Getting To The Heart Of Biometric Authentication

Using biometrics to authenticate a consumer doesn’t go far enough, some say, to really prevent fraud. Fingerprints, retina scans, even facial recognition can still be spoofed. There’s one thing, Karl Martin, Nymi’s Founder and CEO, says that can’t be – and he and his team have spent the last 10 years perfecting it.

Using biometrics to authenticate a consumer doesn’t go far enough, some say, to really prevent fraud. Fingerprints, retina scans, even facial recognition can still be spoofed. But there’s one thing that can’t be compromised, says Karl Martin, Nymi’s Founder and CEO – and he and his team have spent the last 10 years perfecting it.

“When bringing something new to the market you can’t just be 10 percent better, you’ve got to be 10 times better,” Martin explained to MPD CEO Karen Webster.

Especially, Martin believes, when it comes to authenticating the identity of a consumer – which has to be not only better, but also solve a problem with incredibly accuracy.

“You’ve got to really be introducing a new capability that really hits a need. It took us two years to realize the problem wasn’t really around developing a new core authentication technology, it was really about how to scale new ways to authenticate the consumer,” he added.

By scale, Martin means keeping up with the myriad of devices and endpoints consumers use to conduct commerce, combined with the number of fraudsters who make it their life’s work to interfere with that. For many years, the fallback has been forcing users to use longer, more complex passwords, and often use those passwords multiple times per day for the same application or site. After realizing how dreadful that experience is for users who just want to get on with their transaction, Martin said it was clear that the technology was only a piece of the puzzle. He and his team concluded that the key to improving authentication in a meaningful way was to make all of those frictions melt away.

“We’re asking users today to remember a long, complex password and enter it over and over again, but that’s something a machine should do, not a human,” Martin stated.

The result was the idea of the Nymi Band, a wearable authenticator that continuously and securely identifies a user based on something that Martin said is totally unique to the user and impossible to spoof: their unique heartbeat or electrocardiogram (ECG).

“We’re asking users today to remember a long, complex password and enter it over and over again, but that’s something a machine should do, not a human.”

BEING PERSISTENT MEANS BEING SECURE

Earlier this year, Nymi introduced an NFC-enabled prototype of its Nymi Band that can enable the wearer to also make contactless payments. Which is cool. But what’s even cooler is what makes Nymi’s technology both unique and effective.

Nymi’s technology enables a persistent identity so that the consumer doesn’t have to continue to re-authenticate herself, as long as she is wearing her Nymi band.

“The persistence is ultimately what makes the experience go from a user having to repeatedly take an action to prove themselves to the machine doing it on their behalf,” Martin noted, adding that this driving concept frees users from having to consistently perform a task that machines are actually built to handle.

In the biometric space, Martin acknowledges that there’s a debate over how secret (and secure) biometrics really are. For example, while a fingerprint can be seen as one of the most unique identifiers of a person, it is also something that is left everywhere that person travels, and on everything they touch – making it easy for a bad guy to replicate.

Even a person’s face or iris, which could be captured at a distance without someone’s knowledge, can be used as an identifier by someone with bad intentions.

However the ECG, as Martin explained, is very closely tied to the body, which drastically reduces the likelihood that a person’s ECG signal would be compromised without them realizing it.

It also proves that the consumer being authenticated is alive.

A LOOK UNDER THE HOOD

While some of the main components within the Nymi Band only differ slightly from some of the fitness trackers on the market today, the “secret sauce” lies in the entire device being treated as a secure process, rather than just enabling security within the software.

The secure element within the band is uniquely positioned in the hardware, where it manages the keys and the cryptographic processes. In the next generation of Nymi Bands, the NFC component will also act as its own secure element and processor, allowing a whole ecosystem of applications to be delivered through it, Martin confirmed.

The Nymi Band leverages Bluetooth as the transport layer for authentication credentials, which allows the authentication technology to be expanded to a variety of endpoints and environments.

“The market is clearly going there because the ports are disappearing on our computers. Furthermore, you are not going to plug a USB device into your phone for authentication — it makes no sense,” Martin pointed out, adding that the use of Bluetooth also goes hand-in-hand with the ongoing initiatives to repair the fragmented ecosystem around identity and authentication.

Eventually, the common goal of companies like Nymi, which is a member of the consortium of industry players that make up the Fast IDentity Online (FIDO) Alliance, is to have FIDO-based credentials that enable a single-sign on for all cloud applications, taking a lot of the work and friction points away from users.

MAKING COMMERCE SECURE EVERYWHERE

But the challenge lies in enabling the technology to talk to many different platforms residing in various environments.

“We call that deep integration, because we know access isn’t just one layer. It’s access to the device, it’s access to the application, it’s access to data and our goal is to make that all disappear for the user,” Martin said. “I would say we are halfway there leveraging what’s out there, but with further things coming from FIDO that’s going to go even deeper.”

As commerce continues to move past the traditional methods of transactions that take place at the point of sale, the number of new environments and applications in which commerce may be enabled only grows.

Although, the key to actually accelerating these efforts may start with ensuring this authentication technology can be utilized across a variety of operating systems and non-traditional payment environments, which places a huge significance on interface and experience.

“At the end of the day we are not looking to dominate this space. We are one piece of the puzzle. We become an interface of high trust and there is this issue of different types of transactions requiring different levels of trust, but there’s always an expectation of balancing convenience with security,” Martin stated.

“We try to solve that and say you don’t need to choose, you can have convenience and security.”