The average person has 30 to 50 accounts requiring a password, but uses only about five different passwords. And the most common password is still “password.”
Security experts say people should use a different password for each account, with each password at least 14 characters long.
Instead of memorizing all those passwords, what if the key to unlocking everything could be linked to something unique about you — like the rhythm of your heart?
That’s what biometric researchers in Toronto have come up with.
Like fingerprints, heart rhythms are unique. The peaks and troughs mapped out by an electrocardiogram are affected by the heart’s unique characteristics, including size and shape.
A company called Bionym is working to make passwords obsolete by using a person’s heart rhythm as a biometric pass code.
“We put this into a wristband so that when you put it on, it knows that it’s you,” Bionym CEO Karl Martin told Here & Now. “And then it can communicate your identity to systems in a secure manner around you.”
“We’ve designed the system so the user has complete control over their data and their identity. Everything requires opt-in. They know where their data is going, and they can revoke that if they want.”
How it could be breached
“If you compare it to say fingerprints, you leave your fingerprints everywhere. It’s really not that difficult for somebody to get your fingerprints. But for somebody to get your cardiac rhythm, you’d actually have to be touching a sensing surface of some sort. You’d have to be unaware, so that somebody is doing this without you knowing it.”
What happens if you die
“That’s a problem that we don’t solve. And I would say that’s actually a major problem with the digital world everywhere, whether it’s your passwords you took with you, or your biometric that you took with you. I think concepts of digital wills and how you manage that are things that really need to evolve. And certainly, when you’re tying your data to a biometric of your beating heart, I think that problem becomes more obvious, but it’s definitely not a new one.”
JEREMY HOBSON, HOST:
And while we're talking tech, Robin, I just want to ask you: How many passwords do you think you have?
ROBIN YOUNG, HOST:
HOBSON: A lot. Well, actually, the average is about five, even though they say you should have far more than that. I have dozens of accounts. I probably have about five, also average. But what if instead of remembering all those passwords, you could link all your passwords to something unique to you that you wouldn't have to remember, like your heartbeat?
Well, Karl Martin of the tech company Bionym has some new technology that does just that, and he joins us now from Toronto. Welcome.
DR. KARL MARTIN: Hi, Jeremy. Thank you.
HOBSON: Well - so, first of all, explain this technology and what you're trying to do with it.
MARTIN: We are developing a wristband called the Nymi. And what the Nymi does is it actually biometrically authenticates the wearer using their unique cardiac rhythm. So...
HOBSON: Meaning their heartbeat, basically.
MARTIN: Yes, their heartbeat. So this is what you call the electrocardiogram. That's the thing you see doctors pick up on the chest. But we can actually pick this up on different parts of the body. So when you put it on, it knows that it's you, and then it can communicate your identity in a secure manner to devices and systems around you.
HOBSON: Like your phone or an ATM machine, or something like that.
MARTIN: Exactly. Every time you use a password or a PIN and - all those points in your day are points of friction. If you imagine you have our wristband you're wearing all day, you don't even have to think about it, and you can have automatic access.
HOBSON: Now, the idea that you'd have to wear a wristband makes me think of some other technology, like 3-D glasses, which people don't seem inclined to wear. Do you think that you're going to face a hurdle in getting consumers to want to wear a piece of technology like that all the time?
MARTIN: Absolutely we see that. And as we release this product soon, we expect early adopters, people, gadget freaks and developers who will be most interested initially. So we're really showing that it can be done in the wristband. We think we might go through a few generations before probably there'll be some convergence with smart watches. But it's really about showing those early adopters to say, hey, this is something that's going to change the way you think about identity.
HOBSON: Now, this does bring up the issue of privacy, of course...
MARTIN: Oh, yeah.
HOBSON: ...the idea that some computer somewhere or the cloud can access all of your stuff. It seems a little scary, especially given all the NSA things that are going on.
MARTIN: Absolutely. And as we were conceiving this product, we knew right from the get-go that privacy would be a key concern. So we've actually followed a principle called privacy by design, and this is actually a framework developed here in Ontario by our privacy commissioner. So right at a low level, we've designed the system so the user has complete control over their data and their identity. Everything requires opt in. They know where their data is going, and they can always revoke that if they want.
HOBSON: Now, forgive me if I'm being a little too Hollywood producer here but, I mean, could somebody go in and get your heart rate, copy it and then create something that tricked this device, this Nymi that you've created?
MARTIN: Right. So I would never say it's impossible. But if you compare it to, say, fingerprint, right, you leave your fingerprints everywhere, right? It's really not that difficult for somebody to get your fingerprints. But for someone to get to your cardiac rhythm, you'd actually have to be touching a sensing surface of some sort. You'd have to be unaware, so that somebody is doing this without you knowing it. So while it's possible, it's highly unlikely. And they'd have to then reproduce that and mimic the way the body produces it.
HOBSON: Well, I feel like if you can create this technology, somebody can probably create some technology that can mimic your heart rate. But we'll leave that to the future.
HOBSON: So my last question is what if you die? What happens to all of your stuff because nobody would be able to access it without your cardiogram?
MARTIN: Right. So that's a problem that we don't solve. And I would say that that's actually a major problem in the digital world everywhere, whether it's your passwords that you took with you or your biometric that you took with you. I think, you know, concepts of digital wills and how to manage that are things that really need to evolve. And certainly it - when you're tying your data to a biometric of your beating heart, I think that problem becomes more obvious. But it's certainly not a new one, and we definitely have to think about how to work that out.
HOBSON: Well, Karl Martin, CEO of Bionym, thank you so much for talking with us.
MARTIN: Thank you, Jeremy.
HOBSON: And you're listening to HERE AND NOW. Transcript provided by NPR, Copyright NPR.