I read about this interesting new biometrics product, the Nymi bracelet from Bionym the other morning on the train, and at first I thought it sounded like a pretty smart solution to some of the problems with more conventional external biometrics.
But then I started thinking more about this, especially in light of an article I read by Glenn Fleishman about coping with the loss of a second factor device, and I started having doubts.
Lost or Broken Devices
No matter how good these things are, at some point it is likely that your bracelet will stop working or you'll misplace it. Now you are somewhat stuck, at least until you order a replacement. Perhaps we should all order a couple of these things.
Or you leave it at home (assuming that your car is not activated by it, which I think will take a while to catch on). When you get to the office you are locked out of your computer, and perhaps your phone too. So you can't call anybody to see where you left it, and you can't get anything done, other than to head home to retrieve it.
Alternatively, I guess we can keep the option of a password, but then the overall security is still only as good as that password. And if it is not one we use often, chances are pretty good it will need to be written down somewhere or be very simple to remember (and therefore equally simple to guess or crack). At that point the Nymi is providing convenience more than additional security. It is also important not to make the mistake of keeping that password in a password safe app on your phone, since you can't get in there either without your biometric band…
None of us like to think too much about what happens after we die, but it is inevitable that we will. And at that time our digital existence will likely become a part of our estate. For some things, mainly online services, it will be a relatively simple matter to take control of the assets even if access is controlled via biometric identity – the service can almost certainly switch the ownership as long as the data itself was not being encrypted with the biometric info. But what about your computer, or the hard drive that is encrypted using the biometric key? The key to decrypting them, your heartbeat, is gone. So all those files, perhaps family photos and videos, etc., are all lost too (assuming the encryption was strong enough to make a brute-force attack impractical).
With passwords, as long as you think about it ahead of time and put them in your will (as well as remembering to update them as needed), your executor has access to everything you want to allow them access to.
What about the disgruntled employee who locks up his computer or other files with one of these things, and then quits? Now you have potentially important information locked up and inaccessible unless you can persuade said former employee to unlock it for you.
OK, you could have policies in place to limit this kind of thing, but especially in smaller companies where there is less policy and more expectation that individuals will get things sorted out on their own, this could become a problem.
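The three scenarios above (the password fallback, the deceased owner, the departed employee) all come down to the same design question: is the disk's data-encryption key wrapped only under the biometric secret, or is there a second, independent slot that can still unlock it? The following is an added example, not code from the post or from Bionym, and it uses only the Python standard library. It models a volume header with one data-encryption key (DEK) wrapped under two key-encryption keys: one standing in for the secret a band-style device would supply, and one derived with PBKDF2 from a recovery passphrase that could live in a will or a company safe. The biometric secret and the passphrase are constructed placeholder values, and the wrap format (HMAC-SHA256 keystream with an encrypt-then-MAC tag) is this example's own, not the product's.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Constructed stand-ins (hypothetical, not values from the post): what a
# band-style device would supply, and a user-chosen recovery passphrase.
BIOMETRIC_SECRET = secrets.token_bytes(32)
RECOVERY_PASSPHRASE = b"correct horse battery staple"


def kek_from_passphrase(passphrase: bytes, salt: bytes) -> bytes:
    """Derive a 32-byte key-encryption key from a passphrase (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, 200_000, dklen=32)


def _keystream(kek: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 counter-mode keystream (HKDF-expand style), stdlib only."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(kek, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def wrap_key(kek: bytes, dek: bytes) -> bytes:
    """Encrypt-then-MAC wrap of a DEK under a KEK.
    Layout: 16-byte nonce || ciphertext || 32-byte HMAC-SHA256 tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(dek, _keystream(kek, nonce, len(dek))))
    tag = hmac.new(kek, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def unwrap_key(kek: bytes, blob: bytes) -> Optional[bytes]:
    """Verify the tag and recover the DEK; None if the KEK is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(kek, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))


def create_volume_header(biometric_secret: bytes, recovery_passphrase: bytes) -> dict:
    """One random DEK, wrapped independently under the biometric slot and the recovery slot."""
    dek = secrets.token_bytes(32)  # the key that actually encrypts the disk
    salt = os.urandom(16)
    return {
        "salt": salt,
        "slot_biometric": wrap_key(biometric_secret, dek),
        "slot_recovery": wrap_key(kek_from_passphrase(recovery_passphrase, salt), dek),
    }


def open_volume(header: dict,
                biometric_secret: Optional[bytes] = None,
                recovery_passphrase: Optional[bytes] = None) -> Optional[bytes]:
    """Try every slot the caller can satisfy; return the DEK, or None if none opens."""
    if biometric_secret is not None:
        dek = unwrap_key(biometric_secret, header["slot_biometric"])
        if dek is not None:
            return dek
    if recovery_passphrase is not None:
        kek = kek_from_passphrase(recovery_passphrase, header["salt"])
        dek = unwrap_key(kek, header["slot_recovery"])
        if dek is not None:
            return dek
    return None


def demo():
    header = create_volume_header(BIOMETRIC_SECRET, RECOVERY_PASSPHRASE)
    # Day to day: the band supplies the secret.
    dek_daily = open_volume(header, biometric_secret=BIOMETRIC_SECRET)
    # Band lost, broken, owner deceased or employee gone: only the recovery slot remains.
    dek_recovery = open_volume(header, recovery_passphrase=RECOVERY_PASSPHRASE)
    # Neither available: the data stays locked, which is the post's worst case.
    dek_none = open_volume(header)
    return dek_daily, dek_recovery, dek_none


if __name__ == "__main__":
    daily, recovery, nothing = demo()
    print("biometric slot opens:", daily is not None)
    print("recovery slot yields same DEK:", daily == recovery)
    print("no credential opens:", nothing is not None)
```

The recovery slot is exactly the password fallback the post describes, with the same caveat: the volume is now only as strong as that passphrase and its KDF, and the passphrase must be stored somewhere that does not itself depend on the band. For the employee case the same header design lets an organisation hold the recovery slot (key escrow) without ever holding the individual's biometric secret.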
Out of Business
While it sounds as though this band doesn't need any online support to function, you do face the issue of having to switch all the services you authenticate with it to something else should the company go out of business: if the device you have then fails, locking you out of your world, you will be unable to order a replacement.
This is probably true of any multi-factor solution, so it is not really a problem with the Nymi as much as something you need to think about when using something more technically complex than a password to protect your local world. Online services with two-factor authentication are less of an issue – not having access to their multi-factor mechanism doesn't matter if the service you were authenticating into is also gone!
Of course, if biometrics become an accepted component of schemes like OpenID or other services offering third party authentication, then you do have to consider what happens if the provider of your identity goes out of business. Again, that is true even without biometrics if you use a third party to provide your identity for a service and they go out of business.
Here's the thing… I am very tempted by it for the convenience. I have never liked more conventional biometrics because they always scared me a little. Perhaps those fears are unfounded; after all, what do I have access to that anybody would want badly enough to cut off or cut out parts of my body, or even to try to replicate? But they are there.
This is not something that could be removed from my body; that makes it a biometric solution I could live with. All I need to do is make sure I use it wisely and don’t use it to lock up anything I might one day want somebody else to be able to access easily…