90.9 WBUR - Boston's NPR news station
Top Stories:
Here and Now with Robin Young
Public radio's live
midday news program
With sponsorship from
Mathworks - Accelerating the pace of engineering and science
Accelerating the pace
of engineering and science

Heartbeats Could Replace Passwords



The average person has 30 to 50 accounts requiring a password, but uses only about five different passwords. And the most common password is still “password.”

Security experts say people should use a different password for each account, with each password at least 14 characters long.

Instead of memorizing all those passwords, what if the key to unlocking everything could be linked to something unique about you — like the rhythm of your heart?

That’s what biometric researchers in Toronto have come up with.

Like fingerprints, heart rhythms are unique. The peaks and troughs mapped out by an electrocardiogram are affected by the heart’s unique characteristics, including size and shape.

A company called Bionym is working to make passwords obsolete by using a person’s heart rhythm as a biometric pass code.

“We put this into a wristband so that when you put it on, it knows that it’s you,” Bionym CEO Karl Martin told Here & Now. “And then it can communicate your identity to systems in a secure manner around you.”

  • If you could replace all of your passwords with something biometric, like your fingerprints or heartbeat, would you? Tell us on Facebook or in the comments.

Interview Highlights: Karl Martin

Privacy concerns

“We’ve designed the system so the user has complete control over their data and their identity. Everything requires opt-in. They know where their data is going, and they can revoke that if they want.”

How it could be breached

“If you compare it to say fingerprints, you leave your fingerprints everywhere. It’s really not that difficult for somebody to get your fingerprints. But for somebody to get your cardiac rhythm, you’d actually have to have to be touching a sensing surface of some sort. You’d have to be unaware, so that somebody is doing this without you knowing it.

What happens if you die

“That’s a problem that we don’t solve. And I would say that’s actually a major problem with the digital world everywhere, whether it’s your passwords you took with you, or your biometric that you took with you. I think concepts of digital wills and how you manage that are things that really need to evolve. And certainly, when you’re tying your data to a biometric of your beating heart, I think that problem becomes more obvious, but it’s definitely not a new one.”




And while we're talking tech, Robin, I just want to ask you: How many passwords do you think you have?


Oh, 93.


HOBSON: A lot. Well, actually, the average is about five, even though they say you should have far more than that. I have dozens of accounts. I probably have about five, also average. But what if instead of remembering all those passwords, you could link all your passwords to something unique to you that you wouldn't have to remember, like your heartbeat?

Well, Karl Martin of the tech company Bionym has some new technology that does just that, and he joins us now from Toronto. Welcome.

DR. KARL MARTIN: Hi, Jeremy. Thank you.

HOBSON: Well - so, first of all, explain this technology and what you're trying to do with it.

MARTIN: We are developing a wristband called the Nymi. And what the Nymi does is it actually biometrically authenticates the wearer using their unique cardiac rhythm. So...

HOBSON: Meaning their heartbeat, basically.

MARTIN: Yes, their heartbeat. So this is what you call the electrocardiogram. That's the thing you see doctors pick up on the chest. But we can actually pick this up on different parts of the body. So when you put it on, it knows that it's you, and then it can communicate your identity in a secure manner to devices and systems around you.

HOBSON: Like your phone or an ATM machine, or something like that.

MARTIN: Exactly. Every time you use a password or a PIN and - all those points in your day are points of friction. If you imagine you have our wristband you're wearing all day, you don't even have to think about it, and you can have automatic access.

HOBSON: Now, the idea that you'd have to wear a wristband makes me think of some other technology, like 3-D glasses, which people don't seem inclined to wear. Do you think that you're going to face a hurdle in getting consumers to want to wear a piece of technology like that all the time?

MARTIN: Absolutely we see that. And as we release this product soon, we expect early adopters, people, gadget freaks and developers who will be most interested initially. So we're really showing that it can be done in the wristband. We think we might go through a few generations before probably there'll be some convergence with smart watches. But it's really about showing those early adopters to say, hey, this is something that's going to change the way you think about identity.

HOBSON: Now, this does bring up the issue of privacy, of course...

MARTIN: Oh, yeah.

HOBSON: ...the idea that some computer somewhere or the cloud can access all of your stuff. It seems a little scary, especially given all the NSA things that are going on.

MARTIN: Absolutely. And as we were conceiving this product, we knew right from the get-go that privacy would be a key concern. So we've actually followed a principle called privacy by design, and this is actually a framework developed here in Ontario by our privacy commissioner. So right at a low level, we've designed the system so the user has complete control over their data and their identity. Everything requires opt in. They know where their data is going, and they can always revoke that if they want.

HOBSON: Now, forgive me if I'm being a little too Hollywood producer here but, I mean, could somebody go in and get your heart rate, copy it and then create something that tricked this device, this Nymi that you've created?

MARTIN: Right. So I would never say it's impossible. But if you compare it to, say, fingerprint, right, you leave your fingerprints everywhere, right? It's really not that difficult for somebody to get your fingerprints. But for someone to get to your cardiac rhythm, you'd actually have to be touching a sensing surface of some sort. You'd have to be unaware, so that somebody is doing this without you knowing it. So while it's possible, it's highly unlikely. And they'd have to then reproduce that and mimic the way the body produces it.

HOBSON: Well, I feel like if you can create this technology, somebody can probably create some technology that can mimic your heart rate. But we'll leave that to the future.


HOBSON: So my last question is what if you die? What happens to all of your stuff because nobody would be able to access it without your cardiogram?

MARTIN: Right. So that's a problem that we don't solve. And I would say that that's actually a major problem in the digital world everywhere, whether it's your passwords that you took with you or your biometric that you took with you. I think, you know, concepts of digital wills and how to manage that are things that really need to evolve. And certainly it - when you're trying your data to a biometric of your beating heart, I think that problem becomes more obvious. But it's certainly not a new one, and we definitely have to think about how to work that out.

HOBSON: Well, Karl Martin, CEO of Bionym, thank you so much for talking with us.

MARTIN: Thank you, Jeremy.

HOBSON: And you're listening to HERE AND NOW. Transcript provided by NPR, Copyright NPR.

Please follow our community rules when engaging in comment discussion on this site.
  • Jon easton

    I think this is a great idea, not only do you no longer have to remember your passwords but it makes it easier and faster to get into your secure accounts, without the possibilty of someone seeing you type in your password or have a keystroke recorder on your computer to catch your passwords. this also goes to show how far we are in technology.

  • AnonymousGeek

    Biometric security sounds good until you really think about it. It would only work well if there were a real-time connection between the bio and the login, and there’s no technology for that on the horizon. What would actually happen is the bio info would be stored in a database, and when that gets stolen and hacked, how can you warn the users to change their passwords? Tell them to change their heartbeats?

    • Andrej

      The device works on the principle that it authenticates with your heartrate at say the beginning of each day. The moment it is removed from your person, it is no longer authenticated, and it can theoretically cycle password hashes on a daily basis

  • Alnoor Chagpar

    excellent idea so long as you have a healthy heart beat-what happens if and when you suddenly develop a PVC? will the system recognize the remainder of the normal  pattern? or will you be locked out of all your accounts and how will you be able to get them back?

  • DPS

    A nice idea and implementation technologically. But there’s got to be more layers of security coming along with it. I mean, even at gunpoint, nobody can steal my password from my brain, but they can definitely (forcefully) take two body surfaces and get my heart rhythm and thus the password! Bingo they have access to all of your life!!

Robin and Jeremy

Robin Young and Jeremy Hobson host Here & Now, a live two-hour production of NPR and WBUR Boston.

August 20 Comment

James Foley Remembered For His ‘Extraordinary Courage’

U.S. officials have confirmed the authenticity of a video showing the beheading of the American journalist.

August 20 5 Comments

L.A. Moves To Arrest Fewer Misbehaving Students

The change in the school district's policy is the culmination of a long fight by judges, government officials, advocates and attorneys.

August 19 5 Comments

Abandoned Homes In Buffalo, N.Y. Selling For $1

Instead of tearing the homes down, city officials are selling them for $1, as part of the "Urban Homestead Program."

August 19 Comment

A Look At U.S. Military Options In Iraq

Retired Admiral William Fallon, who was head of United States Central Command during the Iraq War, discusses the current conflict.