Biometrics and passwords alike are converted into digital bits and, from that point on, are equally usable by bad guys. Learn how HYPR's engineers made biometrics more secure.
On the surface, using biometric signatures (i.e., biological features that are exclusive to each individual) seems like a great idea. Good-bye passwords. A simple fingerprint or a selfie, and that's it. What's not to like? It's convenient and secure.
Part of the problem experts see with using biometrics for authentication is that, once a biometric signature is converted to a digital format, it's treated just like any other password — and therein lies the rub. Password databases are getting compromised daily. So, if there is no inherent benefit from something that costs more, why invest in the technology?
HYPR has the answer
I was recently contacted by a representative of HYPR Corporation. At first, I thought this was just another biometric company that did not have anything new to offer. That notion was quickly dispelled, and a conference call was arranged with George Avetisov, HYPR's cofounder and CEO, and Bojan Simic, HYPR's CTO.
The first thing the gentlemen talked about was how existing biometric solutions in this sector use insecure methods of verifying identities. "The main error that current biometric solutions make is centrally storing mass amounts of biometric template information," stated Simic. "This is hazardous because in the event of a breach, this compromises sensitive biometric data; and unlike passwords, changing biometric identities is not easy."
Avetisov then started talking about the "responsible use of a person's unique biometric signature." He first explained the premise they started with at HYPR. "One must assume the operating system layer is compromised, and also assume the cloud is unsafe. Therefore a biometric authentication protocol can only rely on storing user data in a trusted environment on the device, away from the operating system."
Next, the two talked about the innovation happening in the mobile-device security space. Cell phones and tablets now have fingerprint sensors and/or facial-recognition cameras. However, more importantly, these devices are designed to isolate the digitized biometric signature from the device's operating system by using a Trusted Execution Environment (TEE). Read this excerpt of the definition for TEE on Wikipedia:
"The TEE as an isolated execution environment is providing security features such as isolated execution, integrity of Trusted Applications along with confidentiality of their assets. In general terms, the TEE offers an execution space that provides a higher level of security than a rich mobile operating system and more functionality than a secure element."
HYPR Token fingerprint reader
Using a similar concept, the team at HYPR developed HYPR Token, a 3.7 mm Bluetooth- and NFC-enabled fingerprint reader that secures personal information and other sensitive data behind a biometric authentication gateway.
The simplest way to think about the HYPR Token is that it builds on the ubiquitous security fob and its six-digit LCD screen. "Instead of storing user templates on a centralized server, the HYPR architecture allows end-users to authenticate their actions without ever transmitting biometric data across cyberspace," explains Avetisov.
Besides eliminating the need to send the digitized biometric signature to an authentication server, it seemed that using the fingerprint reader would add another factor of authentication. "That is correct. Since the fingerprint data never leaves the HYPR Token, the user's fingerprint is authenticated to the user's token," said Simic. "Once the token verifies the user's fingerprint, it initiates a cryptographic signature. Since this cryptographic signature can only be initiated once the user's fingerprint is verified, reading the fingerprint is an additional authentication factor."
Besides the HYPR Token, the company offers two biometric-authentication implementations: one based on FIDO Alliance's open standard, and another using the company's patented Biometric Time-based One-time Password (TOTP) authentication protocol.
The slide below, taken from the HYPR white paper Biometric Authentication Suite (PDF), provides an overview of how the HYPR biometric cryptography engine and the HYPR Token interact using the TOTP architecture.
Use Token on any device on any platform
Simic noted their goal was to develop a sector-agnostic technology. He added, "We enable third parties, individual application developers to large-scale organizations, allowing them to implement biometric authentication with scalability."
Avetisov mentioned they noticed enterprise organizations have been especially slow to adopt biometric authentication. "Besides cost, the main flaw that existing biometric security providers have is centrally storing mass amounts of user template information to perform server-side validation. HYPR's biometric encryption inverts the archaic method of authentication from a one-to-many match into a one-to-one validation, allowing HYPR to be added to an already existing enterprise infrastructure, as a BYOD security solution or as a standalone security token."
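A minimal model of the device-side flow Simic and Avetisov describe above, added here as an illustration and not HYPR's own code: the enrolled template and the signing key stay on the token, the server holds only a public key, and a signature over a fresh challenge is released only after a local one-to-one match. The SHA-256 exact-match comparison is a stand-in for a real fuzzy biometric matcher, and all names and sample values are invented.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Token models the hardware authenticator: template and key never leave it.
type Token struct {
	template   [32]byte
	privateKey ed25519.PrivateKey
}

// Registration is all the server keeps: a public key bound to a user id.
type Registration struct {
	UserID    string
	PublicKey ed25519.PublicKey
}

// Enroll stores the fingerprint sample on the token and hands the server only
// the public key. Exact hash match stands in for a fuzzy matcher (assumption).
func Enroll(userID string, sample []byte) (*Token, Registration, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, Registration{}, err
	}
	t := &Token{template: sha256.Sum256(sample), privateKey: priv}
	return t, Registration{UserID: userID, PublicKey: pub}, nil
}

// Authenticate does the one-to-one match on the token; only a match signs.
func (t *Token) Authenticate(sample, challenge []byte) ([]byte, error) {
	if h := sha256.Sum256(sample); subtle.ConstantTimeCompare(h[:], t.template[:]) != 1 {
		return nil, fmt.Errorf("fingerprint mismatch: no signature released")
	}
	return ed25519.Sign(t.privateKey, challenge), nil
}

// Verify is the server side: it checks the signature, never the biometric.
func Verify(reg Registration, challenge, sig []byte) bool {
	return ed25519.Verify(reg.PublicKey, challenge, sig)
}

func main() {
	tok, reg, _ := Enroll("alice", []byte("constructed-fingerprint-sample"))
	sig, err := tok.Authenticate([]byte("constructed-fingerprint-sample"), []byte("challenge-1"))
	fmt.Println(err == nil && Verify(reg, []byte("challenge-1"), sig)) // true
}
```

A breach of the server-side store yields only public keys, which is the property the interview contrasts with centrally stored templates.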
Note: TechRepublic and ZDNet are CBS Interactive properties.