UK high-street bank Halifax has announced that it is trialing the use of heartbeat recognition technology as a means of authentication for online banking services.
The process involves the use of the Nymi wristband, a wearable still in the developmental stage. The band has an electrocardiogram (ECG) sensor that can capture the user’s heartbeat data with the touch of a finger. This personal biometric data is then stored in an encrypted form on a companion authorized authentication device (AAD) which has the Nymi app installed.
In the case of the solution which Halifax is trialing, the band pairs with a user’s AAD via Bluetooth. Once the band and banking app have established a connection, the ECG reading of the user is taken by the wristband, and checked against the stored profile.
According to the developer, this three-factor system of authentication “will remain resilient to impersonation as long as at least one factor has not been compromised.” It adds that, “impersonation of another person’s ECD is exceedingly difficult to execute.”
Reacting to the announcement, NetIQ’s senior director Geoff Webb said: “The objective here is to make it as hard as possible for a criminal to impersonate the customer. Heartbeat or ECG scanning would certainly raise the bar in terms of complexity. This is because it requires a ‘live’ participant rather than relying on a static image or imprint which could be more prone to fraud.
“Of course adding complexity can open up other vulnerabilities in the system so, as is always the case, much will depend on the final implementation.”
The announcement from Halifax comes at a time when many organizations are looking for viable alternatives to passwords as a means of authentication. Recent developments have seen behavioral and contextual factors put forward as a possible solution, while Microsoft will bring alternative authentication methods to Windows 10.
However, there is concern that certain biometric technologies, particularly fingerprint scanning, are highly vulnerable to fraud. Back in 2013, Apple’s Touch ID solution was hacked by the Chaos Computer Club using nothing more than a camera, printer and finger-shaped mold.