Sunday, September 15, 2013

Nymi -- Biometrics Revisited

Last week my friend Lori approached me with an article she had read about a new device called Nymi. This device (which is in pre-release and available for preorder) purports to be able to use "a person's unique heartrate" for authentication purposes. Payment devices, hotel check-in technologies, enterprise computer systems, and even automobile locks can then be secured and accessed without remembering a plethora of passwords or carrying half a dozen token devices (to include physical keys). Lori's question to me -- which warmed my heart :) -- was what the security implications and ramifications would be of such a technology. To answer this question, we need to go back to the basic principles behind authentication and biometrics. If you are already more than well versed in these topics, then you should scroll ahead a few paragraphs; however, a base-level review of these topics is never a bad thing.

As most of us know, the best authentication schemas use two of the following three factors: (1) something you have (a physical token such as a key or a digital key fob); (2) something you know (a unique password); and/or (3) something you are (a biometric identifier such as a fingerprint). Most true two-factor authentication schemas employ (1) and (2) above; many schemas use two instances of item (2) -- such as a user ID and a password -- which is not true two-factor authentication.

Very, very few authentication schemas employ widespread use of biometrics in their environments.  The reasons are straightforward:
  • Invasiveness. Utilization of biometrics in some form or fashion usually means the surrender and recording of a person's unique physical characteristics. If you use a fingerprint scanner, for example, then somewhere within your network is some type of digital representation of your staff's fingerprints. Same for retinal scanners. Many organizations see the adoption of such tools to be invasive and "overkill" from a security standpoint.
  • Privacy. With over 35 states having data privacy and security laws, protection of biometric data adds yet another category of data to be secured within the enterprise. Worse, biometric data may subject organizations to portions of the HIPAA/HITECH regulations that they mightn't have to deal with at present.
  • Rejection/Acceptance Rates. If you enter your password and token data in correctly, the system will allow you access. Period. If you use a biometric device, you are subject to false rejection and denial of access -- or worse (from a security perspective) false acceptance which will allow unauthorized personnel access to your secure data. While these rates are falling as technologies get better, accuracy is still not at 100% -- which means biometric devices run the risk of being labelled as (a) a nuisance or encumbrance to operations or (b) ineffective in securing the enterprise.
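
To make the rejection/acceptance trade-off concrete, here is an added example (not from the original post and not Nymi's algorithm). The match distances, the "rest" and "exercise" conditions, and the tolerance values are all constructed for illustration.

```python
# Constructed (condition, distance) samples for the enrolled wearer; distance 0.0
# means "identical to the enrolled template". Illustrative numbers, not device data.
GENUINE = [("rest", 0.08), ("rest", 0.11), ("rest", 0.12), ("rest", 0.15),
           ("rest", 0.19), ("exercise", 0.22), ("exercise", 0.31), ("exercise", 0.38)]
# Constructed distances for other people presenting against the same template.
IMPOSTOR = [0.27, 0.35, 0.41, 0.44, 0.52, 0.58, 0.63, 0.70]
TOLERANCES = [0.10, 0.20, 0.30, 0.40, 0.50]


def rates(tolerance):
    """Return (false_rejection_rate, false_acceptance_rate) at this tolerance.

    A sample is accepted when its distance is <= tolerance.
    """
    frr = sum(d > tolerance for _, d in GENUINE) / len(GENUINE)
    far = sum(d <= tolerance for d in IMPOSTOR) / len(IMPOSTOR)
    return frr, far


def rejected_conditions(tolerance):
    """Conditions under which the legitimate wearer is locked out."""
    return sorted({c for c, d in GENUINE if d > tolerance})


def loosest_zero_far(tolerances=TOLERANCES):
    """Largest tolerance that still admits no impostor, with its FRR."""
    safe = [t for t in tolerances if rates(t)[1] == 0.0]
    best = max(safe)
    return best, rates(best)[0]


def zero_frr_cost(tolerances=TOLERANCES):
    """Smallest tolerance that never rejects the wearer, with its FAR."""
    usable = [t for t in tolerances if rates(t)[0] == 0.0]
    best = min(usable)
    return best, rates(best)[1]


if __name__ == "__main__":
    for t in TOLERANCES:
        frr, far = rates(t)
        print(f"tolerance={t:.2f}  FRR={frr:.3f}  FAR={far:.3f}  "
              f"wearer rejected during: {rejected_conditions(t) or 'never'}")
```

With this constructed data no tolerance gives zero false rejections and zero false acceptances at once: tightening the match locks the wearer out, loosening it lets someone else in.
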
With these things in mind, let's take a look at the Nymi.

Nymi's use requires it to be on your wrist and active. Once there, Nymi purports to be able to "continuously" sample your heartrate and provide continuous proximity-based authentication for those systems which require such things (say, for example, your network-based office computers which could automatically lock when you get up from the desk). Interviews with the CEO (which can be found on their website) discuss how Nymi was built utilizing the Privacy by Design framework which emphasizes minimum utilization of personal data and total transparency re: where the data goes...

...but there is no information or discussion around the security of the device and the data.

Without the technical specifications I am only guessing regarding how Nymi actually works...but logic would dictate that it is either (a) transmitting a digitized version of your heart rate signature or (b) is utilizing your heart rate to authorize the transmittal of a unique "go code" to an authentication device (in other words, Nymi samples your heart rate and determines that it is, indeed, you...at which point it sends a unique authentication key to the device you're attempting to utilize). Here are the top-of-head questions the Old Security Guy in me has regarding security and utility of the Nymi:
  1. Static Nature of My "Unique Heart Rate." I'm not a doctor, but I would assume that my heart characteristics now as an overweight 47 year-old man have changed slightly since I was a 22 year-old Lean Mean Fighting Machine. What specific items are measured to generate this unique signature? If my heart health changes (cholesterol, etc.), will I be locked out of my own Nymi-enabled devices? While heart rate and heart beat are different things, I would assume that my heartbeat is one of the variables which goes into my unique signature. What's the variance and/or tolerance rate of the device in this regard? If (for example) I set Nymi at my resting heart rate just after I wake up, will I be unable to use it just after a workout when my heartbeat is accelerated? What if I get a pacemaker installed or need heart surgery (as another dear friend of mine is undergoing this week)? Would those things change my characteristics to the point of needing to reset my Nymi -- and is such a reset possible?
  2. It's All About The Data. What, specifically, is being transmitted by the Nymi? Is it compared against a centrally-stored signature or is the authentication done in the local device? If there is a centralized store of data, then I would want to know how Nymi is protecting that data. If authentication is done locally in the Nymi device then I would expect that either a static or dynamic "go code" is sent to the authenticating system. If the code is dynamic (similar, for instance, to the random RSA token), what's the schema used to generate the random code to ensure it can't be spoofed? If it is static and tied to the individual Nymi device, then how is the code server secured? (Note: Nymi speaks often about its use of Bluetooth technology...but Bluetooth technology isn't foolproof or hackproof. :) )
  3. What's the Uplift?  The marketing campaign for Nymi is clearly geared to the consumer...but for this technology to work in as widespread a fashion as described there needs to be acceptance by enterprise-class users such as (for example) payment processors.  Given the highly-regulated nature of that industry (and the heightened level of  concern regarding data security these days), the questions listed in (2) above would have to be answered in meticulous detail before widespread adoption could take place.
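
The static versus dynamic "go code" question in item 2 can be shown from the verifier's side. This is an added example, not from the original post and not Nymi's design: it assumes an HMAC-SHA256 challenge-response as one common dynamic scheme, and the class names, the pairing key and the static code value are hypothetical.

```python
import hashlib
import hmac
import secrets

class StaticVerifier:
    """Option 1: one fixed code per device. Any recorded copy stays valid."""
    def __init__(self, code: bytes):
        self._code = code

    def verify(self, presented: bytes) -> bool:
        return hmac.compare_digest(presented, self._code)

class ChallengeVerifier:
    """Option 2: a fresh random challenge per attempt, usable exactly once."""
    def __init__(self, key: bytes):
        self._key = key
        self._pending = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._pending:      # unknown or already consumed
            return False
        self._pending.discard(nonce)
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)

def device_response(key: bytes, nonce: bytes) -> bytes:
    """Hypothetical wearable: answers only after matching its wearer locally."""
    return hmac.new(key, nonce, hashlib.sha256).digest()

def demo() -> dict:
    static_code = b"constructed-static-go-code"   # constructed sample value
    static = StaticVerifier(static_code)
    key = secrets.token_bytes(32)                 # shared at pairing (assumed)
    dyn = ChallengeVerifier(key)
    n1 = dyn.challenge()
    r1 = device_response(key, n1)                 # also what a recording holds
    return {
        "static_first": static.verify(static_code),
        "static_recorded_copy": static.verify(static_code),
        "dynamic_first": dyn.verify(n1, r1),
        "dynamic_same_challenge_again": dyn.verify(n1, r1),
        "dynamic_recording_vs_new_challenge": dyn.verify(dyn.challenge(), r1),
    }
```

The dynamic scheme still depends on the shared key being protected wherever it is stored, which is the same storage question item 2 asks about the code server.
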
Conclusions:  In an era where people are still using weak passwords and changing them infrequently,  convenient biometric solutions make sense; that being said, Nymi's marketing focus on privacy versus security leads me to believe that they mightn't be ready for security prime time just yet.  I would be reluctant to employ Nymi even on my personal devices until I got some answers to some fairly straightforward security questions...

...answers that, as of yet, aren't forthcoming.

My two cents...
