Keyless is building a privacy-first biometric authentication and identity management platform that eliminates the need for businesses to centrally store and manage passwords, sensitive cryptographic keys, and other authentication data, without compromising on convenience and privacy for their users.
The Keyless protocol implements secure biometric authentication using state-of-the-art secure multi-party computation techniques. The protocol involves the user’s mobile device, which interacts with a set of nodes in the Keyless network. Each node stores cryptographically protected shares of the user’s biometric data and of the user’s authentication key. These shares enable users to perform authentication without storing any biometric template on their devices, and to generate authentication tokens on demand.
The Keyless protocol is composed of two phases: enrollment and authentication.
During the enrollment phase, users register themselves and their mobile device with the Keyless network. This includes storing an encrypted authentication key and one-way processed biometric data in a distributed form on Keyless nodes using threshold secret sharing.
During authentication, Keyless first authenticates the user’s device. The device then computes a one-way transformed biometric sample locally and sends it to the Keyless nodes, where it is matched against the one-way transformed template stored on the nodes during enrollment. Because none of the nodes is able to decrypt the biometric template or the authentication sample, matching is performed using a secure multi-party computation protocol.
At the end of the authentication process, the nodes learn whether the biometric authentication sample matches the template. A match indicates that, with high probability, the two biometric datapoints come from the same person. Additionally, a match reveals a different encrypted share of the authentication key to each node, which forwards it to the user’s mobile device.
Once the device has received enough shares, it can use the authentication key to construct the user’s authentication token.
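The threshold secret sharing step described above, as an added illustration that is not Keyless's own code: the authentication key is split into one share per node with Shamir's scheme, and the device reconstructs it only once it holds at least the threshold number of shares (the field prime, the node numbering and the key value are assumptions for the example).

```python
import secrets

# Field modulus; a constructed choice for this example (2^127 - 1, a Mersenne prime).
PRIME = (1 << 127) - 1


def _eval_poly(coeffs, x):
    """Evaluate the polynomial with coefficients a0..a(t-1) at x, mod PRIME (Horner)."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_key(key, n, t):
    """Split an authentication key into n shares so that any t of them reconstruct it.

    The key is the constant term of a random degree t-1 polynomial; node i (hypothetical
    numbering 1..n) receives the point (i, f(i)). Fewer than t points reveal nothing about
    the key, which is why a node holding one share cannot recover it on its own.
    """
    if not (0 <= key < PRIME and 1 <= t <= n < PRIME):
        raise ValueError("invalid parameters")
    coeffs = [key] + [secrets.randbelow(PRIME) for _ in range(t - 1)]
    return [(i, _eval_poly(coeffs, i)) for i in range(1, n + 1)]


def reconstruct_key(shares):
    """Lagrange-interpolate f(0) from the (x, y) shares the device has collected.

    With at least t distinct shares this returns the key; with fewer it returns a value
    unrelated to the key (the interpolation is of the wrong degree).
    """
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share index")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        # Modular inverse of den via Fermat's little theorem (PRIME is prime).
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret
```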