Norway testing homomorphic encryption with Mobai for biometric template protection

Norwegian banks reported losses of 930 million Norwegian crowns (US$92.7 million) related to financial fraud in 2023 and the problem has only become worse with the arrival of AI tools that automate the work of fraudsters. To increase identity protection, the Scandinavian nation is currently examining Mobai’s homomorphic encryption for protecting biometric templates used in the country’s banking industry.

A spin-off of Norwegian University of Science and Technology (NTNU), the company has been working on strengthening face biometrics systems’ security for Norwegian banks since 2021. Earlier this year, the Norwegian Data Protection Authority (NDPA) published a report exploring Mobai’s technology as well as key legal and privacy challenges related to the use of technologies that protect face biometrics templates.

Mobai and the NDPA presented their work at a webinar on Wednesday organized by the European Association for Biometrics (EAB).

The facial biometrics company has developed the template protection technology as a strong digital face verification method that reduces the risk of identity theft of digital accounts and biometric data. Mobai is calling the biometric verification and encryption solution SALT.

Homomorphic encryption allows computations to be performed on encrypted data without first having to decrypt the data. An advantage is that it allows analyzing sensitive data without compromising privacy. The technology doesn’t expose data but still allows the bank to do an identity proofing in an online session using data from a national identity document such as a passport.

The cryptography works in the following way: The bank collects a selfie image of a customer and the image is processed into a biometric template and encrypted. The encrypted data is used to perform a match with the ID document. The bank is the only entity that can decrypt the decision and thereby authenticate the user, explains Petter Taugbøl, vice president of business development at Mobai.

“In practical terms, this means that a third party, typically a cloud provider, can process sensitive data without ever seeing the underlying data and produce results which they don’t have access to either,” he says.

The project is funded by the Research Council of Norway and involves electronic identity system BankID and one of Norwegian largest savings banks Sparebank1 Østlandet as industry partners. KU Leuven joined as an academic partner.

An important objective has been to analyze whether new and enhanced privacy technologies could change what are acceptable methods for privacy protection, from a legal perspective,  Taugbøl explains.

“By transforming biometric data into encrypted templates could we kind of de-risk or reclassify biometric data in the legal sense from sensitive personal data to maybe personal data, and thereby enable the use of face recognition on a different legal basis?” he says.

As a sub-vendor to the eID provider, Mobai tested its technology as part of a Regulatory Sandbox, designed for exploring issues where there are few legal precedents. The project started in May 2023, and the report launched in January of 2025.

“This has been a long project, and the reasoning for that is that these kinds of projects are challenging,” says NDPA’s Special Advisor, Eirik Guldbransen.

The project should solve a very real world problem. Banks usually require customers to come to physical offices where they take their photo which is then compared with an image in their national ID document.

A similar solution is implemented in mobile banking where customers take a selfie image though their smartphone and then provide a scan of their passport, according to Dag-Arne Hoberg, senior project manager at Sparebank1 Østlandet.

Mobai is arguing that performing biometric processing solely on devices such as personal computers or mobile phones presents security challenges. Many ID solutions confirm access to the device rather than actually identifying the physical person, adds Guldbransen.

“Biometrics can be copied and stolen,” he says. “That is something that we need to acknowledge and we should acknowledge that we need to perhaps look at better solutions than we have today.”

Given the computational demands of homomorphic encryption, Mobai believes that centralized processing is best for ensuring trustworthy face matching results. In contrast, a decentralized approach would leave service providers, like BankID, reliant on platform owners’ security measures.

Mobai and the NPDA have identified the next key questions that the agency will have to tackle: Assessing the legal status of facial images and protected templates in an AI-based solution for verification and the technical security measures for storing protected templates that would be used by the AI and facial images for training purposes. This month, the company won an additional US$1.2 million grant to research new methods for secure credential binding in digital wallets.

More work also needs to be done in other areas, according to webinar participants.

“The solution to fraud is complex, requiring information sharing, eID solutions, biometric technology, fraud detection systems and general increased understanding in society to prevent fraud attempts,” says Hoberg.

Template protection requirements are built into the EU’s GDPR, and the topic has caught the interest of diverse parties from humanitarian organizations to research and innovation groups.

Article Topics

BankID (Norway)  |  banking  |  biometric data  |  biometric template  |  biometric template protection  |  biometrics  |  data protection  |  EAB  |  EAB 2025  |  homomorphic encryption  |  Mobai  |  Norway