When it comes to passwords, there are so many things to worry about. At Naked Security, we’ve talked about a lot of them.
How long or complex they need to be, the bad choices people make when choosing them (think pets’ names), why passwords shouldn’t be reused, how they should be recorded and stored, and how easily they can be cracked.
But we also keep tabs on interesting new means of authentication that could well promise a future without PINs, passwords, password managers, or memorable phrases.
Some of them sound like they’re straight out of science fiction: think biostamps and swallowable dongles, facial recognition and even individuals’ heartbeats, which are unique to every one of us.
In fact, researchers have proposed that it’s time to start thinking of our hearts as random number generators that can serve as passwords to secure medical devices that are otherwise vulnerable to hacking.
Indeed, our beating hearts could someday be a viable alternative to the easily guessable, completely hackable security questions that are now used to supposedly verify that we are, indeed, who we say we are.
That new world of heartbeats-as-authenticators instead of passwords may be right around the corner, given that it’s now being trialed by a high-street bank in the UK.
As The Guardian reports, that bank, Halifax, is testing electronic wristbands that use customers’ heartbeats to verify their identities in an effort to keep online accounts from being raided.
The technology would obviate the need to remember a password or rely on password managers to do it for you.
It relies on the Nymi Band, a wristband that measures heart rhythms to check who we are, connects to our devices via Bluetooth, and passes on that confirmation.
This is how it works, according to the BBC’s Simon Gompertz:
- First, a user needs to record his or her heartbeat pattern, in the form of an ECG (electrocardiogram). The ECG is then stored on the wristband.
- The wristband is worn on one arm. It needs to be paired with the user’s mobile phone, probably every day.
- The user opens the mobile banking app.
- Using Bluetooth, the app finds the wristband.
- Using his or her other hand, the user taps a sensor on top of the wristband.
- Another set of sensors detects whether the user is still wearing the band and shuts the device down if his or her heartbeat isn’t recognised.
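As an added example (not Nymi's or Halifax's code, and not a description of any real matching algorithm), the following Python toy model walks through the six steps above: enrol a template from a few recorded beats, pair the band with one phone, accept a tap only from the paired phone when the live beat matches the stored template, and revoke the session as soon as a later beat no longer matches. Everything in it is a constructed assumption: beats are short lists of floats, the two "people" are hand-drawn waveform shapes with sensor noise added, matching is Pearson correlation against a fixed threshold.

```python
"""Toy model of the enrol / pair / tap / keep-wearing flow (added example).

Constructed assumptions, none of them Nymi's implementation:
  * a "beat" is a fixed-length list of floats sampled from one heartbeat;
  * the enrolled "ECG" is the average of several recorded beats;
  * matching is Pearson correlation against that template with a fixed threshold;
  * the band drops its authenticated state as soon as a live beat stops matching.
"""
import math
import random
from dataclasses import dataclass
from typing import List, Optional

# Constructed, idealised beat shapes for two different people (not real ECG data).
PERSON_A_SHAPE = [0.0, 0.1, 0.2, -0.1, 1.0, -0.3, 0.0, 0.2, 0.3, 0.1, 0.0]
PERSON_B_SHAPE = [0.0, 0.3, 0.6, 0.3, 0.0, -0.2, 0.5, 0.9, 0.2, 0.0, 0.0]


def sample_beat(shape: List[float], rng: random.Random, noise: float = 0.05) -> List[float]:
    """Simulate one measured beat: the person's shape plus Gaussian sensor noise."""
    return [v + rng.gauss(0.0, noise) for v in shape]


def pearson(a: List[float], b: List[float]) -> float:
    """Shape similarity in [-1, 1]; 1.0 means identical shape (amplitude ignored)."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = math.sqrt(sum((x - ma) ** 2 for x in a))
    vb = math.sqrt(sum((y - mb) ** 2 for y in b))
    return cov / (va * vb) if va and vb else 0.0


def enroll(beats: List[List[float]]) -> List[float]:
    """Step 1: record the heartbeat pattern; the stored template is the mean beat."""
    n = len(beats)
    return [sum(b[i] for b in beats) / n for i in range(len(beats[0]))]


@dataclass
class Band:
    template: List[float]            # the stored "ECG" from step 1
    threshold: float = 0.9           # assumed accept threshold on the correlation
    paired_device: Optional[str] = None
    authenticated: bool = False

    def pair(self, device_id: str) -> None:
        """Step 2: pair the band with the user's phone."""
        self.paired_device = device_id

    def tap(self, device_id: str, live_beat: List[float]) -> bool:
        """Steps 3-5: the app finds the band, the user taps the sensor, and the
        band compares the live beat with the template before confirming."""
        if device_id != self.paired_device:
            return False                      # unknown phone: no confirmation is sent
        self.authenticated = pearson(live_beat, self.template) >= self.threshold
        return self.authenticated

    def wear_check(self, live_beat: List[float]) -> bool:
        """Step 6: the second sensor set keeps watching; an unrecognised beat
        (band removed, or worn by someone else) revokes the session."""
        if pearson(live_beat, self.template) < self.threshold:
            self.authenticated = False
        return self.authenticated


def demo() -> dict:
    """Run the whole flow once and return the outcome of each step."""
    rng = random.Random(2015)  # fixed seed so the demo is deterministic
    band = Band(template=enroll([sample_beat(PERSON_A_SHAPE, rng) for _ in range(8)]))
    band.pair("owner-phone")
    return {
        "wrong_phone": band.tap("stranger-phone", sample_beat(PERSON_A_SHAPE, rng)),
        "owner_tap": band.tap("owner-phone", sample_beat(PERSON_A_SHAPE, rng)),
        "still_worn": band.wear_check(sample_beat(PERSON_A_SHAPE, rng)),
        "other_wearer": band.wear_check(sample_beat(PERSON_B_SHAPE, rng)),
        "after_revoke": band.authenticated,
    }


if __name__ == "__main__":
    for step, ok in demo().items():
        print(f"{step:>13}: {'accepted' if ok else 'rejected'}")
```

The one tunable in this model is `threshold`: raising it makes an impostor's beat less likely to pass but makes the owner's own noisier beats more likely to be rejected, which is the usual false-accept versus false-reject trade-off any biometric deployment has to settle on.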
Halifax says that the technology beats fingerprints or iris scans because heartbeats can’t be faked.
The same can’t be said of fingerprint recognition, which has been fooled on the Samsung Galaxy S5 and the iPhone 5s, or of retina scans, which have been foiled by digital images of an eye.
Halifax, owned by Lloyds Banking Group, says an ECG is a “vital signal of the body and as such, naturally provides strong protection against intrusions and falsification.”
The Guardian quotes a spokeswoman:
You could fake someone’s fingerprint, but you can’t fake someone’s heartbeat.
The bank is asking some customers who come into its branches to try out the new wristbands when they log into their bank accounts on a mobile phone or computer.
As Naked Security pointed out when we first wrote about Nymi in September 2013, these devices are fairly low-cost, with pre-orders back then set at less than $80 (around £55).
Would governments ever move to adopt these for citizen identification? Would there be any difference between a heartbeat identification gizmo and getting an RFID chip embedded in our forearms?
That thinking’s a bit far out, of course. For now, we’re just talking about authentication for online banking.
Would you wear one?
10 comments on “Bank tests heartbeat-encoded wristbands for online authentication”
Seems like a significant amount of inconvenience (wearing the device and having to pair it every time), but it’s simply measuring your radial pulse, not ECG, and given the normal variation for a person in this, it doesn’t immediately sound like it would be possible to differentiate reliably between different people.
Especially anyone over 65. A-fib means “no two beats alike.”
I concur with Alan Henness’ earlier reply and would add that not only is a pulse rate not unique to a person, it is easily changed. Resting vs active. Stressed vs relaxed. You can even manipulate it just by hyperventilating. This is the first article that I’ve seen over the course of my research on biometrics over the past several years that suggests “pulse” should be used as a way to uniquely authenticate an individual.
Well, at least it stops someone forcing you to give up your password at gunpoint due to the erratic bpm of your pulse. How easy is it to log on when you’re stressed, I wonder?
What about those persons that do not have a mobile phone and do not want one? I know a number of persons in this position.
And when this data gets ripped off – like all data is eventually – you cannot simply make up another one like a password. That is the fatal flaw with biometric information.
Ironically…when you find out your heart data has been stolen, you’ll probably be apoplectic enough that your sensor will reject you and therefore you won’t be able to login yourself and do anything about it 🙂
I’m going to assume for the sake of argument that Nymi Band worked out a way to reliably differentiate people this way, because otherwise building and marketing the band makes no sense (which doesn’t mean they didn’t do it anyway, I know). However, their claim that “you can’t fake someone’s heartbeat” is absurd. The band is recording something analog, converting it to digital, and comparing it to a digitally stored ECG. The definition of digital is something that’s perfectly reproducible. Therefore, there’s a way to record it, and therefore there’s a way to exploit it.
It might be better than passwords, but it’s still vulnerable. Unfortunately, that’s the Catch-22 of digital security at all. It has to be something it’s not to be the thing you want, but the thing you want is impossible to be the thing you need.
I have a developer’s unit on my desk, and have worked with the drivers provided with the device. It functions very reliably in logging in to a locked PC, and promises to be a good platform as an authentication factor. With additional development, I am confident that the Nymi technology will be well received.
My only issue is the wrist band needs to be extended by about a half cm.
As a developer I have been working with biometrics for quite a few years. I purchased one of these devices recently for testing and possibly using in the workplace. I do not want to disparage anyone, but so far I am less than impressed.