many things to worry about. At Naked Security, we’ve talked about a lot of them.

How long or complex they need to be, the bad choices people make when choosing them (think pets’ names), why passwords shouldn’t be reused, how they should be recorded and stored, and how easily they can be cracked.

But we also keep tabs on interesting new authentication means that could well promise a future without PINs, passwords, password managers, or memorable phrases.

Some of them sound like they’re straight out of science fiction: think biostamps and swallowable dongles, facial recognition and even individuals’ heartbeats, which are unique to every one of us.

In fact, researchers have proposed that it’s time to start thinking of our hearts as random number generators that can serve as passwords to secure medical devices that are otherwise vulnerable to hacking.

Indeed, our beating hearts could someday be a viable alternative to the easily guessable, completely hackable security questions that are now used to supposedly verify that we are, indeed, who we say we are.

That new world of heartbeats-as-authenticators instead of passwords may be right around the corner, given that it’s now being trialed by a high-street bank in the UK.

As The Guardian reports, that bank, Halifax, is testing electronic wristbands that use customers’ heartbeats to verify their identities in an effort to keep online accounts from being raided.

The technology would obviate the need to remember a password or rely on password managers to do it for you.

It relies on the Nymi Band, a wristband that measures heart rhythms to check who we are, connects to our devices via Bluetooth, and passes on that confirmation.

This is how it works, according to the BBC’s Simon Gompertz:

  1. First, a user needs to record his or her heartbeat pattern, in the form of an ECG (electrocardiogram). The ECG is then stored on the wristband.
  2. The wristband is worn on one arm. It needs to be paired with the user’s mobile phone, probably every day.
  3. The user opens the mobile banking app.
  4. Using Bluetooth, the app finds the wristband.
  5. Using his or her other hand, the user taps a sensor on top of the wristband.
  6. Another set of sensors detects whether the user is still wearing the band and shuts the device down if his or her heartbeat isn’t recognised.

Halifax says that the technology beats fingerprints or iris scans because heartbeats can’t be faked.

The same can’t be said of the fingerprint recognition in the Samsung Galaxy S5 and the iPhone 5s, or of retina scans, which have been foiled by digital images of an eye.

Halifax, owned by Lloyds Banking Group, says an ECG is a “vital signal of the body and as such, naturally provides strong protection against intrusions and falsification.”

The Guardian quotes a spokeswoman:

You could fake someone’s fingerprint, but you can’t fake someone’s heartbeat.

The bank is asking some customers who come into its branches to try out the new wristbands when they log into their bank accounts on a mobile phone or computer.

As Naked Security pointed out when we first wrote about Nymi in September 2013, these devices are fairly low-cost, with pre-orders back then set at less than $80 (around £55).

Would governments ever move to adopt these for citizen identification? Would there be any difference between a heartbeat identification gizmo and getting an RFID chip embedded in our forearms?

That thinking’s a bit far out, of course. For now, we’re just talking about authentication for online banking.

Would you wear one?