As part of BeyondCurious’ ongoing interest in what wearable technology will mean for enterprise, I attended the Glazed Conference in San Francisco this week. Glazed, a conference on the business of wearable technology organized by Wearable World, attracts pioneers and luminaries in the wearable tech ecosystem. Wearable tech is currently lauded for its consumer applications, particularly in the realm of health and fitness tracking. But there is a whole other world of wearable tech applications that have profound implications for enterprise. For example, data security is a heavy burden for business. That is particularly true in today’s increasingly mobile, distributed workforce. As the recent Heartbleed debacle pointed out, password technology is deeply fallible. How can companies simultaneously keep their data safe and allow their employees anytime, anywhere access to key systems and information?
One of the wearable tech companies attempting to solve this problem is Bionym, a spinoff of the University of Toronto that is currently making a product called the Nymi. The Nymi is a small, wearable device that uses electrocardiogram (ECG) to authenticate user identity. In effect, the Nymi turns a person’s own heartbeat into a unique key that can be used to unlock any conceivable device. I talked to Glazed panelist and Bionym President, Andrew D’Souza, about the Nymi, its unique differentiators, and the role it could play for enterprise in making it easier for people to be simultaneously productive and secure.
Yury: Tell me more about how the Nymi works?
D’Souza: The Nymi is a wearable device that measures your heartbeat and uses it as a unique biometric to identify you. You put it on once a day, touch it with your opposite hand for a few seconds, it measures your heartbeats, it confirms that you – the rightful owner – are wearing it, and then it’s able to communicate that identity to whatever system or service you use. So, what we’re hoping is that it means the end of things like passwords and pin numbers. But it could even replace things like car keys, house keys, credit cards, and boarding passes. These are all different proxies for identity. We think that a wearable device that’s paired with your biometric can be a much easier, more secure form of user identification.
Yury: I didn’t realize that people’s heartbeats are different. Is the heartbeat really a reliable biometric?
D’Souza: Yes, it is! Everybody’s got a unique heartbeat. It’s based on the size and shape of your heart and the orientation of your valves, your physiology. It doesn’t change unless you have a major cardiac event like a heart attack.
Yury: What about when you’re nervous and your heart rate goes up? Will it still work?
D’Souza: Your heart can beat faster but electrically your beats look the same. So, whether it beats faster or slower, it doesn’t really matter. It’s really about the shape of the waves, and what that signal looks like when it comes off your heart.
Yury: Fascinating. So, in your panel earlier, you said that as far as biometrics go, the heartbeat is not quite as good as fingerprints. Can you talk about why we need something like the Nymi if that is true?
D’Souza: There’s a spectrum of biometrics. So if you think about the uniqueness of different biometrics, retinae are the most unique. Fingerprints are probably next and then ECGs. ECG metrics are not as developed as they are with fingerprints, although we’re approaching fingerprint uniqueness, and we’ll probably exceed those metrics in the next few years. However, ECG metrics are already far above things like voice recognition.
The real unique part of what we’re doing with the idea of putting biometrics into a wearable device is this concept of persistent identity. Even with the iPhone with its fingerprint reader, every time I want to access my phone, every time I want to access an application that’s enabled by the touch ID, I have to put my fingerprint down. Whereas with the Nymi, you put it on once and until you take it off you’re still authenticated. And that’s the big difference. We just have to make one match, we can tune the system to be very secure during that one matching process, and then you don’t need to think about it.
Yury: BeyondCurious is a digital innovation company that works with large enterprises to develop multi-platform applications. We are very interested in the wearable space because we want to know what wearables are going to mean for enterprise. So, what will this concept of persistent identity mean for industries like travel, hospitality, and automotive?
D’Souza: One thing persistent identity could enable is that you could know who your customer is before they tell you. That’s kind of the paradigm that our partners are operating on. So, if you think about an airline, until I walk up to the counter and I give them my passport or my information, they don’t know that I’m a frequent flyer, they don’t know where I’m going or anything like that. But imagine if an airline could know who I am and what my flight is as soon as I walk in the door. As soon as I walk into the lounge, for example, they could know what I like to eat or what I like to drink, or if I have dietary restrictions or preferences. For a hotel, this is hugely important. A device like the Nymi could help take service to the next level.
The Nymi authenticates your identity using your own heartbeat. (Photo courtesy of Bionym)
Yury: Can you give me an example of how persistent identity could help people in the work place?
D’Souza: Sure. So, probably the most broadly applicable example is proximity-based device access. How this works is I sit down at my laptop and all my accounts unlock; it knows that it’s me; I get up and walk away, it locks again. If I leave somewhere, it’s locked. If I leave the terminal and get a drink of water, somebody can’t sneak in and go through my e-mails. I can log in from anywhere. The company or the system is a hundred percent confident that it’s me sitting in front of that terminal or holding that mobile device or tablet. I don’t have to worry about rotating pin numbers or codes or passwords. Especially in a hands-free environment, being able to access digital or physical locations and information without having to pull out keys or a badge would be a real benefit.
If you think about all the proxies we use for identity, badge numbers, pin numbers, multi-factor security tokens; they’re all points of friction for our employees, and for our customers. And they’re all not perfect proxies. So, what if there was something that was persistent and convenient, that got out of the way, so you were still confident that the right people have access to the right places, and you could let them get on with what they need to do.
Yury: What about applications for the automotive or consumer electronics industries?
D’Souza: Automotive is really interesting both on the consumer side and the enterprise side. From the consumer perspective, persistent identity could make it possible for me to access my vehicle, and have it remember my preferences, where I’m going, and what I was listening to. That becomes really interesting in a fleet environment. What if I can just jump into any vehicle and it knows that it’s me, it knows where I’m going and all my information? This is the paradigm of a shared device, or a specialized device environment that is shared among a number of people. So, you can think of that as a vehicle, I can sit in any vehicle or a number of people can sit in a vehicle, and the vehicle responds to them. You can issue or revoke access to that.
You can apply that same model to consumer electronics. So, I can go to a bank of phones or tablets and it has my accounts, my information, it knows that I’m holding it. I can borrow your phone if mine’s about to die, and it could ring because it knows that I’m holding it and not you. It would load my apps and my e-mails because it knows it’s me, and then I could give it back to you and it would have your information again. I can take my identity and my preferences with me securely and have the devices and the environment react to me. The concept is separating the identity from the device.
Yury: That’s a really fascinating vision of the future. And it seems like it could align well with emerging consumer attitudes that value ownership much less than previous generations did, particularly in the automotive space. I can imagine a persistent identity device making a Zipcar experience much more seamless and personalized, for example. And that could even have ramifications for autonomous vehicles.
So, I understand that persistent identity is the key value proposition of the Nymi. But you can’t talk about identity without talking about security, especially these days. Can you talk a little bit about what you’re coming up against in terms of the kind of fears or issues people are having about the Nymi?
D’Souza: Yes. So, there are two questions people immediately have. One is: do all these different systems and services need to know my heartbeat, my ECG, my biometric? The answer is no. We’ve designed this system so that the biometric stays local, so the Nymi confirms I’m wearing it because it matches my heartbeat to the template that I’ve stored. Then all it’s doing for other services and systems is providing a “yes or no” credential. It’s saying, “Okay, this Nymi is associated with those frequent flier numbers or this credit card number.” It would reach those servers, but the biometric is not transferred. That’s actually another fundamental difference between how the Nymi works and how fingerprint and retina scans currently work. If you were to put fingerprint readers and retina scanners on every door or every point of sales system then actually you’d be spreading your biometric all around. That’s both a security concern and a privacy concern.
The other question people have is, “Are people following my Bluetooth signal?” We’ve designed the system to be totally opt-in. We are a Canadian company, and we’ve got a great privacy commissioner in Ontario that has issued standards of privacy by design. So it’s opt-in, it’s completely private and personal until you’ve volunteered that information. So, I can say I want my airline to know my name when I walk in but I don’t want the retailer to know. Or if I do, I don’t want those identities connected. I want an independent identity or both. And at any time, if I’m not getting a benefit from that airline knowing me, I can revoke that.
Yury: You still have to worry about any data they may have accessed before you revoked it, right?
D’Souza: The way we’ve designed the system, the data they have access to is just within their system. It’s not my complete identity. The airline just has my identity associated with my frequent flier number that they’ve built up. So, if that gets breached, it doesn’t mean my credit card or my health records or anything else like that gets read. The Nymi creates a separate identity for every service that it pairs with. So, essentially, what you’re doing is when I sign up for a new service, it’s writing a new key there. It’s saying, “This key is associated with this new service.” They’re not all connected; they operate independently.
Yury: Does that mean if it were ever hacked, that it would have to be hacked for every single service?
D’Souza: Right. So someone would have to hack into every part of your life. They’d have to hack into your airline, your retailer, and your car, your home, or whatever to get all that information. With the Nymi, all the data is stored on the hardware. It’s not like there’s some Cloud service that the NSA can break into our offices and get your data. We don’t even know who you are. You buy the Nymi and it’s a Bluetooth peripheral. It’s a key. We don’t know who you are, where you’re using it. That knowledge stays with you and the services you enable.
Yury: Talk a little bit about monetization. How are you guys going to make your money if you don’t have your hands on the data?
D’Souza: Yes. So, we make some money on the hardware. That’s not a long-term business model. The value is really in mediating identity transactions. If an airline, hotel, retailer, or a hospitality company wants to use our services to serve their customers, we can host that service. We can essentially mediate that, and we can mediate transactions. Payments and transactions are a huge opportunity. If you think of all the identity transactions that take place, payments are a subset, but they are a very lucrative subset. Even if we can reduce fraud and increase volume, and reduce friction to payments just a small amount, that’s really meaningful.
Yury: You were on a Glazed panel with Stephane Wyper of Mastercard and it didn’t occur to me at that time, but now I’m smiling realizing that you were up there with the future competition, potentially.
D’Souza: Well, I don’t think we’re ever going to build our own complete payment system, but I think what we can do is we can enable companies like Mastercard, Visa, and newer payment companies like PayPal to provide an easier experience that’s also more secure. If we can enable them to do that then that’s a huge value to the ecosystem and we can probably find some interesting ways of capturing some of that value. If you think about digital payments, mobile payments, or online payments, the merchant has no idea who’s actually sitting in front of that terminal. All they know is that somebody with that credit card number and that password and that billing address is there. That’s it. The risk of fraud is enormous. So, if we can use the Nymi to make online payments as secure or more secure than being in a store with a card, that’s huge.
Yury: I can actually imagine the credit card companies paying people to wear a device like the Nymi to deter fraud.
D’Souza: Yes, the way this will probably play out is companies – credit card companies, banks, or car companies, or airlines – will basically give these away, buying them for their most valued customers. But what’s important is regardless of how you get a Nymi, it’ll work throughout the ecosystem. So, if I get it from my airline, I can still connect to my car, can still use it with my personal credit card, etc.
Yury: Nice. So, there was some talk today at Glazed about the pros and cons of a powerful all-in-one wearable versus a specialized wearable that does one thing well. How would you characterize the Nymi?
D’Souza: We’re looking at the Nymi as a horizontal identity platform. While you can think of identity as one application, it’s the key to multiple applications.
Yury: How has the Apple fingerprint biometric on the iPhone 5s helped you learn about people’s fears or acceptance of using biometrics to access devices?
D’Souza: I think what we learned from Apple is that consumers are comfortable with this concept that something about me can represent me better than some kind of proxy, whether that’s a password, a card, or a badge. I think what’s important is to get that level of trust, you need to start with a specific use case. So, in Apple’s case, it was just “unlock my phone,” that’s it. We’ll likely start in a very similar end-consumer application where proximity unlocks a device. For example, I pick up my phone and it unlocks, I walk away and it’s locked. Our goal right now is getting that experience very right, very reliable, and then expanding from there. We haven’t launched with a Cloud server because we need to make sure that consumers trust it. It can work; you don’t need to connect it to the internet or some other kind of backup system. It’ll work as a proxy, as a key on its own, totally in your control. Now if there are benefits to storing my identity in the Cloud and being able to revoke things or back it up then maybe some consumers will opt into it, but I think to start with we’ll say it’s not a necessity. You can start with a local, completely controlled, secure environment.
Yury: Returning to this idea of enterprise, do you think this is really going to take off first with consumers, or with enterprise and why?
D’Souza: I think there are probably more immediate applications in the enterprise. Think about saving people time and mind share; that alone is a huge opportunity. Enabling an employee to focus on what they’re doing and not have to shift focus to log into systems could be a huge boost for productivity. We’ve had a lot of interest from the enterprise. But what we’re very conscious of is that we don’t want this to be a shackle; we don’t want this to feel like, “Well I got this from my employer and I have to put it on when I get to work and I take it off as soon as I leave and it tracks me.” We want it to be a perk.
For this platform to work really well, it’s got to cross enterprise and consumer. It’s got to be something I put on in the morning so I can access the things I need and value in my personal and professional life, like my house key, car key, my personal accounts, my credit card, my badge card at work, my computer station, etc. It’s got to be kind of ubiquitous. We’re not going to get there overnight, but that’s the vision. Ultimately, it’s my identity, and regardless of whether I’m using that in my personal life or I’m using that in my work life, I trust it.
Carrie Yury is Director of Research and Insights at BeyondCurious.