In the digital era, most of our daily transactions happen online, and protections like Strong Customer Authentication (SCA) have made it easy for users to confirm their identities with hardware tokens, fingerprints, passwords and similar factors.
However, this level of convenience comes with a significant amount of risk. For example, a Revolut customer recently lost over £56,000 via a technique known as shoulder surfing, in which criminals watch a user enter their device passcode, then steal the device and break into the account using the victim's own credentials.
Consequently, biometric security measures like fingerprints and facial recognition are becoming overwhelmingly popular. They are considered more secure than credentials because it is naturally very difficult to steal someone's unique biological identifiers. Right?
Not exactly. Biometric authentication still has a number of security vulnerabilities. Did you know that criminals can disable biometric authentication simply by turning off Face ID on an unlocked device? Biometrics can also lead to usability issues: recovering an account with your biometrics can be difficult if your user data is not properly processed and stored. What's more, depending on how that data is stored, organizations using biometric authentication can run into data protection and privacy issues.
This is where Keyless can help. We've developed a brand-new biometric technology that combines the strengths of the two existing approaches, and in doing so have created the first new biometric category in over a decade.
Device-native, or ‘local’ biometrics is the first of the two existing biometric authentication methods. The technology behind Apple’s Face ID, device-native biometrics offer strong privacy, as a user’s data never leaves their device.
But device-native biometrics come with usability and interoperability issues. If your iPhone goes missing, so does any biometric data stored on it. To make matters worse: users cannot hop from an iPhone to a Samsung tablet using their biometrics.
Server-side biometric systems, also called 'centralized' systems, store and process biometric data on remote cloud servers. When users enroll, their device uploads their biometric template to the cloud. When they take a selfie to authenticate, they will generate a new template, which is compared to the one stored on the cloud. This offers user convenience and cross-device authentication, which contrasts with the device-based approach.
With centralized systems, if you lose your device, your biometric information can easily be retrieved from the cloud: your identity is not lost with the phone. Centralized biometrics also allow cross-device authentication, permitting users to enroll on one device (e.g. Android) and authenticate on another (e.g. Apple).
But it’s not all roses. Centralized servers are a prime target for cybercriminals. If attackers can breach a server, they can gain access to a huge amount of biometric templates. There are also a host of privacy concerns depending on how the data is stored on the cloud server. For example, many centralized systems are not GDPR compliant.
At Keyless we have developed a third way. Combining the best of both worlds, we offer the privacy of local biometrics with the usability of the centralized system. Known as Zero-Knowledge Biometrics™, or ZKB for short, it is the only biometric authentication system that does not store biometric data anywhere: neither on the device nor in the cloud.
To describe how this is achieved, we must first clarify what does and does not constitute biometric data. In the context of facial recognition, biometric data includes the selfie itself, any biometric features extracted from the selfie, and anything that can link these features back to the user. On the other hand, any piece of data that cannot be linked back to the user is not biometric data.
The Zero-Knowledge Biometrics system adds the privacy offered by local biometrics to the usability and flexibility of centralized biometrics. Data leaves the device and is sent to the Keyless Cloud Service. However, unlike other centralized systems, this data is transformed into encrypted data using the Secure Multi-Party Computation (SMPC) protocol before leaving the device. This ensures it no longer qualifies as biometric data and fully preserves the privacy of the biometric data within. The Keyless Cloud Service cannot read the transformed data nor extract any biometric information from it.
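To make the contrast between the centralized model (the enroll-then-compare flow described earlier) and the "transform before it leaves the device" model concrete, here is an added illustration. It is not Keyless's protocol and not code from this page: it uses the textbook building blocks of secure multi-party computation, additive secret sharing between two non-colluding servers plus Beaver multiplication triples from a trusted dealer (both assumptions), to compute the squared distance between an enrolled template and a fresh probe while neither server ever holds a template. The templates are constructed 4-dimensional integer vectors; real face embeddings are much larger and are quantized before sharing.

```python
# Added illustration (not Keyless's protocol): a quantized face template is
# additively secret-shared between two non-colluding servers, and the servers
# jointly compute ||enrolled - probe||^2 without either seeing a template.
# Beaver triples come from a trusted dealer (assumption).
import secrets

P = (1 << 61) - 1      # prime field modulus (constructed choice)
THRESHOLD = 2000       # accept when squared distance is below this (constructed)


def squared_distance(x, y):
    """Plaintext reference: what a conventional centralized server computes."""
    return sum((xi - yi) ** 2 for xi, yi in zip(x, y))


def centralized_match(enrolled_template, probe):
    """Server-side model: the server holds the raw template and the raw probe."""
    return squared_distance(enrolled_template, probe) < THRESHOLD


def share_scalar(v):
    """Two additive shares mod P; each share on its own is uniformly random."""
    s0 = secrets.randbelow(P)
    return s0, (v - s0) % P


def share_vector(vec):
    pairs = [share_scalar(v) for v in vec]
    return [p[0] for p in pairs], [p[1] for p in pairs]


def open_scalar(s0, s1):
    """Recombine two shares and map the field element back to a signed integer."""
    v = (s0 + s1) % P
    return v - P if v > P // 2 else v


def dealer_triple(n):
    """Trusted dealer (assumption) hands out shares of a Beaver triple a, b, c = a.b."""
    a = [secrets.randbelow(P) for _ in range(n)]
    b = [secrets.randbelow(P) for _ in range(n)]
    c = sum(ai * bi for ai, bi in zip(a, b)) % P
    return share_vector(a), share_vector(b), share_scalar(c)


def shared_squared_distance(x_shares, y_shares):
    """Servers 0 and 1 turn shares of x and y into shares of ||x - y||^2."""
    n = len(x_shares[0])
    (a0, a1), (b0, b1), (c0, c1) = dealer_triple(n)
    # Subtraction is linear, so each server does it locally on its own shares.
    d0 = [(x - y) % P for x, y in zip(x_shares[0], y_shares[0])]
    d1 = [(x - y) % P for x, y in zip(x_shares[1], y_shares[1])]
    # The servers exchange their shares of e = d - a and f = d - b.  The opened
    # values are masked by the fresh random a and b, so they reveal nothing about d.
    e = [(d0[i] - a0[i] + d1[i] - a1[i]) % P for i in range(n)]
    f = [(d0[i] - b0[i] + d1[i] - b1[i]) % P for i in range(n)]
    # Beaver identity: d.d = c + e.b + f.a + e.f   (the public e.f term is added by server 0 only)
    r0 = (c0 + sum(e[i] * b0[i] + f[i] * a0[i] + e[i] * f[i] for i in range(n))) % P
    r1 = (c1 + sum(e[i] * b1[i] + f[i] * a1[i] for i in range(n))) % P
    return r0, r1


def private_match(enrolled_shares, probe):
    """Device shares the fresh probe, servers return distance shares, device decides."""
    probe_shares = share_vector(probe)
    r0, r1 = shared_squared_distance(enrolled_shares, probe_shares)
    return open_scalar(r0, r1) < THRESHOLD


# Constructed 4-dimensional quantized templates (real embeddings are far larger).
ENROLLED = [10, -20, 30, 40]
PROBE_SAME_USER = [12, -18, 29, 41]
PROBE_OTHER_USER = [-50, 60, 5, -70]

if __name__ == "__main__":
    server0_share, server1_share = share_vector(ENROLLED)   # enrolment: one share per server
    print("centralized, same user :", centralized_match(ENROLLED, PROBE_SAME_USER))
    print("private, same user     :", private_match((server0_share, server1_share), PROBE_SAME_USER))
    print("private, other user    :", private_match((server0_share, server1_share), PROBE_OTHER_USER))
```

The point of the split is the breach scenario from the centralized model: a database dump from either server contains only uniformly random field elements, and even the values exchanged during matching are one-time masked. The security rests on the two servers not colluding and on the dealer being honest; a production system would replace the dealer with a triple-generation protocol and quantize real embeddings before sharing.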
Zero-Knowledge Biometrics comes with a host of benefits.
ZKB offers the usability and interoperability benefits of server-side biometrics. Any device with a front-facing camera can be used to create a biometric template. This is because we put human identifiers at the center of authentication, rather than the device, ensuring a consistent user experience across operating systems. ZKB also supports Multi-Factor Authentication for PSD2 and SCA compliance.
Because we transform data before it leaves the device, we offer the same privacy benefits as local biometrics. What’s more, our use of ZKB has meant that we are the world's first biometrics vendor to achieve FIDO and FIDO2 certification. Keyless also adheres to GDPR and CCPA standards.
Keyless complies with internationally recognized quality management and information security standards, including ISO 9001 and ISO 27001.
In summary, local biometrics favor privacy and centralized biometrics favor usability and flexibility. The first is better at protecting data, whereas the second prioritizes user experience.
Keyless leverages the strengths of both device-based and server-side biometrics to deliver a facial biometrics solution that favors privacy and usability - an industry first.
Request your demo today to learn more about the Keyless difference and its advantages over existing biometric authentication systems.