比指纹识别更保险的技术面世 用心电图当密码或将普及

    “我们生活在一个疯狂的世界里，”卡尔•马丁说。“在这个世界里，为了向我们的电脑证明我们是谁，我们必须得记住一长串字母和数字。”

    卡尔•马丁是生物体征辨识技术创业公司Bionym的CEO。不过他这句话只说对了一半。我敢肯定，我并不是唯一一个被密码搞得焦头烂额，只好把这项工作外包给密码管家的人。（目前我的密码管家里一共记载了112个不同用途的密码。）专家们认为唯一稳妥的保护密码的方式就是把它牢牢记在心里，不留下任何文字记录。但问题是谁能记得住这么多密码呢？

    Bionym公司致力于提供一种更加简明直观的方式来向你的数码设备、数据库和金融工具证明你的身份。今年秋天，这家公司将推出一款名叫Nymi的智能腕带，它能通过验证一个人的心电图特征来取代传统的密码。

    Bionym公司的野心还远远不止如此。未来的某一天，Nymi腕带的功能将更加强大。你离开家门的时候，它会自动关掉屋子的灯，锁好屋门；你做一个手势，车子就会自动启动。另外，它还能让餐馆自动记住你的名字，然后自动帮你付账——也就是说到时候钥匙、钱包、信用卡什么的，统统不必带在身上。

    但Nymi在身份认证领域也不乏竞争者。比如佛罗里达州棕榈滩花园的Sonavation公司就推出了一款叫做AxisKey的黑色腕带，可以利用超声波来确定一个人的身份信息。这款设备有望于今年六月中旬上市。

    随着科技的发展，旧有的身份识别技术已经发展到了盛极转衰的拐点。此时，Nymi和AxisKey为我们带来了新的生物体征辨识技术。而且，二者各自展示了自己特有的灵活性、持久性和安全性特点。这些解决方案能否获得日常用户的青睐？这个问题将对时下炒得火热的“物联网”产生极为深远的影响，它的重要性甚至远远超过所谓的智能冰箱和恒温控制器。

    这两款腕带的安全性据说都要超过市场上的同类竞争产品——说白了就是市面上的近9000万部带有指纹识别功能的iPhone 5S手机。Look Mobile Security公司的安全专家马克•罗杰斯曾经因成功破解了iPhone 5S的指纹识别功能而名噪一时，他使用的就是从手机屏幕上直接提取的指纹。Sonavation公司产品总监鲍伯•斯图瓦特表示，打败像iPhone 5S这样的身份识别系统只会变得越来越简单。他说：“人们几乎到处都会留下指纹，这已经是人人皆知的间谍伎俩了。”

    AxisKey从表面上看也是一部指纹扫描仪，但它所具备的独特的声纳技术将它推上了另一层高度。它不仅仅可以扫描指纹的表面纹路，还可以扫描它的3D轮廓，甚至是你指尖表皮下的血管的形状和运动情况。用户只需划动一两根手指，它就可以立即扫描所有相关信息，确定一个人的身份。

    Nymi的心电图身份识别技术则更加新奇，但它也有着深厚的理论基础。早在几十年前，医生们就发现每个人的心电特征都像指纹一样独一无二。于是，当时还是多伦多大学（the University of Toronto）医学系学生的马丁和另一位共同创始人弗特伊尼•亚格拉费欧蒂花了六年时间，建立了一种分析算法，分离过劳、心躁和咖啡因反应等变量导致的噪音。马丁说：“它可以说是Nymi验证算法的秘密武器。”（现在亚格拉费欧蒂已经与Bionym公司分道扬镳了。）

    Nymi的可用性和成功与否很大程度上将取决于其算法的优良程度。劳伦斯利物莫国家实验室（Lawrence Livermore National Laboratory）的研究工程师艾伦•卡普兰已经发表了好几篇检验心电识别技术的研究论文。不过即便在对自己的分析算法做了大量改进之后，卡普兰的研究还是发现，自己的算法在识别人们在不同状态下的心电数据时会有6%到7%的漏报率，比如在运动后，或者仅仅是过了一段比较长的时间。对此，卡普兰说：“这种漏报率是我们不得不忍受的，它可能随着用户群的增加而得以消弥，也可能需要系统留一个后门，但后者无疑会损害整个系统的诚信。”

    Bionym公司希望用几种方式解决这一挑战。首先，只有用户把Nymi腕带佩戴到手腕上的时候，它才能检测用户的心电图数据，而这一般都是在早上，也就是用户得到了良好的休息且心情平静的时候。在扫描的过程中，Nymi腕带会与一款移动设备进行连接，然后采用三因素认证法进行识别。马丁表示，犯罪分子要想伪装成一名Nymi的用户，就必须“偷到你的腕带，然后偷到你的手机，然后还得恰好赶上心电图扫描出现误报。”劳伦斯利物莫实验试的艾伦•卡普兰也说：“心电图是非常难以伪造的。”

    "We're living in a crazy world," Karl Martin says, "where, to prove who we are to our computers, we have to remember a long string of letters and numbers."

    Martin, the chief executive of the biometric identity startup Bionym, is only half right. I'm sure I'm not the only one who has given up actually remembering my passwords and outsourced the job to a password manager. (Current tally: 112 separate strings of letters and numbers.) Experts agree that the only reliable way to secure a password is to memorize it so there is no record. But, really. Come on.

    Bionym is hoping to shape a more sensible and intuitive way of proving your identity to devices, databases, and financial instruments. In the fall, Bionym will release the Nymi, a wristband that replaces conventional passwords with a reading of a person's electrocardiogram pattern.

    But Bionym is dreaming bigger. One day, the Nymi could turn out the lights when you leave the house, lock the front door, start your car with a gesture, help a restaurant remember your name, then let youbiometric identity pay for your meal -- all with empty pockets.

    The Nymi has competition for the role in that future scenario. One contender is a small black fob called the AxisKey, made by Palm Beach Gardens, Fla.-based Sonavation, that uses ultrasound to authenticate a person. The device is expected to go on sale in mid-June.

    Nymi and AxisKey are introducing new biometric identity technology just as old solutions have reached their breaking point, and each offers a different mix of flexibility, persistence, and security. How (and whether) these sorts of solutions catch on with everyday users could have a more profound impact on the much-hyped "Internet of Things" than all the smart refrigerators and thermostats in the world.

    Both products are touted as more secure than their existing competition in the consumer market -- namely, the nearly 90 million iPhone 5s handsets that come with a fingerprint sensor. The iPhone's scanner was famously spoofed within days of its release by Marc Rogers of Lookout Mobile Security, who lifted a print directly from the screen of the phone he cracked. Bob Stewart, chief product officer for Sonavation, says that beating that sort of system will only get easier. "You leave your fingerprints everywhere," he says. "That's spycraft 101."

    AxisKey is superficially a fingerprint scanner, but its sonar-based technology makes it a whole different animal. It reads not just the surface of fingerprint ridges, but the three-dimensional contours below them, and even the shape and motion of blood vessels beneath the surface of your fingertips. It maps all of this data, then confirms identity when a user swipes a finger or two. (You can watch a surreal fly-by of a fingerprint scanned by Sonavation here.)

    Nymi's ECG-based system is more novel, but it has deep roots -- doctors have known for decades that each person's heart emits an electrical pattern at least as unique as a fingerprint. Martin and co-founder FoteiniAgrafioti, then doctoral students at the University of Toronto, spent six years creating an analytic algorithm to separate that signal from the noise of variations like exertion, agitation, and caffeination. "This is sort of the secret sauce in [the Nymi's identification] algorithm," Martin says. (Agrafioti is no longer affiliated with Bionym.)

    Nymi's usability and success will depend a lot on how good that algorithm is. Alan Kaplan, a research engineer at Lawrence Livermore National Laboratory, has published several studies examining ECG recognition. But even after extensive refinement of his own analytic algorithm, Kaplan's research found a 6 to 7% rate of false negatives in matching the ECG patterns of individuals in different states, such as after exercise, or even just across a long time-span. "These error rates are what you have to live with," Kaplan says. That could end in aggravation for users, or require backdoors that would defeat the integrity of the whole system.

    Bionym is hoping to overcome that challenge in a few ways. The Nymi will scan a person's ECG only when it is worn on the wrist, likely most often in the morning when they are calm and rested. During the scan it will connect with a mobile device and use three-factor security to do so. To pose as a Nymi user, according to Martin, an attacker would need to "steal your wristband, and then steal your phone, and then they need to have a false positive [matching ECG pattern]." And as Livermore's Alan Kaplan points out, "An ECG is very difficult to counterfeit."