Can Eyeprint 'selfies' replace hardware tokens?

News by Davey Winder

Eyeprints - of veins in the white, not the iris of an eye - captured via selfie are another biometric option for 2-factor security, but concerns about the implications of compromise remain.

Biometric security vendor Solus has launched a selfie-based two-factor authentication (2FA) system called Eyeprint, which promises a low-cost and 'hardware free' solution to the 2FA conundrum.

Actually, the Eyeprint solution isn't hardware free, but it does take the 2FA mantra of something you know, something you have, to the next level. You will already have a smartphone, and you most likely already have eyes, which just leaves you needing to know how to take a selfie and remember a PIN. But just how secure is all this fancy eye scanning stuff, especially if it's taking place on your phone?

One of the main selling points of Eyeprint ID is undoubtedly the reduced cost of rolling it out compared to traditional 2FA schemes, which require hardware dongles or tokens that Solus argues are much more likely to be lost than the user's smartphone. The fact that the smartphone is the vehicle for the Eyeprint itself is also being pushed as a big plus, because pretty much every user is familiar with the concept of 'taking a selfie' and the enrolment process is akin to that. "Remove additional costly hardware, improve accuracy and the reduced cost of maintaining support and user access," Solus states in a press release, "and you might just have a viable two-factor biometric authentication." Of course, none of that helps answer the 'how secure' question we already posed, so let's take a closer look at the technology.

Solus can be installed on both Android and iOS devices; as long as the user's smartphone has an HD camera, it would appear to be good to go. It works by capturing an image of the blood vessels on the white of the eye. The resulting Eyeprint ID image is transformed into a template that records the locations and image statistics of up to 400 unique interest points per eye, after which the original image is deleted. Solus claims that "the vessels or veins don't change with age, and can provide effective login and usage in all lighting conditions and even through glasses and contact lenses."

Extraneous 'chaff points', which are indistinguishable from the genuine interest points, are added in order to obfuscate the template, and these also carry information which is used to enable key generation. Solus says that the equations used require information from at least 40 of these chaff points in order to properly resolve, and the result is a 512-bit Eyeprint key that is "as secure as a 50 character complex password." It is this key that is passed to the host application, ensuring that the biometric data remains encrypted to the device. This is then used together with a scrambled PIN pad for 2FA. Single sign-on is available for companies using Active Directory and LDAP solutions, and additional 2FA elements such as device tying and geo-location services are also provided.

We queried Solus CEO Matthew Ainscow about the viability of using such imaging when medical conditions such as wet macular degeneration, a condition that causes irregular additional blood vessel growth within the retina, would change the pattern of those recorded vessels and veins. "Unlike retina and iris scanning, the eye print is taken from the blood vessels on the white of the eye and does not scan the retina or iris," Ainscow told us, adding, "these are in fact totally different technologies and this is why we refer to the process as an eyeprint, rather than a scan."
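Solus does not publish the equations behind its chaff-point scheme, so as an added illustration (not Solus's code) here is the classic fuzzy-vault construction of Juels and Sudan, which produces the behaviour the paragraph describes: the key is locked as the constant term of a polynomial, genuine interest points lie on it, chaff points are mixed in off it, and a threshold of matching points is needed to recover the key. The field prime, point counts and threshold are assumptions chosen to mirror the figures above.

```python
import random
from functools import reduce

P = (1 << 521) - 1  # field prime (assumption): Mersenne 2**521-1, room for a 512-bit key

def lock(key, genuine, k, n_chaff, rng=None):
    """Hide `key` in a random degree-(k-1) polynomial over GF(P): genuine interest
    points (x values) lie on it, chaff points are random and kept off it."""
    rng = rng or random.SystemRandom()
    if len(set(genuine)) != len(genuine) or any(x % P == 0 for x in genuine):
        raise ValueError("genuine x values must be distinct and non-zero mod P")
    coeffs = [key % P] + [rng.randrange(P) for _ in range(k - 1)]  # constant term = key
    poly = lambda x: reduce(lambda acc, c: (acc * x + c) % P, reversed(coeffs), 0)
    vault = [(x, poly(x)) for x in genuine]
    used = set(genuine)
    while len(vault) < len(genuine) + n_chaff:
        x, y = rng.randrange(1, P), rng.randrange(P)
        if x in used or y == poly(x):  # chaff needs a fresh x and must miss the curve
            continue
        used.add(x)
        vault.append((x, y))
    rng.shuffle(vault)  # once shuffled, genuine and chaff entries look alike
    return vault

def unlock(vault, captured, k):
    """Vault points whose x matches a captured point are taken as genuine; k of them
    give the constant term by Lagrange interpolation at x = 0. Fewer than k -> None."""
    wanted = set(captured)
    pts = [(x, y) for x, y in vault if x in wanted][:k]
    if len(pts) < k:
        return None
    key = 0
    for i, (xi, yi) in enumerate(pts):
        num = den = 1
        for j, (xj, _) in enumerate(pts):
            if j != i:
                num = num * xj % P
                den = den * (xj - xi) % P
        key = (key + yi * num * pow(den, -1, P)) % P
    return key

def demo():
    """Constructed scenario: 400 enrolled points, 400 chaff, threshold 40; a fresh
    capture re-finds 60 enrolled points and adds 30 spurious ones."""
    rng = random.SystemRandom()
    key = rng.getrandbits(512)
    genuine = [rng.randrange(1, P) for _ in range(400)]  # stand-in point coordinates
    vault = lock(key, genuine, 40, 400, rng)
    capture = rng.sample(genuine, 60) + [rng.randrange(1, P) for _ in range(30)]
    return unlock(vault, capture, 40) == key and unlock(vault, genuine[:39], 40) is None
```

A deployable vault also has to tolerate noisy, quantised coordinates and confirm the recovered key against a stored hash, since a single chaff or outlier point in the chosen subset yields a wrong key silently rather than an error.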

Andy Kemshall, co-founder and technical director at SecurEnvoy, warns that this form of biometric technology is "not mature or proven" but does see it as being "a clear indication of how the security authentication market is developing." That said, Kemshall also warns that there are still potential technical flaws in any type of camera-based solution. "The biggest question being how would the app know the difference between a picture of you shown to the phone's camera versus the real you?" he asks. Indeed, over the years there have been problems with iris and retinal recognition falling victim to image quality at both ends of the spectrum: poor quality can cause a failure in the initial enrolment process, while high-quality images could be used to fool the scanner. While the evolution of high-quality cameras in smartphones has solved the former, it's as yet unclear if Eyeprint ID will prove any more resilient against 'scanned image' attacks once security researchers start probing it in the labs.

One thing is for sure, though: the need for the kind of increased security that 2FA provides, without compromising time or convenience, is gaining momentum and focus for businesses because of the increasing number of data breaches over the last few years. "The key however is ensuring the right approach and technology to enable business grade 2FA is taken," Kemshall warns. The fact that pretty much all of us carry smartphones is helping to break down the price barrier, and technologies such as Eyeprint could help break down user resistance to complex security processes as well, as long as the security side of the equation stands up to real-world exposure.

Kemshall worries that the weak link might be the software behind the scanning application, for example. Others worry about how and where the biometric data is stored. However, there's also another problem when we start talking about replacing passwords with a biometric alternative, and it's the numbers game. Whether it's the number of fingers for printing or eyeballs for scanning, they are very finite indeed. Passwords are not perfect by any means, but you can be creative and retain enough complexity to ensure there are secure and unique ones for all your logins. When you only have a couple of eyes to go around, if that biometric signature were to get compromised, then everything protected by it gets weakened as a result.

Hans Zandbelt, senior technical architect at Ping Identity, agrees, telling us: "As with any biometric technology, once breached or stolen it is difficult to revoke." Of course, Solus isn't talking about replacing passwords for everything, but instead is looking at the enterprise single sign-on market, where such a technology could be just what the optometrist ordered. Zandbelt considers it a clear indication of "the rise of the phone as a replacement for the hard token type of authentication, where the phone becomes the token" and concludes that this is a good thing, as the security industry "needs to help develop secure personal, multi-factored and identity-based authentication as hackers grow ever more sophisticated in their methods."
