Keyless opens doors for software biometrics with FIDO2 certification, says co-founder
Months after Keyless became the first company to earn certificates for compliance with FIDO2 and FIDO Biometric Component standards for its biometric security platform, executives at the company tell Biometric Update the two developments show that software developers can also enter the biometrics field and shed their reliance on local authentication technology while remaining secure.
Gal Steinberg, VP of product at Keyless, says beyond being the first vendor to be certified for both FIDO2 and FIDO Biometric standards, the achievement demonstrates a stamp of approval from FIDO that they are the first FIDO2 compliant biometric solution that does not perform biometric authentication locally, but on a distributed network operated by Keyless.
“This means that FIDO sees in our technology a technology that is as secure as local authentication, but can provide some solution to the gaps that maybe FIDO2 has around backup and recovery, and multiple devices and so on,” Steinberg says. “It is the first time FIDO is certifying a biometric vendor that doesn’t do local authentication. It is certifying it because the unique way we do it doesn’t compromise on security and piracy,” he adds.
Paolo Gasti, CTO and co-founder of Keyless, notes the significance of FIDO’s privacy guarantees, and how they emphasize the local storage of biometrics. But he says this carries restrictions: each device must be enrolled separately, and there are no backups. “With Keyless, we are the only ones with this kind of technology that merges the privacy properties of a fully local biometric system with the features you would have on a system that stores the biometric outside of the device,” he says.
The Keyless biometric platform allows users to authenticate their identity with a cloud-based multi-factor check via facial authentication with liveness detection. The company claims that it is device-independent and system-agnostic, so it does not require local authentication technology embedded in the hardware of devices. Keyless uses secure multi-party computation, a type of advanced cryptography, to process authentication requests in a distributed cloud environment. Personally identifiable information, such as encrypted biometric templates, is not stored on the device or on servers, which minimizes the risk of it being compromised, lost or stolen in a data breach, leak or hack, the company says. Users of Keyless create a universal biometric profile that they can share across many devices and accounts, which the company says prevents shared users or bad actors from intruding on local device security with fraudulent biometrics.
Keyless points to problems with scalability, inconsistent UX and security, low identity assurance, and associated cost issues in local authentication technology. As an example of how Keyless seeks to rectify the user experience, Steinberg says that with Keyless all users get the same user experience regardless of device or biometric option. With Keyless, the biometric template can be recovered and protected, whereas with local authentication, losing the device that stores the biometric template means the template is lost as well.
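To make the distributed-authentication idea above concrete, here is an added toy example (not Keyless's code or protocol, whose details are not public on this page) of the general technique the article names: secure multi-party computation over additively secret-shared data. The enrolled template and each fresh probe are split into random shares across several servers; the servers compute the squared distance between them using Beaver triples and open only that one number, so no single server ever holds the template, and the device keeps nothing persistent. The field prime, the number of servers, the match threshold, the trusted dealer that hands out triples, and the short integer vectors standing in for templates are all assumptions chosen for the demonstration.

```python
import secrets

# Field prime for additive secret sharing (assumption: any large prime works;
# template values are far smaller than P, so distances never wrap around).
P = 2**61 - 1
N_SERVERS = 3  # assumed number of non-colluding servers

# Constructed sample data: an enrolled "template" and two probes, as short int vectors.
ENROLLED_TEMPLATE = [12, 7, 30, 5, 18, 22, 9, 14]
PROBE_GENUINE = [11, 8, 29, 5, 19, 21, 9, 15]
PROBE_IMPOSTOR = [3, 25, 10, 20, 2, 30, 27, 1]
MATCH_THRESHOLD = 10  # assumed squared-distance threshold for a match


def share(x, n=N_SERVERS):
    """Split x into n additive shares mod P; any n-1 of them are uniformly random."""
    shares = [secrets.randbelow(P) for _ in range(n - 1)]
    shares.append((x - sum(shares)) % P)
    return shares


def reconstruct(shares):
    """Recombine additive shares; requires all n of them."""
    return sum(shares) % P


def share_vector(vec, n=N_SERVERS):
    """Share every element; returns one list per server (server i gets shares[i])."""
    per_elem = [share(v % P, n) for v in vec]
    return [[per_elem[j][i] for j in range(len(vec))] for i in range(n)]


def beaver_triple(n=N_SERVERS):
    """Shares of (a, b, a*b) from a trusted dealer (stands in for a real MPC preprocessing phase)."""
    a, b = secrets.randbelow(P), secrets.randbelow(P)
    return share(a, n), share(b, n), share(a * b % P, n)


def mul_shares(x_sh, y_sh, triple):
    """Beaver multiplication: from shares of x and y, produce shares of x*y.
    Only the masked values d = x - a and e = y - b are opened; they reveal nothing about x or y."""
    a_sh, b_sh, c_sh = triple
    n = len(x_sh)
    d = reconstruct([(x_sh[i] - a_sh[i]) % P for i in range(n)])
    e = reconstruct([(y_sh[i] - b_sh[i]) % P for i in range(n)])
    out = []
    for i in range(n):
        z = (c_sh[i] + d * b_sh[i] + e * a_sh[i]) % P
        if i == 0:  # the public term d*e is added by exactly one server
            z = (z + d * e) % P
        out.append(z)
    return out


def shared_sq_distance(enrolled_sh, probe_sh):
    """Servers compute shares of sum((x_j - y_j)^2) without ever seeing x or y."""
    n, dim = len(enrolled_sh), len(enrolled_sh[0])
    acc = [0] * n
    for j in range(dim):
        diff = [(enrolled_sh[i][j] - probe_sh[i][j]) % P for i in range(n)]  # linear step: local
        sq = mul_shares(diff, diff, beaver_triple(n))  # one multiplication per element
        acc = [(acc[i] + sq[i]) % P for i in range(n)]
    return acc


def sq_distance(u, v):
    """Plaintext reference, used only to check the MPC result."""
    return sum((a - b) ** 2 for a, b in zip(u, v))


def enroll(template, n=N_SERVERS):
    """Enrolment: the device shares the template and discards it; each server keeps one share list."""
    return share_vector(template, n)


def authenticate(server_shares, probe, threshold=MATCH_THRESHOLD):
    """The device shares the fresh probe; servers compute the distance; only the distance is opened."""
    probe_sh = share_vector(probe, len(server_shares))
    dist = reconstruct(shared_sq_distance(server_shares, probe_sh))
    return dist <= threshold, dist


if __name__ == "__main__":
    stored = enroll(ENROLLED_TEMPLATE)
    print("server 0 holds:", stored[0][:3], "... (uniformly random, not the template)")
    print("genuine :", authenticate(stored, PROBE_GENUINE))
    print("impostor:", authenticate(stored, PROBE_IMPOSTOR))
```

The property worth noticing is which party sees what: each server's stored share is statistically independent of the template, so a breach of one server discloses nothing biometric, while the template can still be recovered when all servers cooperate, which is why losing the device does not lose the enrolment. A production system would replace the trusted dealer with a real preprocessing protocol and add liveness checks and authentication of the device, none of which this toy covers.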
Gasti comments that Keyless represents a departure from previous solutions based on purely local biometrics and local hardware, and shows that the industry can have secure, private biometric systems that are as private as the currently FIDO-certified systems. “The signal to the market is that what was not considered feasible in the past is now something that can be done. This is just one validation of our underlying technology; one strong signal to what we can do with biometrics and cryptographic technology. We think it is a great validation of our path and our architecture for this.”
He further says that the industry widely viewed Keyless’ techniques as inapplicable to phones due to batteries and limited CPU power. “Phones today are fast, but they aren’t supercomputers,” he remarks. But with Keyless, Gasti claims that phones can be secured and authenticate users within hundreds of milliseconds.
“Now that this exists, it opens up a lot of doors. Before our technology existed, there was simply no way to do what we are doing,” Gasti says. He says it is an evolution of strong privacy for biometrics and interoperability, and it is “natural” that the two ideas converged. Gasti admits Keyless is likely not the first firm to conceive of the idea, but says there is no other vendor that can offer anything at the level the company offers, due to the complexity and uniqueness of the issue. “The fact that no other vendor is offering the same thing is a testament to the fact that this was considered impossible. This is still considered quite hard, no one has been able to crack it other than us, to my knowledge, as of today.”