The FIDO standard-compliant implementation could enable broader use of biometric devices for strong authentication.
When it comes to gaining secure access to online sites and services, the use of strong authentication mechanisms, including biometrics, is a good idea, though it's often difficult to implement. Security startup HYPR is aiming to change that by making it easier to implement biometrics through the use of its biometric security software development kit (SDK).
"We have built a biometrics tokenization SDK that consists of the client and server code necessary to implement biometric authentication," George Avetisov, CEO of HYPR, told eWEEK.
The SDK can make use of any type of biometric technology available on a user's device, whether it's a fingerprint reader, a facial-recognition technology or otherwise, he said. The way that HYPR performs the biometric authentication is intended to secure the authentication process itself, as well.
Other fingerprint biometric technologies, for example, have tried to take the user's fingerprint and then match it against samples in a database. The HYPR approach is different, Avetisov said, because it takes a one-to-one matching approach that makes use of the existing hardware capabilities on the device.
With the Apple iPhone and its Touch ID fingerprint reader technology, for example, the user's fingerprint is stored locally on the device.
"What the HYPR SDK allows third parties to do is use systems like Touch ID seamlessly for a one-to-one match," Avetisov said.
There is already a base API in the iPhone 6 to use the Touch ID sensor; however, that API doesn't provide authentication to a bank, for example, he said. Rather, the base API authentication is for the phone itself.
"When we say biometric tokenization, it's a system by which public key cryptography is added into the loop," Avetisov said.
So, for example, a bank can be running the HYPR server-side code with the corresponding client code implemented in an app on the user's device. When the user goes to authenticate with the bank using the phone's fingerprint reader, he or she is not authenticating to the phone, Avetisov said. Rather, the user is signing a cryptographic challenge that the bank has sent to the phone app, and the fingerprint is what unlocks that signing operation.
"So what the user is doing is communicating to the server without actually sending the biometric information to the bank server," Avetisov said.
As such, the bank doesn't need to store or handle the actual user fingerprint, and attackers can't capture the fingerprint data in transit because it is never transmitted over the Internet. Additionally, Avetisov commented that the signature is time-based and can't be reused, further reducing the potential risk to users.
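To make the flow described above concrete, here is an added example (not HYPR's SDK or any code from the article) that models both sides in Go with a P-256 key: the device signs the bank's challenge only after a local one-to-one template match, and the server enforces single use plus a time window. The Device and Server types, the string placeholder standing in for the locally stored biometric template, and the 30-second window used in testing are assumptions made for the illustration.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"errors"
	"time"
)
// Device stands in for the phone; the P-256 key and the enrolled template (a constructed placeholder string) never leave it.
type Device struct {
	priv     *ecdsa.PrivateKey
	enrolled string
}
func NewDevice(enrolled string) (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Device{priv: priv, enrolled: enrolled}, err
}
// Sign releases a signature only after a local one-to-one match; only the signed challenge, never the biometric, goes to the server.
func (d *Device) Sign(challenge []byte, presented string) ([]byte, error) {
	if presented != d.enrolled {
		return nil, errors.New("local biometric match failed")
	}
	return ecdsa.SignASN1(rand.Reader, d.priv, challenge) // the 32-byte random nonce stands in for the message digest
}
// Server (the bank) keeps only the registered public key and the challenges it has issued but not yet consumed.
type Server struct {
	pub    *ecdsa.PublicKey
	issued map[string]time.Time // challenge -> time issued
	ttl    time.Duration
}
// Challenge issues a fresh 32-byte random nonce and records when it was issued.
func (s *Server) Challenge(now time.Time) []byte {
	c := make([]byte, 32)
	_, _ = rand.Read(c) // crypto/rand; in Go 1.24+ this cannot return an error
	s.issued[string(c)] = now
	return c
}
// Verify accepts each challenge once, within the TTL, and only with a signature from the registered key, so a captured signature cannot be replayed.
func (s *Server) Verify(challenge, sig []byte, now time.Time) error {
	at, ok := s.issued[string(challenge)]
	delete(s.issued, string(challenge)) // single use, even if a later check fails
	switch {
	case !ok:
		return errors.New("unknown or already used challenge")
	case now.Sub(at) > s.ttl:
		return errors.New("challenge expired")
	case !ecdsa.VerifyASN1(s.pub, challenge, sig):
		return errors.New("signature does not verify")
	}
	return nil
}
```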
The HYPR technology supports FIDO (Fast Identity Online) standards for strong authentication, which were recently extended to support Bluetooth and near-field communication technologies.
"We're big believers in FIDO," Avetisov said. "We actually have our own HYPR token, which is one of the first publicly available Bluetooth U2F (Universal Second Factor) tokens."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.