How Keyless uses zero-knowledge proofs to protect your biometric data
7 May 2020


To offer a truly secure authentication experience, we need to ensure your authentication data — biometric templates, passwords or private keys — is stored and verified by our network in a way that doesn't compromise on privacy.

In this post, we explain how Keyless leverages zero-knowledge proof (ZKP) cryptography to ensure that your private authentication data is kept secure at all times.

The combination of organizations struggling to protect their private databases against threats, with the unprecedented amount of personal information being collected and stored in these centralized honeypots, highlights the need for zero-trust solutions to better manage private data.

Zero-knowledge technology allows us to authenticate users, without needing to store private information on centralized databases.

By leveraging zero-knowledge proofs, it’s possible for a user to authenticate with Keyless, without our network ever learning anything about them that could jeopardize their privacy or security.

How do zero-knowledge proofs improve security?

Today, most authentication systems rely on secrets to verify users, whether that be passwords, PINs or biometric templates. To protect user accounts from fraud and criminal activity, these secrets need to remain secret.

One of the greatest challenges with online security today is that, in order to verify our identities when we log in, companies and organizations need to store copies of our secrets, either in cleartext or as hashes (a hash is a one-way transformation of a password that in theory cannot be reversed; in reality, cybercriminals have figured out ways to crack hashes).

Unfortunately, the issue with storing secrets is that methods used by cybercriminals are evolving to keep pace with even the most advanced encryption techniques, firewalls and security perimeters that aim to protect internal systems and databases.

Malicious actors can easily infiltrate systems to steal private information — including names, email addresses and passwords (hashed or not). This means that the information we share with organizations, whether willingly or unknowingly, ultimately leaves us exposed to security and privacy risks.

How do zero-knowledge proofs work?

Zero-knowledge proofs have the power to disrupt standard authentication processes by allowing a user to verify their identity without having to reveal their “secret” — whether that be a password, PIN or biometric samples.

With zero-knowledge proof technology, there is always a prover and a verifier.

  • The prover is the person that is attempting to prove to the verifier that they know or possess something — for example a secret, like a password.

  • The verifier is the person (or network) who needs to verify whether or not the prover truly does possess the secret.

What’s important to understand about zero-knowledge proofs is that the prover does not need to reveal anything about what they know, or have, in order to prove to the verifier that they know, or possess, something.

Here's an example of how zero-knowledge proofs are used to protect sensitive information

Imagine that you are the prover and that you’re in a maze with your friend, who is the verifier. Imagine that there is a circuit path within this maze with a door in the middle of it, and that this door can only be opened with a secret password.

You want to prove that you have this password to your friend, but you don’t want to share the password with them.

You and your friend decide to play a game to prove to your friend that you do, in fact, have the password to open the door in the middle of the circuit.

The game goes like this:

While you enter the circuit path, your friend will wait just outside the entrance, so they don’t know which way you entered. Once you’ve gone into the circuit, your friend will come to the entrance point and they’ll call your phone.

To verify whether or not you have the password, your friend will instruct you to appear from either the right-hand path of the circuit or the left.

If you have the secret password, then you’ll be able to appear from the correct side of the circuit every time.

If you don’t have the password, although you may get lucky a few times, the likelihood of you being able to appear from the correct side of the circuit every time shrinks exponentially as the game goes on. So your friend tests you about fifty times.

The chance of you being on the correct side every time without actually knowing the password would be tiny: 2^-50.

If you appear from the correct side of the path each time, then, because the chances of you cheating are so low, the verifier can confidently conclude that you know the secret password.

If you don’t know the password, and you’re not able to appear from the side your friend instructs each time, then they can be quite sure that you don’t know the password, and assume that you were cheating.
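The maze game maps directly onto a one-bit challenge-response proof of knowledge. The sketch below is an added example, not Keyless code and not a description of the Keyless protocol: it uses a textbook discrete-log identification scheme with a toy group (the parameters `P`, `Q`, `G` and all function names are assumptions chosen for illustration) to show why an honest prover passes every round while a prover without the secret can only prepare for one of the two challenges.

```python
import secrets

# Toy group, constructed for illustration and far too small for real use:
# P = 2Q + 1 with P, Q prime; G generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4

def keygen():
    """Return (x, y): the prover's secret and the public value y = G^x mod P."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def verify(y, t, b, s):
    """Verifier's check for one round: G^s == t * y^b (mod P)."""
    return pow(G, s, P) == (t * pow(y, b, P)) % P

def honest_round(x, y, b):
    """Prover who knows x answers challenge bit b (0 = 'left', 1 = 'right')."""
    r = secrets.randbelow(Q)
    t = pow(G, r, P)              # commitment; does not depend on the challenge
    s = (r + b * x) % Q           # response; the random r masks x
    return verify(y, t, b, s)

def cheating_round(y, guess, b):
    """Prover without x bets on `guess` and builds t to satisfy only that bit."""
    s = secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, (Q - guess) % Q, P)) % P   # t = G^s * y^(-guess)
    return verify(y, t, b, s)     # passes only when b == guess

def play(y, rounds, x=None):
    """Run `rounds` challenges; True only if the prover passes every one."""
    for _ in range(rounds):
        b = secrets.randbelow(2)  # verifier's fresh random challenge
        if x is not None:
            ok = honest_round(x, y, b)
        else:
            ok = cheating_round(y, secrets.randbelow(2), b)
        if not ok:
            return False
    return True

if __name__ == "__main__":
    x, y = keygen()
    print("honest prover, 50 rounds:", play(y, 50, x))
    print("cheater, 50 rounds:", play(y, 50))
```

Each round halves a cheater's odds, so fifty rounds leave the 2^-50 chance described above, while the verifier only ever sees `t`, `b` and `s`, never `x`.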

How Keyless uses zero-knowledge proof to secure your biometric data

With Keyless, the user is the “prover”, and the Keyless network is the “verifier”.

Rather than storing biometric templates in cleartext, and using those stored samples to verify users, Keyless uses a biometric-based zero-knowledge process that allows us to verify a user’s identity without needing to see or learn anything about their biometric template.

What makes the platform zero-knowledge is that the Keyless network itself learns nothing about the user’s private information. Even if a malicious actor were to infiltrate our network, sensitive information about our users would remain secure and uncompromised, making Keyless compliant with data privacy regulations such as GDPR, even as these change over time and across jurisdictions.

To make authentication with Keyless even more secure, we leverage the unique combination of your personal hardware devices and unique biometric templates to provide a multi-factor authentication (MFA) solution that is private by design. To cheat the network, someone would need to not only look similar to you, they’d also need to have access to your registered device, which could be either your enrolled phone or laptop.

Enabling secure zero-knowledge authentication with Keyless

At Keyless, we hope to transform the way that private information is managed by leveraging and building upon zero-knowledge principles to build an authentication platform that is private and secure by design.

Secure multi-party computation is another advanced cryptographic technique that allows the Keyless network to ensure that a user’s biometric data match the template provided at registration, without having access to the biometric templates or the authentication data.

By leveraging the power of both of these advanced cryptographic techniques, Keyless authentication software has the potential to put an end to personal data breaches altogether, since there are no centralized repositories of private data to steal from. The unique combination of these technologies allows us to guarantee that private user information is kept safe and secure at all times.

We believe that the need for privacy-preserving authentication solutions will continue to rise alongside our ever-growing dependence on smart technology. By transforming how personal information is stored and managed, we hope to protect both businesses and consumers from the risks of cybersecurity threats like identity theft and fraud, making the internet a far more secure place.
