Skip to content

Main features

This section presents the technical features and differentials of das-FaceQR. These differentials are mainly based on the concepts of security and privacy.

Security

The security of the das-FaceQR service is based on 4 principles.

  1. High performance biometric engine.
  2. Encryption of biometric information.
  3. Valueless authentication.
  4. Use of double factor authentication.

High performance biometric engine

dasFaceQR leverages a top-notch high-performance biometric engine to generate the biometric information associated with a person. This engine has been developed by Veridas from scratch using the latest Artificial Intelligence technology, and was ranked as the third best biometric engine in the world by NIST on April 4, 2019.

Encryption of the biometric information and digital signature

The biometric QR generation process allows obtaining an encrypted mathematical representation of a person's face as a string of bytes. This means that anyone managing to read one these credentials will not be able to obtain any personally-identifiable information out of it.

Alt

It is not possible to retrieve a person's face image from the biometric vector. In other words, the mathematical operation that transforms a face into a biometric vector is irreversible (assimilable to a "hash").

The encryption of the biometric vector resulting in the biometric credential provides an additional layer of security. To do this, a 32-byte key is used. Currently, the encryption process uses a unique key, known exclusively to Veridas.

The steps to transform a image of a person into a QR are detailed in the diagram below.

Alt

  1. The image is provided as input to the biometrics model and returns a 512-dimensional vector that is called the face biometric embedding
  2. The biometric embedding is signed and encrypted into what is known as a biometric credential. The encryption is done with a different key for each veridas client, providing an additional level of privacy.
  3. Finally, the biometric credential is encoded as a QR. This could be read using any smartphone.

Considering the dimensions of the biometric embedding and the precision of float16, the total number of different possible credentials comes to a total of 10^2471. This number is astronomical because the number of atoms in the universe is 10^82.

Why is the biometric vector encrypted if the vector itself is an irreversible byte string?

Additionally, multi-tenant encryption is necessary to prevent the customers (with access to the on-premises instance of das-FaceQR) from using the biometric QRs of other customers. Currently, Client A can take a biometric QR generated by Client B and perform a biometric validation process if they have an on-premises instance of das-FaceQR. In any case, Client A and Client B can not access the user's biometric information.

Value-less authentication

das-FaceQR introduces the concept of "valueless authentication" or value-less authentication. This concept refers to the null importance of the loss of the biometric QR.

  • No one -a person or an automatic system-, even Veridas, can recover the user's facial image.
  • Only the Veridas software can retrieve the biometric vector
  • From the customer's point of view, the loss of the biometric QR does not expose any

personal data of its users (except in the case that they are added as part of the contextual data

Double factor authentication

Currently there are different authentication mechanisms in applications. In general, they use at least one of the following elements.

  • Something the user knows: It is the usual case of authentication by email and password. In this scenario, the application stores these two data, where the password is known -ideally- exclusively by the user. In this situation, the application has access to user information, for example the email, which does not have to be necessary for the consumption of the service offered by the application.
  • Something that you are: It is the usual case of biometric authentication (facial, fingerprint, etc.). In this scenario, the application stores the registration biometric information, in the form of an image, biometric vector, or other. As in the previous case, the application has access to user information, for example the image of the face, which does not have to be necessary for the consumption of the service offered by the application.
  • Something you have: Usually used as a complement to the previous two, with the aim of reinforcing security.

das-FaceQR is based on the use of two factors combined.

  • Something that you are, through the use of facial biometrics.
  • Something you have, by storing the biometric credential by the user in physical or digital format.

The validation through the das-FaceQR service implies that the user is who he claims to be while presenting something he has.

Likewise, if das-FaceQR is used in the context of digital payment services, the legal requirements established by the European PSD2 regulations could be met for considering that a "stronger authentication" has taken place. The element of inherence (something you are) is fulfilled by the biometric verification. This can be completed and converted in a reinforced authentication by taking the biometric credential held by the user as a token for the purposes of compliance with the element of possession (something you have).

Privacy

The main feature and differential element of das-FaceQR is that it offers the possibility of implementing an authentication system in which the application that the user uses to authenticate, does not have to store any personal (or biometric) data of the user.

Unlike the previously explained authentication mechanisms, the registration information can be guarded (stored) by the user, not by the application. As the biometric credential has no value itself, it can be stored by the user without limitation and risk free, allowing a qualitative leap in terms of the privacy of the user data.

Output formats

The code containing the biometric credential can be exported in several formats. For instance, it could be an image containing the QR or Aztec code, or a Passbook file readable with any of the widely available wallet applications.

Selfie image formats

Admitted formats for the selfie images are JPEG, PNG and TIFF.