Nymi Puts Its Heart Into IoT Authentication

Using its proprietary heartbeat authentication system, Nymi is rolling out wristbands that serve as physical and logical access-control devices, and, in the future, may double as MasterCard payment cards.
Published: October 27, 2015

Passwords and PINs are easily forgotten and can be stolen. Security badges can be counterfeited or stolen. That’s why banks, corporations and other entities that demand high security levels are interested in using biometrics for authentication purposes. But instead of installing fingerprint readers or iris scanners, what if a piece of wearable technology could be issued to an individual and then serve to positively identify that person without the need for any additional infrastructure?

That is Nymi’s pitch. The Toronto-based company, founded in 2011, has developed technology that enables an individual to capture his or her heartbeat—or rather, electrocardiogram (ECG)—and then use that data to authenticate himself or herself. Each person has a unique ECG, and Nymi has developed a wristband that captures, digitizes and securely stores the user’s ECG, which is then used to authenticate his or her identity as a first step in a secure transaction.

The Nymi wristband

On Monday, MasterCard announced that the Nymi system is one of a number of new technologies that the credit card company expects to integrate into a Near Field Communication (NFC) contactless-payments module. MasterCard has not issued a specific timeline for when the Nymi band will become available to U.S. customers, nor will Nymi confirm exactly how consumers will acquire the bands.

In Canada, MasterCard has already completed one pilot project to test Nymi’s biometric technology as a means of authenticating contactless payments using NFC. Nymi and MasterCard Canada plan to launch a second pilot next month.

This summer, 100 MasterCard cardholders who are also employees of Toronto-Dominion (TD) Bank were issued Nymi bands containing an NFC module matched to their MasterCard accounts, says Shawn Chance, Nymi’s VP of marketing and business development. During the 10-week trial, these pilot participants used the Nymi bands instead of contactless credit cards to make payments at retailers that accept NFC contactless payments.

“There was no new infrastructure needed,” Chance explains. But the microcontroller inside the wristband would not allow the NFC module to begin a payment transaction unless the band’s owner was wearing it.

To set up the Nymi band, an individual first needs to download the Nymi Companion app, available for the Android or iOS operating system, on a smartphone or tablet. “Then they fire up the app, put the band on their wrist and place the index finger of their opposite hand on the sensor located on top of the band,” Chance says. “By doing so, they’ll complete a circuit through their body.” Keeping their finger in place for between one and one and a half minutes will allow sufficient time for the sensor to capture a profile of the wearer’s unique ECG wave. At this point, the Nymi band creates the wearer’s ECG biometric template, which is stored in the band. (The wristband vibrates to let the user know the template-creation process is complete.) It also sends the ECG template, in an encrypted form, to the Companion app via a Bluetooth connection.

“We use a cryptographic key system, so the actual template is stored on the smartphone [or tablet] but in an encrypted state,” Chance explains. “The keys needed to decrypt it are in the band. Nymi does not store a copy in the back end, so the biometrics are localized [to the band].”

Once the user removes the band, it erases the ECG profile that it uses to authenticate that individual by comparing it to the ECG template. In this way, another person could not place the band on his or her own wrist and continue to use it.

To start using the band again, the user re-clasps it and repeats the process of holding the opposite hand’s index finger on the sensor. The band then compares the newly captured ECG data with the information stored in the template and, as long as there is a match, authenticates the user’s identity. This process takes only 10 seconds to complete.
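The wear-gated behaviour described above can be modelled as a small state machine. This is an added example, not Nymi's code: the class and method names, the constructed feature vectors, the distance-based match and its threshold are all assumptions, since the article gives no matching details.

```python
import math

MATCH_THRESHOLD = 0.15  # assumed tolerance; the article gives no matching details

class WearGatedBand:
    """Model of a band whose authenticated state lasts only while it is worn."""

    def __init__(self):
        self.template = None       # enrolled ECG template, kept in the band
        self.live_profile = None   # profile captured for the current wear session
        self.clasp_closed = False

    def clasp(self):
        self.clasp_closed = True   # wearing the band grants nothing by itself

    def unclasp(self):
        # Removal erases the session profile, so the next wearer starts cold.
        self.clasp_closed = False
        self.live_profile = None

    def enroll(self, ecg):
        if not self.clasp_closed:
            raise RuntimeError("band must be worn to enroll")
        self.template = list(ecg)

    def authenticate(self, ecg):
        # Keep the captured profile only if it matches the enrolled template.
        self.live_profile = None
        if self.clasp_closed and self.template is not None:
            if math.dist(self.template, ecg) <= MATCH_THRESHOLD:
                self.live_profile = list(ecg)
        return self.live_profile is not None

    def nfc_payment_allowed(self):
        # The NFC module is gated on an intact, authenticated wear session.
        return self.clasp_closed and self.live_profile is not None

def demo():
    owner, owner_later = [0.82, 0.31, 0.56, 0.12], [0.80, 0.33, 0.55, 0.13]
    other = [0.40, 0.70, 0.20, 0.65]   # constructed feature vectors
    band, seen = WearGatedBand(), []
    band.clasp(); band.enroll(owner); band.authenticate(owner)
    seen.append(band.nfc_payment_allowed())   # owner, authenticated
    band.unclasp(); band.clasp()
    seen.append(band.nfc_payment_allowed())   # re-clasped, not re-authenticated
    band.authenticate(other)
    seen.append(band.nfc_payment_allowed())   # different wearer
    band.authenticate(owner_later)
    seen.append(band.nfc_payment_allowed())   # owner after a fresh capture
    return seen
```

The security-relevant property is that the payment gate depends on session state the band clears on removal, not on possession of the band or on the stored template alone.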

Next month, Chance says, 150 MasterCard cardholders who are also employees or customers of the Royal Bank of Canada will participate in a second trial of the Nymi band.

Not Just Payments
Nymi has also worked with MasterCard to test the use of Nymi bands for access control, but has not announced whether MasterCard or any other company plans to deploy the technology on a permanent basis. For those tests, the band is issued in the place of a conventional RFID-based access card, and is then used to enter secured areas within corporate office buildings. As with the payments application, the band only works if the person to whom it has been issued is wearing it.

Chance says the Nymi bands are also being tested for applications in which they would replace other employee-authenticating methods for providing logical access control for securing a corporate computer system.

In fact, he says, corporations looking to increase the security of their physical and logical access-control systems by issuing the bands to employees will likely begin deploying Nymi’s technology sooner than consumers—beyond those who are participating in pilot projects—will begin using the bands to make MasterCard payments.

Earlier this month, Nymi and Entertech, a biometrics-based identity-management software provider, announced that they are partnering so that Nymi’s ECG authentication devices can be used with Entertech’s BioConnect software platform, which serves as middleware between biometric-based authentication devices and access-control systems.

Future Applications
Nymi has its sights set on hotels, fitness centers and a wide range of other types of facilities that rely on access-control systems as well.

The Nymi band contains an accelerometer that could be utilized to integrate gestures into proximity-based commands. For example, this video shows how the band could be used to open a car’s trunk or door, based on the user’s hand gesture. That same person then uses his Nymi band and gesture at a hotel, to control a Netflix broadcast on his room’s television.

Looking to encourage developers to think of new applications for the band, the startup also sells a software development kit (SDK) for the Android operating system. The SDK includes application programming interfaces, sample code, the Nymulator (a virtual simulator for the Nymi band, created for application testing), documentation and a Nymi band, and is priced at $149.