August 6, 2015
The iris and retina aren’t the only useful eye-based biometrics available. The veins in the whites of the eye, the sclera, are highly distinctive and can be used to create a unique biometric template.
EyeVerify is a Kansas City, Mo., company whose software is enabling app developers and phone makers to take images of the sclera with regular smartphone cameras to verify the identity of users. EyeVerify’s Eyeprint ID software lets individuals open their mobile devices, log into an application, or verify a mobile payment just by looking at their phone.
Biometric authentication using existing camera technology
According to Chris Barnett, EyeVerify’s EVP of Global Marketing and Sales, EyeVerify’s solution doesn’t require a specialized device like an infrared-illuminated camera to capture the iris, making it especially attractive for phone makers that want to add security features.
He said, “OEMs have to decide: Do they want to add another camera to the phone and design around its weight and thickness? Or do they just want to have software that just uses the selfie camera?”
Additionally, sclera readings could provide a way for app developers to verify identity across different devices, not just premium smartphones. TouchID on the iPhone, for instance, works for the Apple ecosystem, which includes Apple Pay, but many companies can’t rely on their customers to have a specific piece of hardware.
A financial institution’s online banking app, for instance, has to support thousands of different devices, making it important that biometric authentication work with existing hardware.
In February, Eyeprint ID password-free mobile bank account access became available to 800 small and medium-sized banks and credit unions through a deal with Digital Insight, a division of NCR financial services, which provides banking technology to institutions that can’t afford to create their own solutions in-house. “Their platform allows any one of them to just push a button and just turn on EyePrint without doing any integration or signing a contract with us. They get it through Digital Insight, pre-integrated and ready to go,” Barnett said.
This technology, which works with most smartphone cameras, is especially relevant for emerging markets. Chinese mobile device maker ZTE incorporated Eyeprint ID into its ZTE Grand S3 smartphone for password-free unlocking earlier this year, and EyeVerify also has partnerships with Chinese phone makers Vivo and TCL. In June, Vodafone’s Mobile Wallet app in Turkey added EyeVerify technology to make secure mobile payments without requiring a password.
Keeping data securely on the device
Verification employs digital templates that are encoded with mathematical and statistical algorithms, and it keeps the data on the device rather than on an external cloud or traditional server.
“Biometric data never leaves the device. People think the cloud is really secure, but we see every day that there’s an example of an egregious hack of somebody’s files,” Barnett said. “With EyePrint ID, everything is localized. Any particular attack is only affecting one particular phone and one particular person, there’s nowhere else our users’ data is kept – just the one device.”
On the device, the unique sclera patterns are not stored as raw images, but rather as an encrypted template containing around 100 dimensions that contribute meaningfully to the biometric matching process. The software then adds 400 “chaff points” to the template: garbage data points that intruders cannot distinguish from the genuine points, effectively hiding the data points that matter.
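The chaff idea can be sketched in a few lines. This is an added illustration, not EyeVerify's algorithm: the 2-D point representation, the grid size and the match tolerance are assumptions, all data is constructed, and matching is done in the clear rather than in the encrypted space.

```python
import math
import random

GENUINE, CHAFF = 100, 400  # point counts quoted in the article
GRID = 1 << 16             # assumed coordinate range per axis (hypothetical)
TOL = 64                   # assumed match tolerance (hypothetical)

def random_points(n, rng):
    return [(rng.randrange(GRID), rng.randrange(GRID)) for _ in range(n)]

def enroll(rng):
    """Return (genuine, template); only the shuffled template would be stored."""
    genuine = random_points(GENUINE, rng)
    # Chaff is drawn from the same distribution so it is not separable by value.
    template = genuine + random_points(CHAFF, rng)
    rng.shuffle(template)  # storage order must not reveal which points are real
    return genuine, template

def noisy_capture(genuine, rng, jitter=20):
    """Constructed stand-in for a fresh capture: genuine points plus sensor noise."""
    return [(x + rng.randint(-jitter, jitter), y + rng.randint(-jitter, jitter))
            for x, y in genuine]

def match_score(probe, template):
    """Count probe points within TOL of any stored point (real or chaff)."""
    return sum(
        any(abs(px - tx) <= TOL and abs(py - ty) <= TOL for tx, ty in template)
        for px, py in probe
    )

def subset_guess_bits():
    """log2 of the ways to pick the 100 genuine points out of the 500 stored."""
    return math.log2(math.comb(GENUINE + CHAFF, GENUINE))

if __name__ == "__main__":
    rng = random.Random(2015)  # fixed seed: constructed data, repeatable run
    genuine, template = enroll(rng)
    print("stored points:", len(template))
    print("same eye score:", match_score(noisy_capture(genuine, rng), template))
    print("other eye score:", match_score(random_points(GENUINE, rng), template))
    print("bits to guess the genuine subset: %.0f" % subset_guess_bits())
```

The last figure is an upper bound on blind guessing of the exact genuine subset; it holds only if chaff and genuine points are statistically indistinguishable, which is the property the article attributes to the stored template.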
Furthermore, during authentication the verification template and the enrollment template are matched in the encrypted space without exposing either one. Additionally, it’s extremely difficult to trick Eyeprint ID readings with an image or reproduction of a person’s sclera because the software randomly changes camera settings such as focus, exposure, and white balance to look for an appropriate response from a real subject.
Because eye vein patterns change very slowly over time, and software can account for changes due to alcohol consumption or allergies, sclera imaging is a very attractive biometric. This allows EyeVerify to generate an encryption key from the eye biometric alone.
“Typically, biometrics can’t do this because it’s slightly different every time,” Barnett said. “This is very unique to us, and comes as a requirement from a lot of our use cases. In order to completely replace the password, we need to generate some kind of token or encryption key and that’s why we can be the primary factor in step-up authentication.”
Future implementations and use cases
In the future, Barnett said, solutions like Eyeprint ID will enable a broad range of use cases as phones are used for more and more things, replacing car and house keys, wallets, and identification cards. “People will use their phone as their personal identification and access control tool.”
For now, EyeVerify is focusing on getting its technology in mobile phones and online banking applications, and Barnett said there will be multiple announcements in these sectors this calendar year.