Can Eyeprint 'selfies' replace hardware tokens?

Eyeprints - of veins in the white, not the iris of an eye - captured via selfie are another biometric option for 2-factor security, but concerns about the implications of compromise remain.

Biometric security vendor Solus has launched a selfie-based two-factor authentication (2FA) system called Eyeprint (http://www.solusps.com/) which promises a low-cost and 'hardware free' solution to the 2FA conundrum.

Actually, the Eyeprint solution isn't hardware free but it does take the 2FA mantra of something you know, something you have to the next level. You will already have a smartphone, and you most likely already have eyes, which just leaves you needing to know how to take a selfie and remember a PIN number. But just how secure is all this fancy eye scanning stuff, especially if it's taking place on your phone?

One of the main selling points of Eyeprint ID is undoubtedly the reduced cost of roll-out compared to traditional 2FA schemes, which require hardware dongles or tokens that Solus argues are much more likely to be lost than the user's smartphone. The fact that the smartphone is the vehicle for the Eyeprint itself is also being pushed as a big plus, because pretty much every user is familiar with the concept of 'taking a selfie' and the enrolment process is akin to that. "Remove additional costly hardware, improve accuracy and the reduced cost of maintaining support and user access," Solus states in a press release, "and you might just have a viable two-factor biometric authentication." Of course, none of that helps answer the 'how secure' question we already posed, so let's take a closer look at the technology.

Solus can be installed on both Android and iOS devices; as long as the user's smartphone has an HD camera, it would appear to be good to go. It works by capturing an image of the blood vessels on the eye. The resulting Eyeprint ID image is transformed into a template that records locations and image statistics, identifying anything up to 400 unique interest points per eye, and the original image is deleted. Solus claims that "the vessels or veins don't change with age, and can provide effective login and usage in all lighting conditions and even through glasses and contact lenses."

Extraneous 'chaff points', which are indistinguishable from the genuine interest points, are added in order to obfuscate the template, and these also carry information which is used to enable key generation. Solus says that the equations used require information from at least 40 of these chaff points in order to properly resolve, and the result is a 512-bit Eyeprint key that is "as secure as a 50 character complex password." It is this key that is passed to the host application, ensuring that the biometric data remains encrypted to the device. This is then used together with a scrambled PIN pad for 2FA. Single Sign On is available for companies using Active Directory and LDAP solutions, and additional 2FA elements such as device tying and geo-location services are also provided.
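The following is an added illustration of the chaff-point idea described above, not Solus's algorithm, which the article does not disclose. It assumes Shamir-style polynomial shares as the information the chaff points carry and SHA-512 to produce the 512-bit key; the function names, field size, tolerance and sample coordinates are all constructed for the example.

```python
import hashlib
import random

P = 2**127 - 1   # prime field for the toy shares (assumption)
K = 40           # chaff tags needed, mirroring the "at least 40" figure
TOL = 3          # pixel tolerance when matching a probe to the template

def _x(pt):
    """Map a point location to a field element used as the share index."""
    h = hashlib.sha256(repr(pt).encode()).digest()
    return int.from_bytes(h, "big") % P or 1

def _key(secret):
    return hashlib.sha512(secret.to_bytes(16, "big")).hexdigest()  # 512 bits

def enroll(genuine, n_chaff, rng=None):
    """Build an obfuscated template; returns (template, key)."""
    rng = rng or random.SystemRandom()
    coeffs = [rng.randrange(P) for _ in range(K)]   # coeffs[0] is the secret
    poly = lambda x: sum(c * pow(x, e, P) for e, c in enumerate(coeffs)) % P
    template = {pt: rng.randrange(P) for pt in genuine}  # genuine: random tag
    while len(template) < len(genuine) + n_chaff:
        pt = (rng.randrange(1000), rng.randrange(1000))
        if pt not in template:
            template[pt] = poly(_x(pt))             # chaff: a real share
    return sorted(template.items()), _key(coeffs[0])

def unlock(template, probe):
    """Treat every template point the probe does not match as chaff and
    interpolate the secret from their tags. Returns None below K shares."""
    near = lambda a, b: abs(a[0] - b[0]) <= TOL and abs(a[1] - b[1]) <= TOL
    shares = [(_x(pt), tag) for pt, tag in template
              if not any(near(pt, q) for q in probe)]
    if len(shares) < K:
        return None
    secret = 0
    for i, (xi, yi) in enumerate(shares):           # Lagrange at x = 0
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * -xj % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return _key(secret)

# Constructed sample data, not real biometric measurements.
GENUINE = [(37 * i % 1000, 91 * i % 1000) for i in range(1, 21)]
SAME_EYE = [(x + 1, y - 2) for x, y in GENUINE]      # small capture jitter
OTHER_EYE = [(53 * i % 1000, 17 * i % 1000) for i in range(1, 21)]
```

In this toy model a probe must match every genuine point to recover the key, because any genuine point mistaken for chaff contributes a random tag to the interpolation; a production matcher would need error tolerance that is not modelled here.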

SCMagazineUK.com queried Solus CEO Matthew Ainscow about the viability of using such imaging when medical conditions such as Wet Macular Degeneration, a condition that causes irregular additional blood vessel growth within the retina, would change the pattern of those recorded vessels and veins. "Unlike retina and iris scanning, the eye print is taken from the blood vessels on the white of the eye and does not scan the retina or iris," Ainscow told us, adding, "these are in fact totally different technologies and this is why we refer to the process as an eyeprint, rather than a scan."
