Yoti files patent to encrypt browser identity verification for enhanced security
London-based digital identity firm Yoti has filed a patent in the UK for a novel way to counter the loopholes that can allow injection attacks in web browsers during identity verification with biometrics and other data. The new SICAP (Secure Image Capture) product not only obfuscates the code being sent, an approach used by other providers, but adds a cryptographic signature key to the code being sent to increase security by a significant magnitude.
“You can picture this as trying to find a key in the ocean – pretty difficult – but also that key gives you access to an ever-changing maze,” Yoti’s CTO Paco Garcia tells Biometric Update in an interview. “So once you find the key, the whole game changes. We can also configure how quickly that maze changes: every few days, every few hours, every few minutes.”
Customers are showing a preference for the straightforward approach of passive liveness detection tests when proving their ID: “People want an experience closer to taking a selfie – very quick,” says Garcia. This is instead of going through more steps – and more friction – for the more secure active liveness format. Yoti believes its solution, which allows a simpler passive-like process to be far more secure than at present, could be of interest to a wide range of online providers.
Hackers use injection attacks to insert their code into an IT system as it sends or receives data, allowing the bad actor to either intercept data or send incorrect data. Native applications on Android or iOS can incorporate tools which can detect injection attacks, while web browsers have been vulnerable to such attacks in identity verification.
Obfuscation, where either selected modules of data or the whole payload are altered via encryption or other manipulation, has been one way to try to outsmart hackers. The level of obfuscation is configurable, so companies that need a higher level of assurance can choose a higher level of obfuscation.
“Or you could have an age-verification site and they want to do these checks very quickly and they’re not bothered if typically one in a million people goes through,” says Garcia.
Hackers find ways to reverse-engineer obfuscated data. Yoti’s approach of adding an entire extra layer with a cryptographic signature means hackers would have to reverse-engineer the obfuscation and then infer the cryptographic signature key. And the key can keep changing, so by the time a hacker manages to reverse-engineer the obfuscation, the key has moved on – the ever-changing hidden maze.
Users would not notice any of the changes going on under the hood, although Garcia acknowledges it is a heavy process, as it involves cryptography and is potentially heavy in terms of data, depending on whether a low-resolution image would suffice or a 1080p webcam photo is needed, for example if OCR has to be conducted.
“The commercial interest has been there for a while,” says Garcia. “This is an unresolved issue when using passive liveness in web browsers. Until this gets resolved, we’re not going to see high level of assurance passive anti-spoofing systems going on browsers, so this really is an enabler.”
Businesses which already have passive liveness in native applications but also have a web platform are showing interest. Yoti says those include online gaming and social media platforms, not just very high security financial sector firms.