
Heartbeats Instead of Passwords

Security company Bionym has unveiled a new authentication device in the form of a bracelet. The gadget is a miniature electrocardiogram that replaces passwords with the owner’s unique heartbeat pattern to log into computers, make payments or get into cars.

The login bracelet, called Nymi, reads the electrocardiogram of the person wearing it. When the heartbeat pattern is confirmed, the bracelet becomes an authentication device that can access computer networks, computers, hotel room doors, and airport kiosks.

It is a three-factor authentication system composed of a bracelet, a paired mobile device and a verified ECG of the bracelet owner.

The official promo video for Nymi advertises the idea of a private life that opens up to the owner via this futuristic bracelet that unlocks house doors, car trunks, computers, applications, helps pay for drinks or provides authentication for boarding tickets. All interactions should be easy and secure since marketers promise “complete security without compromising convenience.”

However, an all-around authentication device will intrigue hackers and motivate them to breach the device. What happens if, for instance, someone gets his hands on the heartbeat pattern and the bracelet? What about intercepting the communication between the bracelet and the doors, computers and cars during authentication?

Karl Martin, CEO of Nymi creator Bionym, told Ars Technica that “the device hasn’t yet undergone a formal security audit but it has been designed to withstand attacks.” The device “uses elliptic curve cryptography to ensure data traveling between the bracelet and the device can’t be monitored by anyone else.” Martin also said “the encryption secures the handshake performed between the bracelet and the devices being unlocked.”

Innovation is a trend. In June, Motorola presented two new electronic authentication prototypes, a tattoo and an FDA-approved pill, that make the human body transmit passwords to smart devices in an attempt to mark the beginning of a new wearable and edible technology.

About the author


A blend of teacher and technical journalist with a pinch of e-threat analysis, Loredana Botezatu writes mostly about malware and spam. She believes that most errors happen between the keyboard and the chair. Loredana has been writing about the IT world and e-security for well over five years and has made a personal goal out of educating computer users about the ins and outs of the cybercrime ecosystem.

1 Comment

  • How does this pass for news? All I’m seeing is snake oil that has no peer review with incorrect uses of technological terms.

    The whitepaper listed at even states that its so-called 3 factor authentication is actually 2 factor authentication (page 14).

    Having the 1) ECG (something you are), 2) Nymi Wristband (something you have) and 3) AAD (something you have) only makes this a 2 factor authentication device, with the “something you have” being required twice.

    That’s like saying a security system is 3 factor authentication, because it asks for 3 separate passwords (something you know, something you know and something you know again).

    If Bionym can’t even get well-known security terminology correct, how are we supposed to believe that their Elliptic Curve Cryptography implementation over Bluetooth is even secure (especially when the company freely admits no peer review has occurred)?

    Sounds like a nice trinket that allows Bionym to cash in on the FitBit Flex Band craze, with a security perspective. Pity a trinket is all it will be.