It was in the last few decades that researchers realized that the human heartbeat, no matter how fast or slow it's going, generates signals that are every bit as unique to an individual as a fingerprint or retina.
Now, a Toronto startup named Bionym is turning that insight into a novel kind of security product: a bracelet that acts as a wearable password – one that can't be lost, can't be stolen, and can't be used by others – but can still be taken off at will.
"By wearing something that knows who you are, it can be used as a universal identifier," says Karl Martin, Bionym's CEO.
Founded by Karl Martin and Foteini Agrafioti, two University of Toronto PhD students, Bionym's first product is a $99 Bluetooth-enabled bracelet called the Nymi. When a user puts the device on, they can authenticate themselves by pressing it to their wrist for a few seconds, during which the device picks up a few heartbeats' worth of the ECG signatures that, once run through an algorithm, are unique to each person. Having gotten the user's pulse, as it were, the device can now use its Bluetooth radio to wirelessly vouch that its wearer is indeed who she says she is.
However, as soon as the bracelet loses contact with its wearer's skin, it resets itself. So, unlike, for instance, a smartphone that contains digital credentials, a lost or stolen bracelet is of no value to those who'd break into accounts. (The Nymi's guts are in a little puck on top, smaller than a watch; the firm says that reliability issues made it opt against using flexible electronics.)
Bionym uses an open API and is working with developers on assorted applications: The bracelet could unlock both physical doors - like house doors secured with Bluetooth-enabled products like Lockitron - or virtual ones, like online logins for e-mail accounts, or even bank and bitcoin accounts. (Sure enough, standards for password-free security systems are emerging under the umbrella of groups like the FIDO Alliance.)
But using heartbeats to bypass passwords is only the beginning.
"In the biometrics world, there's a tunnel vision," says Martin. Biometrics solutions, he says, focus too much on one-off tasks like simply getting people through gates, like passwords. However, he says, the real potential in these technologies lies in using these devices to broadcast your identity continuously, to devices around you that might be listening.
"You can have a personalized experience. Devices can know who you are," he says. "That's what we're offering: Persistent identity."
For instance, he says, users could opt in to programs that would allow businesses to recognize them when they walk through the door. Since the bracelet's signals can travel a good 30 feet, devices that are authorized to speak with them can offer personalized experiences, be it an iPad kiosk at a department store that responds to their shopping history, or a high-end hotel lobby that sends service staff scuttling up to assist a high-value customer.
The key word for Bionym is "opt in": Martin says that the bracelet does not give off any signals that could be used to track users who haven't explicitly signed up to be recognized at a given location.
(He adds that the Nymi can't even be tracked by the systems that retailers use to anonymously tag passing customers by picking up on the wireless signals coming from their phones: It randomly rotates the identifiers, like MAC addresses, that these systems keep track of.)
Founded in 2011, but built on six years of research, the company has grown rapidly since being spun off; it has now reached 22 people and is in the middle of a new funding round. Agrafioti worked on the heartbeat-reading algorithms that are at the core of the product, while Martin, her co-founder, focused on cryptography. The Nymi is in pre-orders (for a discounted $79) and will be shipping this year. Martin says the company is currently working with developers who will use its API to make sure that even early adopters will have applications for their bracelets.
"We'll be focusing on making sure that users have something useful with it out of the box."
An earlier online version of this story incorrectly spelled Foteini Agrafioti's first name. This online version has been corrected.