Independent analysis shows robust security of FaceTec’s biometric UR Codes

FaceTec’s UR Code protocol, which provides digitally-signed biometric barcodes, has aced a cybersecurity assessment from independent evaluator Praetorian Security Inc.

Praetorian performed a rigorous reverse engineering analysis of the UR Code SDK, and found no risk issues in any of its “critical,” “informational,” “low,” “medium,” or “high” categories. The evaluation focused on identifying internal hashing mechanisms, encryption keys and customer PII, according to the company announcement.

A “risk-informed security assessment” found one informational issue with the security of the cryptographic operations, which is that “Issuing Authorities need to ensure they are using the correct OpenSSL commands when generating their own Private Keys.” One medium issue in the stability of the UR Codes APIs, “a library crash when a malformed call to UR Codes Verification was sent for a Multi-Face UR Code,” was observed, but was addressed by FaceTec and validated by Praetorian prior to the end of the engagement. The functionality of the URID created was also found to have one low issue, but this too was fixed by FaceTec and validated by Praetorian.

The security evaluations also included tests of measures to protect against robust code obfuscation, like dead code insertion, control flow flattening, and variable, class, and function renaming.

The UR Encoder software that generates UR Codes runs behind issuing authorities’ firewall, FaceTec notes, and face data encoded cannot be reverse engineered into an image of the person’s face. The company says the privacy protections and biometric security provided by UR Codes is similar to that of biometric passports, with usability and durability advantages and lower cost than NFC chips.

UR Codes are presented in universal QR format to support scanning with any smart device or webcam.

FaceTec has launched both the free Scan+Match apps for UR Codes and the UR Encoder for issuers so far this year.

The company has also hired multiple veterans of public sector organizations as it brings the 3D face verification and digital identity software to market.

Article Topics

biometrics  |  cybersecurity  |  digital ID  |  FaceTec  |  Praetorian Security  |  QR code  |  UR Codes