[00:00:10] >> My name's Carter and I'd like to share with you today just Assia the product that my team members and I have created for privacy by design biometric authentication the team consists of myself IRCAM a Ph D. student in the mastermind behind Justicia Simon is a research scientist here I.S.P. Vladimir is a professor in our expert in cryptography and Wakely is the co-director of in our expert in system security so password base think cation most authentication these days is done with passwords and we're all familiar with the short comings users forget their passwords and users will use the weakest password they can get away with in reason across all their accounts talking to the manager of one doc you sign call centers for tech support guess how much time he said that their tech support spends on handling password reset requests 70 percent 70 percent of their time is just password resets so it's no surprise that companies have been looking to alternatives like biometric authentication as a solution to this after all you can't forget your biometric and you can't accidentally leave your biometric at home however biometrics raises a lot of privacy concerns and government has already taken action because of a law passed in the state of Illinois we've seen 6 Flags sued for collecting fingerprints without adequate customer consent under the same law Facebook and Google are also facing lawsuits for their use of facial recognition in the case of nest they actually disable facial recognition in all their cameras installed in the state of Illinois specifically to avoid this law Meanwhile activist groups like the Electronic Frontier Foundation have lawyers up and they're actively pushing back against the use of biometrics in places like airports and border security. [00:02:05] I also talked to the director of a retail accelerator and she showed me a lot of exciting technology being deployed in retail stores in order to understand customers and how they move through the store but they too are also facing a privacy problem and how can they collect this rich information to understand their customers without creeping them out I also talked to the see so Children's Healthcare of Atlanta and he told me a story about their hospitals before you joined the organization they ran a pilot program using fingerprint scanners and the end result is hard to describe as anything other than a disaster in their case the reason fingerprint scanners weren't a good fit for the hospitals is a large portion of their staff wear gloves so in order to use the fingerprint scanners they have to take off their gloves and because they're a hospital any surfaces that get touched have to be cleaned so now the employees are taking off the gloves using the scanner and then cleaning it and they do this over and over again one or 2 of them forget to put their gloves back on and now you have a health problem so the moral of the story from this is that there is no one size fits all biometric frothing cation of fingerprint might not be appropriate in a hospital but on the other hand in a data center where you're already checking employee badges can geometry can be that little extra something just to make sure you someone can't hand their badge to someone else. [00:03:34] So from talking to people in industry and through our customer discovery we identified 3 key pillars that we build just to see around which we believe are necessary in order for biometrics to truly replace passwords and not just be an add on we need privacy for data compliance thing G.D.P. our data minimization we need recovery so our tech support isn't spending all their time handling password reset requests and we need life in this detection talking to the founder of a company of that secures access to critical infrastructure and unmanned facilities his number one concern with using biometrics is making sure someone can simply hold a picture up to one of these cameras and gain access to the facility. [00:04:16] So how does just to see a work in a nutshell using an app in the client device we scan the biometric and then this runs through a pipeline completely in the client device and on the other end comes out a secret the secret is the only thing that we generate and it never leaves the client device once we had this secret we can use it for encryption establishing secure lines of communication and so forth what makes us unique from competitors is 2 key aspects the 1st aspect is that our secret cannot be reversed back into the original Bio metric if someone were to break into a device and steal one of these secrets they would not for example get a face out of that the 2nd key difference is that our pipeline is completely to the type of metric what I mean by that is that we can handle face voice faced and voice fingerprint and so forth using the same pipeline the way we achieve this is by placing a machine learning model at the start of our pipeline as long as whatever type of biometric we're using has a signal and we have training data we can build a model that extracts the signal in feeds it through our pipeline and know when I say training in this case I do not mean per user training we train once for the type of metric such as face and that model is ready to go the moment hits client devices we currently support face and voice and we're adding support for fingerprints. [00:05:41] In terms of how we reach our customers we are a service in the cloud we can interface directly with new applications in the form of the next DK or for existing applications we can speak common authentication protocols like Open ID connect and Microsoft Active Directory so when one of our customers finds themself in front of a judge being asked what do you do to minimize the data you collect on your customers our dream is for them to be able to say we use justice. [00:06:12] We currently have a minimal viable product implemented in Android we had patents and provisional patent surrounding the technology and we have a 1st customer lined up as our next steps we're hiring a developer to build an i O. S. version of the app and we have that identified several vertical markets which we're engaging with to find additional customers and with that I'm happy to take questions thank you but I. [00:06:49] Hate Group thank you. So yeah there are a lot of competitors obviously for the biometrics there's always that as an opportunity is there for a while. What. Do you view as a primary or a couple of her competitors I'm sure you're probably too. Right so in terms of competitors there are some companies that do their biometrics in-house and then there are some companies that use 3rd party services in both cases privacy is surprisingly under considered one favorite tactic is to kind of push the privacy problem onto the customer so basically the 3rd party provides a service and it's up to the customer the company using it to figure out when and where to store data. [00:07:45] The other companies that do consider privacy they tend to try to tackle it similar to how you would other private information like credit cards so when they do that what tends to be the end result is you end up with a centralized database and that's basically the crown jewels you have all the biometric data in one place which granted is probably better than having it on encrypted all over the place but you're still putting everything in one location which is a prime target for hackers and I don't need to cite many news articles to motivate why that gets leaked anyway so the key difference are the key factors that differentiate us is that we built from design from the ground up around these 3 key principles are biometric authentication so privacy is built into the system. [00:08:37] Just trying to make sure I understand you decide when you look at the biometric measurement and you can read a secret right what what prevents an attack surface where you know I basically hack in the pain that secret right digitally and then I use it to be used to log in through open I do right so in terms of protecting the secret so we purposely keep this notion of secret vague because it can be anything it can be a symmetric key it can be in our say keep air and in terms of how you protect that you protect it similarly how you would protect any other secret on a client device So for example you sign into Facebook you get some token so that way you don't have to keep providing your username password over and over you might put that in a key store manager and might be placed into a trusted to trusted T.P.N. in the client device so there's actually no difference in the handling of the secret compared to have secrets are currently handled so I think this is an extension of that the user experience that you just walk through. [00:09:47] You know the secret is created and never leaves the device but you sort of talked about logging in from multiple places right. How does that you know I guess how does that work and how does that square with what you said about not being right you copied right so one example of a secret you can use which is what we use commonly is a asymmetric keep there so in that case the secret becomes a private key that stays on the client device and then you also build a or you create a corresponding public key that can go to a server like that just to see a server and then we can do public private key off to verify that you hold the private key without revealing it. [00:10:32] Just to go back the terms of differentiation it's like. Device vendors. Fingerprints things like that so the impression from this is that right. To the Top different. Than this is right so it depends on which competitor you look at specifically so for a lot of competitors that do this kind of client server thing cation privacy is a key differentiator. [00:11:10] A good one to compare against as Apple face ID and Touch ID Those are very private set ups but the way that they achieve their privacy is that they tie the better the biometric very tightly to the device so if you lose the device then you have to fall back to something else like a password to reenroll on the new device by solving kind of this privacy problem and by crane this pipeline we can achieve a similar privacy to face ID but we're no longer tied tightly to the client device client gets a new device and as long as they can present their biometrics they can regenerate their secret in recover their identity. [00:11:53] So again just want to make sure I think I understood what you said so when these secrets are created those are stored in your instance in the cloud so the secret is stored on the client device but because we can do things like asymmetric key pairs corresponding public key can be put into the cloud if you so if that if that's I guess in the cloud that's an attack surface and I just was curious as to given the you had Gen one product on Android are there any early customers or people using this terms of yes or friction invalidation right so we do have one customer lined up but we're still in the process of integrating with their application they're relatively new companies so they're craned their application as they integrate with us. [00:12:44] If I was a buyer of this right and you're trying to sew it back to there's tons of these solutions understand why you're describing this as a better solution how how would you convince you know a buyer that's already adopted some authentication right so it depends on what industry they're And I think the easiest sale is if they're in an industry with compliance So for example finance where they're already dealing with things like G.D.P. are. [00:13:11] In fact I would be surprised in a lot of situations if the finance companies are already using biometrics except in very safe situations like voice for making phone calls. So in terms of how to make the cell to them privacy is an easy one if they have compliance and data minimization requirements recovery if you're someone like Doc you sign where your tech support is spending a lot of time doing password resets then you're making a sale in terms of saving costs and lightness for things like critical infrastructure or things done over the Internet where you're very concerned with someone trying to spoof using a image. [00:13:53] So just looking for your opinion in terms of the level of security how secure would you say you know your design is relative to say a 2 factor just curious as to how you score that right so we can we can use bio types of biometrics individually and we can also combine them so to give some example numbers let's use like false except in false reject as metrics so Apple face I.D. advertises one in a 1000000 so it would take about a 1000000 guesses to authenticate as someone else in our case we ran through our entire real dataset and we didn't find any false 6 ups so what we then did was we did some statistical calculations and we found that for just face the chance is about one in 16000000 and then to try to imperiously validate that we took some cutting edge research from Nvidia engendering synthetic faces and this some research is so good that in human testing humans can't tell the difference between these synthetic faces and real faces we ran it for a few months using a high end G.P.U. and we actually empirically confirmed that it takes about 16000000 for face to find a match if we combine face with voice for example that number goes up to about 8000000000. [00:15:28] Thank you.