FAQ

Answers to commonly asked questions.

What is the Keyless Authentication App product?

The Keyless Authentication App is a standalone mobile app that enables users to seamlessly use their mobile devices to authenticate on websites, services, and external providers. See the Keyless Authentication App Offering for more details.

What is the Keyless Network?

The Keyless network comprises different server nodes that store the encrypted secret key and biometric information of the users. They interact with the user devices to compute the ‘closeness’ between stored biometric templates and the authentication samples of the users.

Why do I need the technology that Keyless provides?

Keyless secures user data, keys, and identities without the use of passwords and enables users, customers, and workforce to seamlessly and securely authenticate to online services, websites, and providers. Keyless provides the convenience of a unified experience across multiple devices where the user can use their biometrics for authentication and, optionally, key management.

What are the advantages of Keyless protocol over traditional biometric authentication systems?

Usability, security, and privacy. The Keyless protocol allows a user to authenticate using facial features from any of the user’s devices, without having to remember any passwords or PINs, when interacting with systems like digital payments and online banking. It is designed to support several biometric modalities (e.g., fingerprints, iris, retinal scans, and behavioral biometrics), which will be added in the future.

The user keys and data, including the biometrics used for biometric authentication, are stored on Keyless server nodes in a secret-shared and encrypted fashion. The user device, together with their biometrics, is the only way to legitimately access secret keys and biometric information. Nobody else can access the user information or biometrics, not even the Keyless network.

This approach does not contain the typical central honeypot with user information that could be stolen during a data breach.

Do I need internet connectivity on my phone to authenticate to my workstation?

In the case where you do not have internet connectivity on your phone, your workstation, or both, you can use Keyless Offline Mode to log in. This is done by simply scanning a QR code on the workstation and entering a TOTP generated by the Keyless Authenticator app.

How does Offline Mode work?

Keyless uses a decentralized PIN to enable offline mode. This pattern does not rely on a shared-secret model that is centrally stored and vulnerable to attack. Offline login is done by simply scanning a QR code on the workstation and entering a TOTP generated by the Keyless Authenticator app. Offline mode can be enabled and disabled by the end user or by the administrator.

How does backup and recovery work?

Backup allows Keyless users to recover their account even if they have deleted and reinstalled the Keyless app, without the need to re-enroll and without storing any biometric data.

Keyless users may back up their account through the Keyless mobile app as described in the End User Guide. The backup is less than 0.5Mb in size and is stored in the user's personal cloud account. It does not contain any personal biometric data.

When the app is installed, it automatically prompts the user to recover their account if it identifies that a backup has previously been created for this specific user.

Can I use Keyless technology on multiple devices?

Yes, every Keyless user can have multiple associated devices. The user is required to enroll with Keyless just once, and can then add any other device, regardless of its hardware and operating system. Enroll once, use everywhere!

Can I use my own mobile app, or do I have to use the Keyless Authenticator app?

If you would like to embed the Keyless authentication experience in your own branded mobile app, then you can use our Mobile SDK.

What federation services do you support?

Keyless supports SAML, OAuth2, and OIDC.

How do Keyless-enabled apps choose Keyless nodes to interact with?

The apps can either choose the set of nodes from the network randomly or based on enterprise policies. The policies can be pre-defined before the protocol is instantiated. If needed, the policies can also be updated; after a policy update, the user can interact with and send the encrypted shares to the new set of nodes in the network.

What kind of secret sharing scheme is used between Keyless nodes?

The seed value and the biometric template are shared using Shamir’s Secret Sharing among the Keyless nodes. The secret sharing scheme is chosen so that each of the secrets is split into several pieces. A number of these pieces is required to reconstruct the secret. Each share is encrypted and then stored on one node. No information is disclosed if one has access to fewer than the required number of shares.
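The threshold property described above, as an added example that is not Keyless's own code: a textbook Shamir's Secret Sharing over a prime field (the field size, the 5-of-3 parameters and the sample seed are assumptions, and the per-node encryption of each share that the FAQ mentions is omitted). It shows that any t shares recover the secret, and that t-1 shares are consistent with every candidate secret, which is why they disclose nothing.

```python
import secrets

# Assumed parameters for this example (not Keyless's real choices):
# a 127-bit Mersenne prime field, large enough to hold a 16-byte seed.
PRIME = 2**127 - 1


def _interpolate(points, x):
    """Lagrange-interpolate the unique polynomial of degree len(points)-1
    through `points` and evaluate it at x, all modulo PRIME."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def split_secret(secret, n, t):
    """Split `secret` into n shares (x, y) so that any t of them reconstruct it.
    The constant term is the secret; the other t-1 coefficients are random."""
    assert 0 <= secret < PRIME and 1 <= t <= n
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(t - 1)]

    def poly(x):
        acc = 0
        for c in reversed(coeffs):  # Horner evaluation
            acc = (acc * x + c) % PRIME
        return acc

    return [(x, poly(x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Reconstruct the secret from any t (or more) shares: evaluate at x=0."""
    return _interpolate(shares, 0)


def share_consistent_with(partial_shares, candidate, missing_x):
    """Given only t-1 shares, build a share at `missing_x` under which
    `candidate` is the reconstructed secret. Because this succeeds for every
    candidate, t-1 shares are consistent with every possible secret."""
    return (missing_x, _interpolate([(0, candidate)] + partial_shares, missing_x))
```

With 5 nodes and a threshold of 3, the secret is recoverable while any 3 nodes are reachable, which is the same threshold property the DoS answer relies on.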

What is the Keyless Protocol?

The Keyless protocol specifies the cryptographic operations carried out on the user device, such as secret sharing and encryption of the seed and the biometric template, along with the different mechanisms for interaction between the user device(s) and the Keyless network nodes.

Can an attacker spoof the biometrics and compromise the system?

In order to attempt to spoof the system using compromised user biometrics, the attacker also needs access to the user's enrolled trusted device. The Keyless Network checks that the device is enrolled and authenticated every time the user tries to authenticate to the system, so the spoof attempt would need to be performed before the stolen device is revoked by the user. Additionally, Keyless uses liveness detection techniques to detect and block spoofing attempts.

Why is the device authenticated each time the user tries to authenticate themselves?

This is to mitigate a common and major attack vector where the adversary tries to attack the system from their own device. The adversary cannot use a device that has not been enrolled to authenticate to the network: the device needs to be enrolled first, and it is authenticated every time the user interacts with the Keyless network using it. The device effectively acts as a two-factor authentication token.

How does the Keyless Network respond to Denial-of-Service (DoS) attacks?

To perform a Denial-of-Service attack, the attacker would need to attack all the Keyless nodes simultaneously; such an attack is extremely difficult because of the distributed nature of the Keyless network. As long as a threshold number of servers are available, the availability of the Keyless network is ensured.

What biometric modalities does Keyless support?

Currently, Keyless supports face recognition. However, the protocol is designed to allow several biometric modalities including fingerprints, iris scan, and retinal scan.

What happens when biometrics change, like growing a beard, shaving etc?

Keyless automatically updates the user’s biometric template over time to account for natural changes in the user physiology and appearance. The Keyless network accepts updates to the user template only after successful authentication.

Are the metrics used for Biometrics in Keyless reliable?

Keyless captures the facial features and extracts embeddings from the captured face using a neural network; the extracted embeddings are used for seed and key generation. The biometrics are as reliable as the capture and extraction of features are.

Can someone use a photo against the camera for facial recognition?

Keyless supports modern liveness detection techniques to detect that a picture is in front of the camera and reject the authentication attempt. These techniques allow a biometric system to determine whether the biometric data used for authentication comes from a living person, rather than from a photo, a mask, or a video. Liveness detection can be passive or active.

With passive liveness detection, a face recognition system uses minute face movements due to breathing and natural changes in expression to determine that the biometric data being extracted is from a live individual rather than a photo or a mask.

Active liveness detection involves a challenge-response mechanism: the authentication system asks the user to perform a randomized set of actions (e.g., look up, look left, blink twice), and checks whether the user has performed these actions correctly. These mechanisms prevent the use of pre-recorded videos of the legitimate user for the purpose of circumventing an authentication system.

Is Keyless GDPR compliant?

Yes, Keyless conforms to the GDPR principles of lawfulness, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality, and accountability. The user knows the flow of all their information in the system, so Keyless is transparent and lawful. The user's biometric data is encrypted and shared among all the servers; the servers do not (and cannot) use the encrypted shares for any purpose other than storage, meeting the purpose-limitation principle. The user stores no more information than needs to be stored. The information stored in the system is updated by the user; its accuracy and updates are all controlled by the user, and Keyless does not process or utilize the stored information in any way. The different cryptographic tools used in the Keyless protocol ensure that the data remains confidential and is available to the user at all times.

How does Keyless compare with other biometrics solutions?

Keyless uses secure multi-party computation to match the template with the authentication sample. Specifically, the Keyless protocol implements “comparison” between encrypted biometrics, and the secure multiparty computation together with biometric extraction is optimized to work in tens of milliseconds.

How is Keyless different from FaceID and other ‘local’ biometric solutions?

Biometric matching is performed on our nodes, rather than on a device that is potentially in the hands of the adversary. There are several security issues associated with local authentication: (1) the authentication result is produced on the device, so it cannot be trusted by the network, for instance, to release shares of cryptographic keys; and (2) if the device is physically in the hands of the adversary, it is possible to bypass authentication by editing the content of the device’s memory. Keyless addresses these and other issues by performing matching in the network, rather than locally on the user’s device.

Can I Run Keyless Services Myself?

We understand there can be situations where you'd prefer to manage the Keyless Stack yourself instead of relying on Keyless Infrastructure to do the heavy lifting.

For this reason, we're making it possible for customers to deploy Keyless services on Kubernetes. To do so, please check out the link below.