Transforming biometric security: ZeroBiometrics ditches templates for good

An innovation in biometrics and cryptography that delivers secure and privacy-preserving authentication without storing any sensitive data is ready for the market, ZeroBiometrics Head of Product Technology and Commercial Strategy Dave Burnett said in a video interview with Biometric Update. Now the market just needs to catch up with the technology.

ZeroFace combines cryptography and biometrics to enable zero-knowledge proofs, which is novel because “our faces change, and keys are supposed to stay the same,” he notes. Burnett uses the example of shaving off a beard when explaining how a normal change to facial appearance would result in keys derived from face biometrics not matching.

In ZeroBiometrics’ system, once biometric data is captured, it goes through “multiple irreversible transformations” on its way to key creation. The keys are ephemeral, and exist only when the user’s face is present, marking a clear distinction in the security of those keys.

Roughly one in four people who hear ZeroBiometrics’ pitch of creating stable and consistent keys with biometrics, including highly knowledgeable professionals, react by denying that such a thing is possible, Burnett says. This is one of the reasons the company patented its core technology.

Burnett also explained the different between ZeroFace and other approaches to public key infrastructure (PKI). Prominent among them is the FIDO Alliance, but Burnett notes that ZeroFace can be used in FIDO implementations.

Avoiding a security burden

PKI use takes on a security burden over and above the use of biometrics, Burnett argues. Biometrics are sensitive personal information, and while storage methods can be more or less secure, they all involve the burden of protecting that information. Private cryptographic keys likewise must be stored somewhere, in traditional PKI, and Burnett suggests that when not stored on the secure element of a personal device, this also creates risk.

Performing authentication without storing either the user’s biometrics or keys avoids that risk, according to Burnett.

“So you get all of the benefit of a PKI architecture – it doesn’t have to be FIDO, but it could be FIDO – without that security burden,” he says.

So what is saved, and how does it authenticate the user?

ZeroBiometrics saves a zero-knowledge proof (ZKP) that specifies where on the particular user’s face to find the data that should be used to generate the key. The company calls this ZKP a “ZeroMap.” If a different person’s ZeroMap is used, or a different face is presented, the resulting hash will not match, and the authentication attempt will rightly be rejected.

The ZeroMap is not sensitive, Burnett says, which means it can be ported across devices.

Using biometrics without storing them

ZeroBiometrics offers a holistic solution with security and biometrics combined, not biometric capabilities with security left up to implementation, as Burnett says is normal in the industry.

The ZeroMap informs the ZeroFace algorithm how to generate the right SHA-256 hash which is then transformed into a cryptographic key, as part of a larger stack. This stack also includes security measures like injection and presentation attack detection.

ZeroBiometrics primarily designed the system for use on mobile devices, but it also supports server-side deployments.

“These pieces can be put in different locations to achieve different service goals that a customer might have,” Burnett explains.

Businesses that avoid storing biometrics or private keys not only avoid having to protect a honeypot of sensitive data, but also the legal and regulatory responsibilities that that entails, so “they don’t have to be responsive to a subpoena as well,” according to Burnett.

Regulators are concerned with the handling of sensitive information, not public keys, and while Burnett says discussion to help data protection authorities understand how ZeroBiometrics works are ongoing, the technology is ultimately well-positioned for approval to even stringent regulations, Burnett suggests. In the meantime, data protection and privacy regulations are continuing to motivate businesses to avoid storing biometric honeypots.

The advances being made around protecting biometric templates remain important, Burnett says, but avoiding the storage of the templates in the first place is a fundamentally different approach.

Burnett says the process is just as fast for users as the biometric authentication experiences they are used to, and is flexible enough to be used in 1:N scenarios. The ZeroSearch capability involves storing the ZeroMap on the server, along with the public key, and performing an irreversible transformation of the submitted biometric sample on the user’s device. That data is then uploaded to the server, where it goes through a second transformation that extracts the data the ZeroMap data, which is what gets compared to find a rank-ordered subset of keys to match against.

This works with millions of faces, Burnett says.

A different algorithm is used for server-side searches, “so that server-side search cannot generate the same keys that would be generated by your device.” That means that in the event of a backend compromise or a malicious insider stealing all of the stored data on the server, it could not be used on a local device, as it would not generate the same key-set.

“It’s one of dozens of ways that we’ve engineered security deep into the heart of this and thought proactively about a lot of the very common threat vectors to data loss and data compromise,” Burnett says.

Each customer of ZeroBiometrics gets ZeroMaps encrypted with a different AES key, so even in theory, biometric data stolen from one app cannot be used in another.

He also explained how the digitally signed nonce provided by ZeroBiometrics can be loaded with any kind of information that benefits the use case. Assuming that does not include personally identifiable information (PII), it can be implemented on a decentralized system like a blockchain, or in a centralized architecture.

Due to the portability of the ZeroMap, ZeroBiometrics has also supported account recovery from its beginning. More recently, the company has developed an extension of its ZeroSearch capability to enable fully biometric account recovery.

Burnett referred to testing ZeroBiometrics has undergone through third parties to validate its security and accuracy, including with configurations of up to one in a billion.

Ultimately, Burnett says, “we as an industry have to move away from storing sensitive data.” ZeroBiometrics believes it has the way to make that work in a wide range of scenarios, while still delivering the benefits of biometrics.

This is a sponsored post. For information about advertising, please contact us.

Watch The Interview
Read on BiometricUpdate.com