Bionym, a startup from the University of Toronto, is looking to banish password woes with a bracelet that handles authentication by monitoring your heartbeat. Password that's closer to wristy than handy. The Nymi device uses electrocardiogram (ECG) sensors in the top and bottom of the bracelet to build up a unique …
Does it still work after you've been out jogging? Or had sex. Or smoked a joint. Or performed any other heartbeat-affecting action?
Uses heartbeat to generate passkey?
Correct me if I'm wrong, but couldn't you replace a user's band while they're in the shower with a hacked one that remembers the beat, and swap it back the next day? Suddenly you have full access.
Like all biometric systems, if it gets hacked, you can't change your eyes/fingerprints/heartbeat like you can a password or security token.
Which is more practical? Guessing a password from miles away, or sneaking into someone's house at just the right time to steal their password bracelet?
It looks at waveform SHAPE, not rate. And if you have a heart attack, the device (if you're using the right software) will be able to inform you of subtle changes in your EKG before it gets to that. Not to mention, it could call the doctor for you if it sees classic signs of heart attack behaviour.
If you are tall and old, mild exercise causes the waveform shape to change to something more efficient before/instead of an increase in heart rate. Heart rate can be measured remotely by Doppler radar. Give it a year, and there will be an app for that.
"Which is more practical? Guessing a password from miles away, or sneaking into someone's house at just the right time to steal their password bracelet?"
No different to breaking in to steal a security token, only they can't go out and get a new heartbeat.
Not just sneak in and steal it - sneak in, swap it with another one, then sneak back in and swap it back without the owner being aware that anything is amiss. Seems *much* harder than guessing a password from afar or even stealing a security token.
"Not just sneak in and steal it - sneak in, swap it with another one, then sneak back in and swap it back without the owner being aware that anything is amiss. Seems *much* harder than guessing a password from afar or even stealing a security token."
Well what happens if you steal a token? As soon as the owner notices, they ring up and cancel the token.
You can't ring up and cancel your heart...
To steal someone's heartbeat wouldn't be that hard anyway for someone determined. Anything they touch could be bugged to pull their heartbeat, be it their chair, mouse, exercise bike etc. No different to stealing someone's fingerprints.
Class 2 Bluetooth has a range of 5-10 metres; if enough of these get into use it will be worth somebody's time to figure out a way of hacking and cloning these devices.
Unlike RFID smart cards and passports as mentioned above, your biometrics are not renewable.
As with designing any product, looking at/for its downsides and addressing those is as important as its potential benefits. I'm sure MS could give some advice on that score.
Heartbeat waveforms are *very* odd
They are nothing like the sort of thing you'd see in electrical systems (unless they are faulty electrical systems).
And BTW, your heart going into MI is not subtle.
Clever tech (and the other sensors make it sound like a good exercise and body health monitor) but otherwise....
Re: Heartbeat waveforms are *very* odd
I'm clearly missing something here. Biometrics is about using aspects of the person that *don't* change much, or only very slowly. All the aspects of the heart's regulatory mechanism are prone to rapid change uncontrollable by the individual (at least, that was accepted wisdom when I did cardiac anatomy and physiology a couple of decades ago). This just looks like a system designed to fail at the important moments - like fingerprint readers on laptops failing to authenticate just before a presentation because the presenter is nervous and has cold, sweaty fingers.
What exactly does it do?
As the description in El Reg reads, this is not really a biometric ID, as you will never be able to reproduce that value yourself ever again - it's just a sexed-up really-hot-cup-of-tea to generate a suitably random number that is used from then-on (i.e. "once it has been established").
Re: What exactly does it do?
I don't understand this either. This bracelet only generates one password for everything, or does it generate different passwords for different programs? How is the username catered for, or multiple accounts, or password changes, or forgotten passwords, or hacked passwords etc....
Re: What exactly does it do?
Yes, I'm confused, too, especially since it refers to "continuous verification" (or similar term - I'm not going back to that really smug video to check), implying that there is some active component to the whole thing.*
*Which raises a different issue - sometimes I want to be near my gadgets without actually being logged on to them (think mobile phone lock screen). If this type of "one token for all" idea is to take off, it would need a lot of fine-grain control before I even thought about adopting it (and still probably wouldn't - security in depth).
Re: What exactly does it do?
"especially since it refers to "continuous verification""
That, or something very like it, I think.
Which strikes me as being one of its weaknesses - not just for the example you gave of a mobile phone lock screen, but also for thievery in general.
For example, Mr Nefarious wants what's on the laptop belonging to Mr Jolly-Important, but it's secured with this device. He doesn't have to resort to cunning fake device trickery as suggested above; he just has to steal the laptop and, before the owner knows it's stolen, use it within range of him and his silly bracelet. Much, much easier.
Are they kidding?
It's got some potential, but only in the same way as going to the optician has the side benefit of picking up lots of non-ophthalmic conditions such as diabetes.
There are plenty of things that can alter the ECG that might neither be immediately life threatening nor even noticeable to the patient. Unless this thing is smarter than the average consultant cardiologist (nurses, you can stop laughing now) then every time someone cannot access an application or it alerts them to a change then waiting rooms at the GP will fill up with the "worried well".
WOW, the most sickening promo vid in the world!
Heartbeat...? Gesture activation...?
I wonder what would happen if someone's engaged in a bit of "one handed browsing"?!
At least if you have a developing heart defect...
...you will be alerted by being locked out from everything.
However, what if you are in an accident? Something that squashes your arm (and your magic device) or damages your heart, but is repairable? You are now locked out of everything. Even losing a limb may change your heart's signature.