The Center for Data Innovation spoke with Fabian Eberle, chief operations officer, chief financial officer, and co-founder of Keyless, a London-based cybersecurity company that develops biometric recognition systems. Eberle discussed how Keyless allows individuals and organizations to stop using passwords and authenticate themselves using biometrics.
This interview has been edited for length and clarity.
Eline Chivot: What has led you to start Keyless, and what issues do you hope to address?
Fabian Eberle: How we prove who we are online is fundamentally broken, and is the primary cause of security and privacy threats threatening the individual, organizations and businesses. We wanted to develop a solution that would address this issue at its core—an authentication solution that eradicates the chance of human error by replacing authentication secrets with something the user is (biometrics) rather than something they know or have. As such, we set out on a mission to enable anyone to access any digital service from any device, while keeping personal data safe, private, and under the user’s control.
Chivot: How does Keyless’ technology work to ensure security for their customers?
Eberle: Keyless uniquely combines privacy-enhancing technologies with multi-modal biometrics, and machine learning to seamlessly authenticate users via their biometrics with zero risk to their privacy, all with just one look into the front-facing camera of any device, independent of and without trusting the underlying hardware or software platform.
Keyless has been designed with privacy and security in mind, and thus the solution is helping clients not only improve user experience, but also enhance security and privacy within their organizations and businesses.
First, Keyless eliminates vulnerable access points: Our main competitors store biometric data on a user’s device (via local authentication). This marries the user to one particular device, fragments the authentication experience, and poses major security and privacy risks if the device is compromised, lost, or stolen. Second, Keyless never jeopardizes a user’s biometrics: Instead of using local authentication, Keyless stores encrypted fragments of authentication data across its distributed cloud network. These fragments don’t ever represent personally identifiable information. To authenticate and identify users, Keyless uses secure multiparty computation—a privacy-enhancing cryptographic technique— without ever exposing raw biometric data. And third, Keyless’ solution is truly universal: Keyless is device, platform, and cloud-agnostic. This means it can be rolled out quickly to enhance remote security because a) the solution works with any device (meaning employees/users can use their own devices to login via Keyless); and b) Keyless seamlessly integrates with existing identity and access management systems (companies don’t need to change their infrastructure to be able to use Keyless).
Chivot: Can you give a few examples illustrating the benefits of Keyless’ recognition system for individuals and companies?
Eberle: In an era where personal information is no longer private and passwords are commonly reused, stolen, or cracked with various tools, the traditional scheme of protecting access to data and services by username and password has repeatedly proven to be inadequate.
Eighty percent of hacking-related breaches still involve compromised and weak credentials (usernames and passwords). Thirty-five percent of all breaches, regardless of the attack type, involved the use of stolen credentials. This leads to billions of dollars lost yearly on data breaches resulting from weak or stolen passwords.
This is why the world is going passwordless. Gartner claims that “by 2022, 60 percent of large and global enterprises, and 90 percent of midsize enterprises will implement passwordless methods.”
Keyless helps organizations go passwordless by eliminating the need for businesses to centrally store and manage credentials, biometric data, and any other sensitive information without compromising on convenience, security, or privacy.
Chivot: The use of facial recognition by the police and government agencies has received a mixed press. What is your perspective on the wider use of this technology?
Eberle: Biometrics have the potential to transform the way we interact with the web and digital services in the physical realm. However, like all other sensitive personal data, biometric information is unique to an individual, and therefore must be kept private and secure. We believe biometrics should only ever be processed, stored and used for identification or authentication with explicit permission from the user.
As for the wider use of facial recognition technology, we believe that privacy rights must come first. Governments, organizations and businesses hoping to leverage the benefits of biometrics must therefore look for solutions that adhere to modern privacy regulations and exceed customer expectations on privacy, security, and user experience.
Chivot: Biometric recognition is a fast-moving technology. Are there any areas where you find standards and practices that need to catch up, and are there any sectors where the technology would prove particularly useful?
Eberle: Biometric recognition technology is gaining widespread adoption as a means to improve security, convenience, and inclusion in society. But this steep adoption curve is raising legitimate concerns over how sensitive biometric data will be used and safeguarded. Protecting individuals’ privacy is a balancing act. However, privacy is the very enabler for making biometric authentication more powerful. What is lacking more than privacy, are “standards for privacy-enhancing technologies applied to biometrics.” With privacy-preserving biometrics, disclosure of biometric data becomes a non-issue. It further puts the users in control of their own data and makes it ubiquitously accessible, so users enroll once and henceforth use it anywhere. It offers much greater usability while enhancing security and protecting the user’s privacy all at the same time.