By Craig Guthrie, deputy editor
As financial institutions, governments and companies increasingly explore blockchain tech as a solution for secure transactions and service delivery, biometrics is emerging as a perfect counterpart technology for authentication.
The trend is underlined by the announcement this week that biometric and cryptography solutions firm HYPR will partner with blockchain security firm BitGo in bringing biometric authentication to the space.
Planet Biometrics caught up with George Avetisov, CEO and co-founder, HYPR Corp, to discuss the new partnership and the future of blockchain, biometrics and secure digital identities.
Do you believe the worlds of biometric authentication and the blockchain/digital asset space will increasingly intersect?
We’re already seeing the worlds of biometric authentication and the blockchain/digital asset space connect, as both technologies are seeing rapid adoption in parallel. There is a very interesting and almost serendipitous reason for this.
Two of the key issues that have hindered adoption of digital assets are security and usability. Decentralized biometric authentication addresses both issues as it manages to drastically increase security while also improving usability.
As with any scenario of unauthorized access to private keys, the transfer of bitcoin is instant and permanent. To avoid a total loss, and with little oversight and no recourse for the victim of an attack, blockchain-based platforms are in dire need of bleeding-edge security solutions.
The total loss nature of blockchain-based transactions has also meant that the use of strong passwords and other security features has been implemented. But solutions like strong passwords and legacy 2-Factor Authentication remain a usability nightmare, especially on mobile devices. HYPR combines the security that digital assets require and markedly improves the user experience that is essential for greater adoption and trust.
Can you explain the concept behind a decentralized biometric security platform?
A decentralized biometric security platform is one where the storage and encryption of biometric credentials is distributed across all devices. This means that an enterprise wishing to replace or augment passwords with biometrics for authentication switches to a system where their users employ biometrics but the enterprise does not centrally store biometric data as they currently do with passwords.
A great example is in how law enforcement and border access use biometrics. An employee or suspect reaches an agency terminal with a sensor, and their biometric (often fingerprint or photo) is compared against a database of thousands or millions of others’ biometric signatures in a “one-to-many” matching scheme. Decentralized biometric authentication employs a “one-to-one” matching scheme where an employee or consumer matches a biometric against their pre-registered biometric on a trusted device they have in their possession.
A one-to-many matching scheme is risky since hackers are known to target an agency or enterprise that has a central repository of biometric credentials as they currently do passwords. These stockpiles of user data are a juicy target for hackers because the reward for obtaining them is tremendous as in the case of the U.S. Office of Personnel Management data breach. A one-to-one matching scheme disrupts the hacker attack model by forcing them to go from device to device to device for individual biometrics. This is an unscalable attack that requires them to be in possession of the device, physical biometric, and the user’s knowledge (e.g., PIN, a second factor, etc.).
In a HYPR-Secure architecture, biometrics for each user remain on-device, and are used to sign a cryptographic challenge sent from a server. By decentralizing the biometric data across millions of devices, encrypting it, and tokenizing their use at the time of account access, there are multiple benefits. The end-user is protected, the enterprise deploying the application has lower risk, the UX is superior to passwords, and users are protected against device loss through revocability as the enterprise simply disables the public keys used to respond to the authentication in the event of a lost device.
In theory, biometrics for authentication could remain a far worse solution than passwords if their storage were centralized and if there were no additional encryption employed. Today’s increased adoption of standards-based protocols such as those of the Fast Identity Online (FIDO) Alliance has created a growing ecosystem in which convenience is vastly improved and risk is reduced for enterprises.
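An added illustration of the challenge-signing flow described in this answer, not HYPR's or the FIDO Alliance's code: the server keeps only a public key per device, issues a single-use challenge, and stops accepting logins once that key is disabled. The names (`Server`, `DeviceSign`, `phone-1`), the choice of Ed25519 and the `matched` flag standing in for the on-device one-to-one biometric match are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// DeviceSign models the handset: it signs only if the local match (matched, assumed) passed.
func DeviceSign(priv ed25519.PrivateKey, challenge []byte, matched bool) []byte {
	if !matched {
		return nil
	}
	return ed25519.Sign(priv, challenge)
}

// Server holds public keys and pending challenges, never biometric data.
type Server struct {
	keys    map[string]ed25519.PublicKey
	pending map[string][]byte
}
func NewServer() *Server { return &Server{map[string]ed25519.PublicKey{}, map[string][]byte{}} }
func (s *Server) Register(id string, pub ed25519.PublicKey) { s.keys[id] = pub }
func (s *Server) Revoke(id string) { delete(s.keys, id) } // lost device: disable its key
// Challenge issues a fresh random nonce for one login attempt.
func (s *Server) Challenge(id string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	s.pending[id] = c
	return c
}

// Verify consumes the challenge (no replay) and checks the registered key.
func (s *Server) Verify(id string, sig []byte) bool {
	c, pub := s.pending[id], s.keys[id]
	delete(s.pending, id)
	return c != nil && pub != nil && ed25519.Verify(pub, c, sig)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	srv := NewServer()
	srv.Register("phone-1", pub) // constructed device id
	fmt.Println(srv.Verify("phone-1", DeviceSign(priv, srv.Challenge("phone-1"), true)))
}
```

Because a challenge is deleted on first use, a captured signature cannot be replayed, and revocation needs no change on the device or to the user's biometric.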
Do you see biometrics playing a role in smart contracts?
Biometric authentication is going to play a key role in validating a user’s identity for smart contracts. As in the case of any other blockchain-based scenario, smart contract execution needs both security and usability upgrades to be implemented at scale. We expect the use of a physical biometric and a decentralized authentication protocol will make a lasting impact on answering the most important question during such a transaction - “Am I who I say I am?”
Is HYPR targeting the enterprise market with collaborations like this?
HYPR and BitGo have received inquiries from customers on both sides about blockchain security solutions and biometrics as a means for improving access to blockchain-enabled services. This partnership was formed expressly to deliver a secure biometric blockchain experience to customers through BitGo’s Multi-Signature technology and the HYPR biometric encryption suite. Use cases already discussed include decentralized identity, streamlined UX through HYPR-Secure biometric login, and the integration of BitGo’s multi-signature platform for HYPR customers utilizing biometrics for identity. This partnership is also powerful for accelerating adoption of specifications like those put forth by the Fast Identity Online (FIDO) Alliance across the digital assets sector.
Are there any issues you feel aren’t getting enough coverage in the biometrics industry?
I think that the biometrics industry should focus more on security. Lots of people understand biometrics, but very few understand biometric security. There are many biometrics companies that do an excellent job of creating matching algorithms and authenticators but have a fundamentally flawed understanding of data security. Biometric technologies have been around for a long time, but never really went mainstream because the risk of a centralized repository of fingerprints or faces is too great of a risk to deploy at scale. To this day, we are surprised to see so many talented engineers continue to push for legacy systems that rely on the centralized one-to-many matching schemes, when the industry is clearly leaning the other way. For this reason we have launched the HYPR-Secure partner program and invite vendors to augment the security of their technologies through our platform. We look forward to seeing many more HYPR-Secure architectures across the biometrics industry in the years to come.