SensiPass reinvents the knowledge factor to offer three-factor authentication
Knowledge-based authentication is blamed for many data breaches, and the weakness of traditional KBA systems has been one of the driving forces behind the growth of biometrics in recent years. Two-factor authentication is increasingly used, and the combination of biometrics and tokens in particular is being integrated in an effort to enhance security.
SensiPass began working on innovating the knowledge factor to make logging in easier for people with dyslexia. CEO Mike Hill told Biometric Update in an interview that he founded the company based on patents he filed in 2011, which he notes is even before he started hearing people talk about “killing the password.”
“There’s nothing exciting out there. People think they’re going to kill the password, but I don’t know a single system that has no passwords involved with it,” he says. The inclusion of a password generally means that a biometric control can be bypassed, and the entire system is vulnerable.
The knowledge factor is, in and of itself, not really the problem anyway, according to Hill. The password, rather, is an obsolete form of the factor, which causes numerous problems. Even beyond security, alphanumeric passwords are inconvenient for people with dyslexia and for the world’s many illiterate people, and are often resented by those who do not normally use the Roman alphabet.
“Instead of throwing out the knowledge factor altogether, we made it an interactive knowledge factor, and provided it in such a way that people can decide what they want to interact with, and their best mode of interaction,” Hill explains.
In one example, Hill describes using the SensiPass platform to take a biometric selfie. The user can then draw a figure on the selfie, and SensiPass normalizes the data to enable it to be compared to the enrolled figure. The company has also developed algorithms to apply the same principle to voice biometrics. The user can receive an audio prompt, and give a response which is measured both for biometric and knowledge data. Hill says the architecture is flexible enough to be applied to any biometric, in the way that makes sense for the given application.
“Give them something they can relate to,” he says. “Make it something that humans can relate to, that blind people, that deaf people can relate to, that everybody has a chance to use, and that’s the most human thing we have to prove our identity, and that’s how we interact. It’s something you keep in your head. You write it down and it’s a token, but this isn’t that easy to write down.”
Hill believes getting users to perform interactions such as drawing on a selfie will be an easy sell, and backs that view up with an example: “Snapchat is an application that enables users to draw on their selfies as a means of social expression. SensiPass enables users to draw on their selfies as a means to prove their identity.”
The security advantages of SensiPass’ knowledge factor go beyond what Hill characterizes as the tokenization of passwords, as well. The interaction between the different factors, and the fusion of their results, which drastically reduces false positives, is what separates it, he says.
“We turned it into one simple, elegant solution where the interaction can augment or it essentially modulates the biometric data,” Hill explains. “If someone manages to steal a face off of a database, it doesn’t matter. You’ll never be able to use it with SensiPass. You can’t do replay attacks with our product because it rejects an exact match because all three factors are dynamic.”
With these advantages, SensiPass will target the OEM market, and Hill notes that with the technology small enough to fit in a tiny corner of the OS chip, it can be embedded as a native capability in devices such as AR helmets. The company has been recognized by Citibank as a global finalist in the Tech4Integrity Challenge, and as the cybersecurity award winner for Deloitte’s Fast 50, and is now attempting to convert that momentum into revenue. While the company is based in Ireland, Hill has been in Washington talking with investors, federal agencies, and large-scale partners who he says understand the problem, and how to serve the technology to the right buyers.
“A stronger authentication should be applied to the heavy risks and heaviest exposures, which are critical infrastructure, energy, communications, defense, and they’re frustrated with the solutions they have right now and they’re looking for new solutions,” he says.
Hill also says this makes him bullish for SensiPass’ sales prospects in 2019. From there, he hopes the U.S. government market will act as a proving ground for the company’s technology.
With NIST clearly defining three factors, Hill expresses disbelief that two-factor authentication is so widely accepted as sufficient. Innovating the knowledge factor to make it a kind of interactive liveness test holds the promise articulated in the company’s slogan, that it “authenticates people, not just credentials.”