Kill the password. And the PIN. And the car key.

by David Z. Morris @FortuneMagazine May 1, 2014, 7:34 PM EDT

Bionym’s Nymi uses a person’s cardiac rhythm to authenticate them.

FORTUNE — “We’re living in a crazy world,” Karl Martin says, “where, to prove who we are to our computers, we have to remember a long string of letters and numbers.”

Martin, the chief executive of the biometric identity startup Bionym, is only half right. I’m sure I’m not the only one who has given up actually remembering my passwords and outsourced the job to a password manager. (Current tally: 112 separate strings of letters and numbers.) Experts agree that the only reliable way to secure a password is to memorize it so there is no record. But, really. Come on.

Bionym is hoping to shape a more sensible and intuitive way of proving your identity to devices, databases, and financial instruments. In the fall, Bionym will release the Nymi, a wristband that replaces conventional passwords with a reading of a person’s electrocardiogram pattern. But Bionym is dreaming bigger. One day, the Nymi could turn out the lights when you leave the house, lock the front door, start your car with a gesture, help a restaurant remember your name, then let you pay for your meal — all with empty pockets.

The Nymi has competition for the role in that future scenario. One contender is a small black fob called the AxisKey, made by Palm Beach Gardens, Fla.-based Sonavation, that uses ultrasound to authenticate a person. The device is expected to go on sale in mid-June.

Nymi and AxisKey are introducing new biometric identity technology just as old solutions have reached their breaking point, and each offers a different mix of flexibility, persistence, and security.
How (and whether) these sorts of solutions catch on with everyday users could have a more profound impact on the much-hyped “Internet of Things” than all the smart refrigerators and thermostats in the world.

Both products are touted as more secure than their existing competition in the consumer market — namely, the nearly 90 million iPhone 5s handsets that come with a fingerprint sensor. The iPhone’s scanner was famously spoofed within days of its release by Marc Rogers of Lookout Mobile Security, who lifted a print directly from the screen of the phone he cracked. Bob Stewart, chief product officer for Sonavation, says that beating that sort of system will only get easier. “You leave your fingerprints everywhere,” he says. “That’s spycraft 101.”

AxisKey is superficially a fingerprint scanner, but its sonar-based technology makes it a whole different animal. It reads not just the surface of fingerprint ridges, but the three-dimensional contours below them, and even the shape and motion of blood vessels beneath the surface of your fingertips. It maps all of this data, then confirms identity when a user swipes a finger or two. (You can watch a surreal fly-by of a fingerprint scanned by Sonavation here.)

Nymi’s ECG-based system is more novel, but it has deep roots — doctors have known for decades that each person’s heart emits an electrical pattern at least as unique as a fingerprint. Martin and co-founder Foteini Agrafioti, then doctoral students at the University of Toronto, spent six years creating an analytic algorithm to separate that signal from the noise of variations like exertion, agitation, and caffeination. “This is sort of the secret sauce in [the Nymi’s identification] algorithm,” Martin says. (Agrafioti is no longer affiliated with Bionym.)

Nymi’s usability and success will depend a lot on how good that algorithm is.
Alan Kaplan, a research engineer at Lawrence Livermore National Laboratory, has published several studies examining ECG recognition. But even after extensive refinement of his own analytic algorithm, Kaplan’s research found a 6 to 7% rate of false negatives in matching the ECG patterns of individuals in different states, such as after exercise, or even just across a long time-span. “These error rates are what you have to live with,” Kaplan says. That could end in aggravation for users, or require backdoors that would defeat the integrity of the whole system.

Bionym is hoping to overcome that challenge in a few ways. The Nymi will scan a person’s ECG only when it is worn on the wrist, likely most often in the morning when they are calm and rested. During the scan it will connect with a mobile device and use three-factor security to do so. To pose as a Nymi user, according to Martin, an attacker would need to “steal your wristband, and then steal your phone, and then they need to have a false positive [matching ECG pattern].” And as Livermore’s Alan Kaplan points out, “An ECG is very difficult to counterfeit.”

Other security risks are sure to emerge, though, at the many points where identity systems connect and share data with other systems. Both the Nymi and AxisKey only store a person’s biometric data locally on the device, under heavy encryption. Nymi is going a step further by making its product open-source and challenging white-hat hackers to have a go at it. “If someone finds a flaw, we can address it right away.” (Marc Rogers, who defeated the iPhone 5s sensor, has already signed up to get a Nymi on release.)

The success of these systems will depend at least as much on usability and integration as on superior security. So far, that has been another major failing of the iPhone 5s scanner — its only current use is to unlock iPhones and confirm purchases within Apple environments.

By contrast, both Bionym and Sonavation are aggressively pursuing partnerships, hoping to build entire ecosystems with their devices at the core. Both companies are working with the Fast Identity Online Alliance, or FIDO, which is working to set standards for non-password authentication with support from PayPal and Google. Bionym is in talks with airlines hoping to provide smoother passenger experiences, as well as with auto manufacturers. Sonavation is partnering with ATM manufacturers; HID Global, who makes high-security systems for clients like banks; and RSA, who makes the grey random-number-generating fobs used by high-clearance government contractors.

That contrast in each company’s partners points to their different target customers — everyday consumers for Bionym, higher-end enterprises (and high net-worth individuals) for Sonavation — and the different uses for each technology: While AxisKey’s discrete key-like function is fine for locks and logons, Nymi’s always-on identity offers entirely new uses oriented to convenience and personalization. “The other biometrics are really transactional in nature,” Bionym’s Martin says. “There’s no persistence to that trust.”

Persistence will let the Nymi key in to ambient smart home controls and tailor consumer and hospitality experiences. The Nymi will also support gesture-based interactions, allowing users to communicate their desires to devices more clearly, such as by twisting their wrist to start a car, or to distinguish between locking and unlocking a door.

Add to that the Nymi’s more stylish design and its commitment to open source, and it’s easy to pick it as the device poised to capture the imagination (and dollars) of Google Glass-wearing early adopters. That is, of course, if Bionym can overcome the variability issues with ECG verification.

But AxisKey is only a first step for Sonavation, which is producing the keyfob as it transitions from government and defense markets — to which it was prepared to sell about a million of its sonar-scanning chips a month — to working with mobile device manufacturers, which have said they’d need more than 10 times that to serve the broader market. (Sonavation’s Stewart says that when he first heard the numbers in a meeting with a phone manufacturer, “I had to pick my jaw up off the floor.”)

In the future, we may find ourselves using a variety of biometric solutions to secure our identity. Will they make life more comfortable and seamless? We’ll find out. Whatever the case, I’ll take it over my 112 passwords.