Keyless execs tout privacy protections of combined FIDO and server-side biometrics
Decentralization and novel encryption methods are coming to the rescue of privacy-preserving biometric authentication, Keyless executives Paolo Gasti and Gal Steinberg suggested during a recent Biometric Update webinar.
Authentication processes have traditionally operated on a server in the cloud, or on the user’s own device, with each approach introducing its own drawbacks. Server-based authentication raises the possibility of data misuse or breaches, while device-based authentication poses problems around what happens if a device is lost or stolen, and how to prove the identity of the person behind the device.
Keyless’ approach to privacy-enhancing biometrics is based on encrypted biometric data stored on a server, which can only be decrypted with a request that is processed locally, attendees of ‘One selfie to rule them all’ heard. This gives Keyless the only authentication method certified by FIDO, while incorporating the strengths of server-side processing, such as account recovery.
Steinberg delved into how distributed biometrics can help consumer-facing organizations authenticate their customers, and their potential applications for passwordless employee authentication and sign-ins to shared workspaces like POS devices.
Gasti explained how Keyless uses proprietary protocols to provide selfie biometrics with passive liveness checks to generate zero-knowledge proofs.
“Usually, in a traditional system, you would have to decrypt this data, compute some distance functions, see whether the two are close enough or not, and come to a decision,” he explains. “This would imply that this data is exposed to the service that is performing this matching. We at Keyless started our journey exactly to prevent this, to avoid this issue. The way in which we achieve this is by using a protocol, by using a system, that allows us to compare data without the need to decrypt it.”
The highly engaged audience posed a series of questions about how Keyless protects against injection attacks, about cross-platform interoperability, and about how it can be used in systems for compliant payments and other applications.
During the discussion, Keyless tipped a future product release and addressed how far the elimination of passwords can go.