Nymi & PingID: Exploring a Confluence of Authentication Trends

March 8, 2016

Authentication technologies and models are not standing still. Several exciting trends in the space are promising to completely revolutionize how enterprise employees, customers and consumers are authenticated.


Let's take a look at some of these trends:


  • Local: The validation of some credential is performed on the client, versus on the server (e.g., a password validated by a web site versus a PIN that unlocks a phone).
  • Biometrics: Traditionally referred to as a 'something you are' authentication factor, this is verification of some inherent physical characteristic of the user against a previously established template.
  • Continuous: Minimization of the frequency with which we expect users to explicitly sign on, and instead rely on invisible and passive collection and comparison of security tokens or signals as the means of authenticating them.
  • Mobile: Relying on a user's access to and control of a mobile communication channel as a way to authenticate them. This has historically been done in the form of one-time passcodes (OTPs) sent to the user via SMS. But security limitations have led to the emergence of models that rely on the push notification services of Apple and Google--and on specialized applications on the phone.


These trends all either complement or enable each other in some way. Here's what we mean:


  1. Many of the privacy risks associated with biometric authentication can be mitigated by comparing the measurement to the template locally (the model standardized by the FIDO Alliance).
  2. Mobile devices are adding support for biometric hardware (e.g. iPhone's TouchID sensor and similar fingerprint scanners in Samsung and HTC phones).
  3. When combined with geolocation or velocity checks, mobile application solutions like PingID can enable passive (and theoretically) continuous validation of user identity.


Ping recently worked with Canadian company Nymi™ to demonstrate an integration that ties together all of the above authentication trends. The Nymi Band™ measures the ECG from its user's wrist, and with the help of a companion app on a nearby phone, compares the measurement to a previously established template for that user's ECG.

Biometrics? Check. Local? Check.


Now, the dual challenge of local authentication, whether biometric or otherwise, is a) how the server prompts or challenges the client to perform a local authentication, and b) how to communicate the fact of that authentication back up to the server. Why? Because the associated identity attributes and policies sit at the server.

The FIDO Alliance--of which Nymi and Ping are sponsor members--offers UAF and U2F protocols that feature one model for addressing this challenge. If the local authentication (possibly biometric) is successful, then a private key is made available to sign a challenge issued by the authentication server.

The default FIDO model presumes that the authentication challenge issued by the server is delivered to the client via the application channel, by which the user interacts with the application on the server. But many authentication schemes rely on a separate mobile authentication channel distinct from the application channel as a means of interacting with users and their devices. These authentication schemes provide a mechanism that's different from default FIDO model, by which the server can both initiate a local authentication on a client and be subsequently informed of the user's successful local authentication.

In the Ping/Nymi Band PoC, this mobile authentication channel is enabled by PingID. When the authentication server decides to have the user authenticate via that separate mobile channel, a notification is sent through a push service to launch the PingID app on the device.

Mobile? Check.

The last item on the checklist is continuous authentication, which is provided by the Nymi Band. Once the user authenticates to the band via their ECG, a secure session is established with the Nymi companion app. Until that session expires, or the user removes the band and interrupts its continuity circuit, the user doesn't need to explicitly authenticate again.

Continuous? Check.

So let's see how everything fits together. Here's a visual of the authentication flow with some details on the steps of what's happening, based on a typical day at the office:



  1. The user shows up to work and authenticates to the Nymi Band, starting a continuous authentication session.
  2. Later, the user accesses an application in a browser on their workstation (PingFederate acts as the IdP and authenticates the user via password against AD).
  3. Based on policy, PingFederate asks PingID to authenticate the user via their registered mobile device.
  4. PingID sends a push notification to the user's phone.
  5. Through its integration of the Nymi SDK, the PingID app can learn from the Nymi Band that the user is present and authenticated without the user needing to perform any actions.
  6. PingID reports that the user was successfully authenticated via the Nymi Band.
  7. PingID reports back to PingFederate that the mobile authentication was successful.
  8. The user is given appropriate access to the application, now successfully authenticated by:
    • password
    • possession (+optional location) of the phone
    • proximity of the phone
    • possession of the band
    • the biometric of the ECG



Ping's future vision for adaptive authentication is one where usability doesn't need to be sacrificed for security. Explicit user sign-ons will become the exception rather than the norm where, for instance, a password becomes a step-up authentication and not the default. Leveraging the capabilities of devices for privacy-respecting biometric authentication, as standardized by FIDO and implemented through the Nymi Band, will certainly help make that future a reality.