BT/ Google introduces passkey sign-in with a farewell note to passwords

Paradigm

Follow

Published in

Paradigm

19 min readMay 8, 2023

--

Biometrics biweekly vol. 63, 24th April — 8th May

TL;DR

Google users can opt to secure their accounts using passkeys rather than passwords, according to a blog post on the company’s website. Passkeys allow users to sign in using fingerprint or face biometrics, or through a device screen lock, such as a local PIN
Tinder debuts video selfie biometrics for security based on FaceTec’s 3D biometric liveness detection software for face authentication
Major 3D liveness revenue, and customer gains for FaceTec in the first quarter of 2023
Coinbase sued under Biometric Information Privacy Act
ChatGPT talks to consumers using voice while OpenAI faces European regulators
First phones with Fingerprint Cards under-display biometrics revealed
Alcatraz AI, Precise expand biometric access control reach
Idex gets production order of fingerprint sensors for biometric access control cards
vAIsual introduces consented biometric video series to dataset shop for AI training
Tool for assessing biometric samples in various modalities launched by Biometix
Innovatrics tops NIST leaderboard for single-iris biometric accuracy
NIST publishes a draft roadmap for identity and access management, seeks input
iProov and Authsignal partner in fighting fraud
Clear accelerates growth in travel; expands into health, social media
FIDO Alliance paper positions protocol for EU Digital Identity Wallet authentications
BIO-key expands IAM market footprint in Africa with two new partnerships
Australia’s DoD issues tender for multi-biometric capture device
Address and ID verification proposed for World Bank social welfare program in Nigeria
Nepalese prime minister stirs controversy after ID verification assigned to his company
Gabon hopes to deliver on its lingering national ID card promise this year
Ghana plans mass block of SIM cards not registered with biometrics
Morocco bringing some courts online with national digital ID
Colombian digital IDs, and biometrics enrollment now available in the US
Controversy dogs biometric data processing for Ireland’s public service card function
Rwanda initiates legislative digital ID amendment to include stateless persons, children
Italy considers new biometric surveillance pilots amidst opposition’s concerns
Pakistan province plans $5.5M tender for security cameras with facial recognition, ANPR
Token raises $30M to fuel growth and development of biometric authentication wearable
Startup Stack Identity gets $4M to shine a light on shadow access
IDPartner corrals a posse to close a $3.1 million seed round
Study finds factors behind a society’s acceptance of biometric surveillance
Biometric industry events. And more!

Biometrics Market

The Biometric system market size is projected to grow from USD 36.6 billion in 2020 to USD 68.6 billion by 2025; it is estimated to grow at a CAGR of 13.4% during the forecast period. The increasing use of biometrics in consumer electronic devices for authentication and identification purposes, the growing need for surveillance and security with the heightened threat of terrorist attacks, and the surging adoption of biometric technology in automotive applications are the major factors propelling the growth of the biometric system market.

Biometric Research & Development

Google introduces passkey sign-in with farewell note to passwords

Google users can opt to secure their accounts using passkeys rather than passwords, according to a blog post on the company’s website. Passkeys allow users to sign in using fingerprint or face biometrics, or through a device screen lock, such as a local PIN.

In keeping with an industry-wide trend toward adopting passkeys, the company is promoting passkeys as a faster, simpler and more secure alternative to existing sign-in options, including multi-factor authentication.

“Using passwords puts a lot of responsibility on users,” write the authors of the post, Arnar Birgisson and Diana Smetters. “Choosing strong passwords and remembering them across various accounts can be hard. In addition, even the most savvy users are often misled into giving them up during phishing attempts.”

Since a passkey exists only on a particular device, when a user signs in with one, it verifies that they are in possession of the device and have the ability to unlock it. This reduces the risk of a password being accessed by bad actors via phishing or privacy breaches. Any shared biometric data unlocks the passkey locally and never goes beyond the device.

The sign-in system works through communication between a cryptographic private key and a corresponding public one, which is uploaded to Google when someone generates a passkey on a device. Unlocking the device provides a unique signature, which is only sharable with Google, to the public key, enabling access to one’s account. Since the sign-in is activated through the private key stored on the device, it means biometric data does not go to Google.

Google’s post specifies that passkeys “are built on the protocols and standards Google helped create in the FIDO Alliance and W3C WebAuthn working group. This means passkey support works across all platforms and browsers that adopt these standards. You can store the passkeys for your Google Account on any compatible device or service.”

So long passwords, thanks for all the phish

Passkeys are a more convenient and safer alternative to passwords. They work on all major platforms and browsers, and…

security.googleblog.com

The biggest names in tech have all pledged to expand support for passkeys. In tandem with corporate preference, consumers have also been warming up to passkeys as an alternative to passwords, according to new research from the FIDO Alliance.

Key findings from a survey of roughly 1,000 U.S. citizens, which the organization is releasing on Thursday to mark World Password Day, show that 57 percent of respondents expressed interest in using passkeys. While passwords are still the most common authentication method, preference for biometric options is growing.

Also of note was the declining reputation of passwords. The survey showed that 60 percent of consumers abandoned purchases over a forgotten password, and that 90 percent had to reset or recover a password.

In addition to Google, FIDO Alliance senior member companies include Apple, Amazon, Visa, Microsoft, Intel and American Express. The organization’s stated mission is to “help reduce the world’s over-reliance on passwords.”

Tinder debuts video selfie biometrics for security

“Send me a video on Tinder” might sound like flirtation, but according to a news release from the social media dating app, it is about to become a security requirement. Subscribers who want to use the app’s photo verification tool — to, as Tinder puts it, “choose photo verified cuties only” — will have to take a video selfie and respond to some prompts.

Tinder’s existing selfie photo verification is based on FaceTec’s 3D biometric liveness detection software for face authentication.

Dating apps such as Tinder have faced concerns about vulnerability to fraud, as well as access by underage users. Last year, a researcher at Stanford University used a generative adversarial network to trick the app’s biometric verification software with an altered digital photo.

“Tinder daters consistently tell us that photo verification is one of their most valued safety features,” said Rory Kozoll, Tinder’s senior vice president of product integrity, adding that the company is prioritizing safe interactions for its subscribers. “The tool provides one more way to help members better assess the authenticity of their match.”

The app will now prompt all new members to complete the photo verification process when they create a profile.

ChatGPT talks to consumers using voice while OpenAI faces European regulators

ChatGPT is still filling headlines by finding new uses, including voice chat. Its maker, OpenAI, however, faces more government scrutiny that could lead to bans, fines and requests and even deletion of data and models, particularly as biometric data and age verification concerns rise to the fore.

Coinbase sued under Biometric Information Privacy Act

It was a matter of when not if. A cryptocurrency company has been accused of violating the U.S. state of Illinois’ biometric privacy law.

A proposed class action has been filed in federal district court alleging that Coinbase has not followed the rules when it comes to collecting and using the biometric data of Illinois residents.

The case (3:23-cv-02123), filed by Michael Massel, alleges that Coinbase required biometric scans of its customers without getting their express consent or saying how their data would be managed.

According to the lawsuit, Massel, opened an account with Coinbase in 2018. Enrollment required sending an image of a state ID and a selfie that becomes a template.

The company reportedly also requires a fingerprint scan as part of creating a wallet.

Biometric data is collected every time a subscriber logs in using Coinbase’s mobile app, court documents allege. The language in the filing strongly suggests, however, that fingerprint authentication is carried out on the user’s device, meaning that Coinbase itself does not collect fingerprint biometric data.

A number of third-party companies reportedly would see at least some biometric data. Those companies can be found in Coinbase’s privacy disclosure and include Jumio, Onfido, SolarisBank and Sift Science. Jumio and Onfido each provide selfie biometrics as part of KYC checks for user onboarding.

The company also is defending itself against an insider-trading lawsuit alleging that executives including CEO Brian Armstrong used insider information around the time Coinbase went public.

Alcatraz AI, Precise expand biometric access control reach

California-based biometric autonomous access control solutions provider Alcatraz AI is integrating its technology with Canadian counterpart Genetec.

With this new partnership, Alcatraz AI’s flagship authentication product the Rock will work with Genetec’s “open-platform” access control system Synergis that can connect with a growing number of third-party access control devices. The aim of the face biometrics integration is to increase security while lowering costs for organizations, reducing complexity and providing business insights, the two companies said in a release.

The move comes a month and a half after Alcatraz AI and Genetec each integrated their access control technologies with Swedish Axis Communications. Genetec has also announced its integration with Precise Biometrics, which has cast its eyes on the U.S. biometrics market.

The new collaboration between the duo will include providing video at the door via an Open Network Video Interface Forum (ONVIF) camera that can be incorporated into the Genetec video management system. This allows for live tailgating detection alerts coupled with door-level video, automated enrollment for all authorized users without storing any personally identifiable information, and enterprise-grade networking and security, with end-to-end encryption and customizable hosting options.

“Our customers and global network of partners can now take advantage of key Alcatraz AI features — like tailgate alerts and door-level video — directly in the Genetec platform to deliver operational insights and strengthen security,” says Francois Brouillet, commercial manager of access control for Genetec. “Together, we are reducing the administrative burden of access control systems by simplifying enrollment and system management, protecting privacy, and ultimately optimizing the overall experience with frictionless access and actionable data.”

Precise Biometrics’ visitor management system EastCoast Visits has been selected by over a dozen customers for deployment or continued use.

New contracts have been signed, or existing ones extended, with Arcona, Amadeus Scandinavia, Kanthal, Malungs elnät (via Granitor), BabyBjörn, GroupM, Centralhuset Uppsala (Bonnier), Exportkreditnämnden, Loomis Sverige, Familjebostäder, IPCO Sweden AB, Länsförsäkringar Stockholm, Telia Jönköping, AFRY Malmö, GPV and The Royal Opera House, according to an announcement from Precise.

The company has also closed deals with garden supply retailer Blomsterlandet and industrial machinery supplier Tollo Linear through partner Workflow Nordic. Publisher Stiftelsen Natur och Kultur is implementing EastCoast via Precise partner IT-Total, and a contract with IT service provider Nova Consulting Group has been signed through reseller Colliers.

Idex gets production order of fingerprint sensors for biometric access control cards

Norway-based cybersecurity company Pone Biometrics has placed a production order for fingerprint sensor modules from Idex Biometrics to build into biometric smart cards.

The fingerprint sensor modules will be integrated with Pone’s open-API smart device OFFPAD, which the company says can be used with FIDO2-certified IAM platforms. Pone says the product is intended for high-performance user authentication for logical access in a highly sensitive enterprise, public sector, healthcare and defense sector deployments.

OFFPAD is described on Pone’s website as an offline personal authentication device that fits in a physical wallet. It is built with a secure element from Infineon and Idex’ IDX3200 fingerprint sensor.

“Pone Biometrics is offering an innovative solution to address a significant and immediate market need: highly secure authentication that is easy to use and to deploy,” explains Idex Biometrics CCO Catharina Eklof. “As more than 70 percent of reported security breaches originate through disparate endpoints, such as mobile devices and Wi-Fi-enabled laptops, the OFFPAD solution is a game-changer for organizations that want to avoid the vulnerabilities and burdens of passwords and PINs. Close collaboration with innovative technology front-runners like Pone Biometrics enables IDEX Biometrics to take the lead in use cases for biometric-based access solutions. In addition to securing payments, biometric cards are increasingly becoming a standard approach to digital authentication.”

First phones with Fingerprint Cards under-display biometrics revealed

Native fingerprint biometrics continue to be a staple feature in most Android smartphones, with Fingerprint Cards reaching implementation in 100 different models since March of last year, and 700 overall. Among the most recent integrations of Fingerprint Cards sensors is the inclusion of the company’s FPC1632 under-display sensor in the Xaiomi Redmi K60, the first phone to utilize Fingerprint Cards’ under-display technology.

The FPC1632 sensor was unveiled last July, and the announcement strongly indicates that Xaiomi is the Asian smartphone manufacturer that placed the volume order for under-display sensors announced at the beginning of the year.

“Our fantastic journey continues, and we are committed to driving growth by delivering secure and convenient identification and authentication, simplifying the everyday lives for our global user base,” comments Haiyuan Bu, Fingerprints’ President of Mobile, PC and Access China. “Furthermore, we have witnessed accelerated demand for biometrics in smartphones over recent years. To see Fingerprints’ sensors now integrated into 700 different smartphone models is a phenomenal achievement. It’s proof that our products are trusted globally and are paving the way for biometrics’ use across a range of other industries and use cases, improving the ease and security of our daily lives.”

vAIsual introduces consented biometric video series to dataset shop for AI training

U.S.-based training data provider vAIsual has launched a new biometric video dataset series to supply fully consented material to fuel the development of machine learning algorithms.

The new datasets are made up of videos with 4k resolution of full-body biometrics and postures from models who have signed releases for their biometric data.

Non-compliance with existing privacy and copyright laws are the AI industry’s greatest challenge, according to vAIsual CEO, Michael Osterrieder.

“Cleanwashing has (become) the norm amongst generative AI companies who are trying to overcome the challenges of training their AI models on scraped data. We are the only company who can provide full dataset disclosure that demonstrates 100 percent legal compliance,” says Osterrieder in the announcement.

The videos have been added to vAIsual’s Dataset Shop, which up until now has offered only still images for training facial recognition and other AI algorithms.

“Adding video opens up a whole range of options for AI teams,” comments Osterrieder. “To begin with, the video itself captures thousands of individual frames that can be extracted into separate images. These stills provide a huge amount of variations in expression and movement.”

The datasets can be used for training generative and diagnostic algorithms, in addition to biometric ones, the company notes in the announcement. The biometric image datasets are designed specifically to be added to workflows for AI training by engineers.

Tool for assessing biometric samples in various modalities launched by Biometix

Biometix has launched a new tool for assessing the quality of biometric data from the four most common physical modalities in various ways.

The new Biometric Quality Assessment Tool (BQAT) provides analysis of fingerprint, face, iris, and voice biometrics samples.

Fingerprint analysis is based on NIST and NFIQ2 quality features, and links image quality to recognition performance, whether with optical or ink 500 PPI samples. Face image assessment analyzes criteria like head pose, smile detection, inter-eye distance, and open or closed eyes. Iris analysis refers to ISO metrics and various quality attributes, and speech samples are examined for characteristics like naturalness, coloration and noisiness.

“BQAT (Biometric Quality Assessment Tool) is a framework to generate and analyze quality metrics of biometric samples to meet international standards as well as support for customized metrics,” says Biometix CEO Ted Dunstone wrote in a LinkedIn post. “BQAT can, for instance, take an input directory of biometric data and produce both the raw quality information as well as an analysis report and outlier detection.”

Biometix says installation is simple through a docker image, or a local build with a git clone, and BQAT is designed for easy integration with existing systems. The tool’s source code is also publicly available to allow for forking.

Dunstone says further announcements about the application of BQAT are coming soon.

Ted Dunstone on LinkedIn: Biometric Quality Assessment Tool (BQAT) - Biometix

We are excited to launch our open-source framework for the quality assessment of biometric samples. BQAT (Biometric…

www.linkedin.com

FIDO Alliance paper positions protocol for EU Digital Identity Wallet authentications

The EU Digital Identity Wallet represents a significant growth opportunity for FIDO authentication, according to a new white paper from the FIDO Alliance.

The 45-page white paper on ‘Using FIDO for the EUDI Wallet’ was written by IDnow Senior Architect Sebastian Elfors from the proceedings of the FIDO subgroup on the EUDI Wallet to help government agencies weigh the use of FIDO for the EUDI Wallet under the eIDAS2 regulation.

FIDO is an approved authentication standard for digital ID schemes at the ‘High’ or ‘Substantial’ Level of Assurance under eIDAS in the Czech Republic and Norway, proving its compliance with the system, according to the paper. This, the paper states, shows the protocol’s conformance to the regulation.

The updated digital identity regulation and ongoing development of the EUDI Wallet is intended to enable authentication for many more online transactions.

The technically-detailed paper describes how eIDAS has evolved and the place the EUDI Wallet has in it, and then the architecture of the wallet. The EUDI pilots are then reviewed, before a pair of sections on how and why to use FIDO for transactions with the EUDI Wallet.

Two types of configurations are specified in the Architecture Reference Framework. Type 1 configuration of the EUDI Wallet is intended for use cases in which PID attestations are used for cross-border identification to LoA High. Type 2 configuration is intended to support electronic attribute attestations outside of Type 1’s scope, potentially such as education credentials or health information.

Person Identification Data (PID) stored in the EUDI Wallet must be in the ISO mDL or W3C Verifiable Credential format, with OpenID for Verifiable Credentials Issuance as the enrollment protocol. This takes FIDO out of scope for Type 1 configurations.

In Type 2 configurations, FIDO is well-suited as an authentication standard for the EUDI Wallet, the paper argues. Potential use cases in this type of implementation could include authentication to payment service providers, cloud wallets, and OpenID Connect, for access to remote Qualified Signature Creation Devices, online mDL verification, and issuance from an identity verification provider.

Ultimately, eIDAS2 represents an opportunity for expanded use cases for FIDO authentication, according to the white paper.

Innovatrics tops NIST leaderboard for single-iris biometric accuracy

An iris identification algorithm developed by Innovatrics has been ranked the most accurate for single-eye identification in the Iris Exchange (IREX) conducted by U.S. National Institute of Standards and Technology.

The same biometric algorithm slightly trails two algorithms from a single developer in two-eye identification in the April 10 update of IREX 10.

Described by the company as a “real-world application algorithm,” the technology can be embedded in smart devices for iris recognition in many scenarios. Use cases include high-security applications such as visa applications, border control, national ID programs and access control and on-device uses such as e-gates or kiosks.

According to a company announcement, the algorithm’s latest version, refined from previous approaches, showed strong results in speed, as well as accuracy. With a small template size and fast template creation, it outperforms algorithms offered by larger competitors, Innovatrics says.

Matus Kapusta, the ABIS business unit director at Innovatrics, says: “Together with this IREX result, we already have a leading fingerprint matching algorithm in NIST MINEX and also offer NIST-benchmarked recognition as one of only a handful ABIS in the world.”

Innovatrics will host a webinar to demonstrate its iris liveness technology MagnifEye Liveness on May 4th.

During the webinar, Innovatrics says it will demonstrate how organizations can use its different liveness detection technologies in various real-life situations. Attendees will also get a short overview of how liveness detection technology has evolved over the past few years.