Currently, of course, the fingerprint — via innovations such as Apple’s Touch ID — reigns supreme as the premier way to authenticate digital devices. This makes sense, given that fingerprints are used universally as a form of authentication. They have been used for more than 100 years to identify people (mostly criminals). Researchers have shown that a person’s fingerprints do not change over time, except in extreme circumstances (like leprosy). And, in the analysis of billions of sets of fingerprints, no exact match between two individuals has ever been found. In that regard, they’re like snowflakes – no two are alike. From that perspective, it’s a no-brainer that companies such as Apple have embraced fingerprint authentication for digital devices for security purposes.
But here comes the heartbeat.
In 2013, Toronto-based Bionym created the Nymi wearable wristband, which uses an embedded electrocardiogram (ECG) sensor to recognize the unique cardiac rhythm of users. This ECG sensor is able to match the wearer’s ECG against a stored profile in order to authenticate the wearer’s identity. If the heartbeats match, you’re good to go. As Kurt Bartlett, marketing and public relations manager at Bionym, told me in a phone conversation, the science is based on nearly a decade of R&D work at the University of Toronto, where researchers first began investigating an ECG biometric algorithm.
And now this year, the company is launching a first-of-its-kind pilot of a biometric payment system. The trial, which involves MasterCard and Royal Bank of Canada, will use a Nymi wristband linked to a MasterCard credit card for payments. An NFC chip inside the wristband will make it possible to communicate wirelessly with payment terminals, while the ECG sensor will make it possible to authenticate users. Bionym refers to it as the “world’s first biometrically authenticated wearable payment solution.”
So is heartbeat authentication really better than fingerprint authentication? According to Bionym, there are two primary advantages of heartbeat authentication over fingerprint authentication: one is linked to security and one to convenience.
As the company’s November 2013 white paper explains in greater detail, the security feature derives from the fact that a user’s ECG cannot be lifted or captured without a person’s consent. Contrast that to fingerprints, which leave behind “latent samples” (i.e. smudges) that can be replicated or forged. The ECG sensor is internal, meaning that it’s much harder to capture a user’s identity.
In terms of convenience, the Nymi requires a user to confirm their identity only once a day rather than swiping a finger for each and every transaction. Once a user has been authenticated, he or she will have continuous and reliable access to services and devices via wireless communication. Moreover, the ECG sensor is able to collect a signal continuously until it finds a match, which solves the problem of having to reposition your finger on a device if it is not read correctly the first time around. And indeed, if you watch the Nymi product videos, it does appear that services and devices unlock almost as if by magic. If you’re wearing a Nymi wristband, you literally do not need to put down your cup of coffee in order to unlock your smartphone – it recognizes who you are and unlocks by itself.
There’s obviously a new and growing market for biometric identification – and that’s precisely why it’s relevant to be talking about a standards war. Just think of the numerous times each day we’re asked to authenticate things around us with passwords. And now that mobile payments are becoming mainstream, just think of how many times we will be asked to authenticate these transactions each day. In fact, according to a recent JWT report on the future of payments, there will be 471 million global biometrics smartphone users by 2017. That’s a huge potential market.
Right now, the Nymi is still only available for pre-order and only a limited number of developers have been able to work with the Nymi wristband, so we don’t know how effective it will be in practice. However, if the heartbeat authentication pilot with MasterCard is successful, this potentially sets up a broader standards battle with Apple, which is heavily touting its Touch ID fingerprint identification system as the way to authenticate Apple Pay transactions. According to Apple, your finger — not your heartbeat — is “the perfect password.”
Apple has the first-mover advantage since everyone knows about Touch ID, and nobody knows about what might be called heartbeat ID. And Apple also has an advantage because of its huge installed iPhone and iPad customer base. As a result, fingerprints — not heartbeats — are the de facto industry standard for authenticating digital devices, digital services and mobile payment transactions.
But there are signs that the heartbeat could steal a beat on the fingerprint. In September, Bionym raised a $14 million round of venture capital investment and brought aboard MasterCard and SAP as new partners. The company is also reaching out to hospitality providers in order to convince them to use heartbeat identification as the way to recognize users. They’re hoping to license the heartbeat recognition technology to others, so that it can become a new standard for all wearable devices. Finally, they’re opening up to developers, asking them to design around the technology. Whereas Apple has been cautious about sharing too much of its technology with others, Bionym wants to get its technology onto as many wrists as possible.
But as much as this potential battle over biometric authentication is about the size of the customer base and first-mover advantage, it’s also about something much deeper – what we fundamentally consider to make us human. If someone asked you to define the one aspect of your physical identity that made you unique, you might say your “face” or your “eyes” or your “fingerprint.” And, not surprisingly, other biometric authentication schemes that have been proposed have used facial recognition and iris scans. The heart may be the subject of some of the world’s great poetry, but until recently, there has never been a reliable ECG biometric algorithm. In fact, you might not even realize that your heart’s cardiac rhythm could be used to identify you.
There’s still a lot to be done with using heartbeats for biometric authentication, of course. Products available for pre-order are not the same as products already in the marketplace. But given that Apple is already thinking in terms of the Heartbeat for the Apple Watch and more wearable devices seem to be coming with built-in heart rate monitors (which measure blood flow, not electrical activity), we might just see the heartbeat gain ground in its battle with the fingerprint.