Andrew Bud has quietly cracked the core challenge within facial recognition security. "We've solved the central problem in biometric ID, and we are the only people to have solved it."
It sounds like a surprising claim, because, historically, biometric systems are defeated sooner or later when they try to detect replicas (spoof images) or replays (of video, from a recording). Those systems, when faced with the questions "Is this a real face?" and "Are we seeing this face in real time?" couldn't ultimately answer with any certainty.
Bear with me here, because Bud is no ordinary executive. The current founder and CEO of iProov, he graduated in 1982 (with a first in both tripos) with a master's degree in engineering from Cambridge University in England.
"I like founding industries," he says, and again, it's a claim not without merit.
Andrew Bud of iProov
Indeed, he created Zonephone (a forerunner in the UK of Rabbit) and is the inventor or joint-inventor of multiple mobile technologies, and is credited with 13 patents, notably Radio LAN and DECT. For eight years, he was the head of mobile at Olivetti, when the organization was bigger than IBM (technical head at Omnitel Pronto-Italia, now Vodafone Italy). When the mobile industry wanted an industrial mobile payment method, Bud was already ahead of the game as the founder of M-Blox. He's also the co-founder and global chair of the Mobile Entertainment Forum. On top of that, he seemed, well, pretty quiet. Not so.
"I spent a year thinking about how to authenticate a transaction on a hopelessly compromised mobile device," he says. Criminals were able, at the time, to exploit a weakness in the authentication process for SMS mobile payments. By 2013, this had become a $1 billion industry-wide problem. "Then I thought, by extension, how does one really establish trust at a distance?"
The ramifications of that thought process for visual ID, biometrics and countering ID theft, false identity, and personality spoofing were far-reaching. Up until then, software developers had focused on authentication through the ability to match one instance of a face with a known true representation of that face. Bud thinks that premise was flawed from the very beginning.
"Previously, companies looked at how accurately they could try and match that face, but that was all wrong, because attacks are all spoofed. Faces are not a secret, secure credential to begin with, I mean you can find mine easily on LinkedIn. So, the problem is, how do I know you are the real you?"
Essentially, hackers were fooling the process every time, by either visually presenting a spoof face, or taking a snippet of recorded video and presenting it as though it were a live event; if the presented visuals matched the recorded visual closely enough, they were let in. No thought was given to the validity of the face being presented, thoroughly wrecking the plans of biometric authentication companies and causing untold reputational, financial, and privacy and security damage. But not for Bud.
iProov's central innovation (for which Bud also holds joint patent credit) employs a two-stage process which eliminates the threat of spoofing or recorded footage. To gain access to an app that requires biometric authentication, for example, the subject must present their face to the camera on their mobile device. First, the face is illuminated by a uniquely coded color which can tell a real human face from a spoofed CGI representation. Then, a sequence of colors is flashed that specifically rules out pre-recorded footage. iProov's patented process takes about two to three seconds, all told.
Want to see a quick demo? There was one at Finovate Europe this year, presented, of course, by Bud himself.
The technology has potential from Fintech to everyday password replacement and remote ID authentication. But is it a healthy, impenetrable solution? iProov recently held a six-week hackathon where an external agency was given access-all-areas to kick the tires. According to Bud, no one defeated the system, even though "we saw new attacks coming in that we had up until that point only theorized might be out there."
How does it stay healthy? Bud worries that the prevalence of more vulnerable face-recognition systems is teaching hackers new tricks, since during the learning process before a hack, the hacker remains unobserved. The theory is that if they remain unobserved, they will learn and adapt their strategies, "bank" them, and then deploy them when they can see a maximal business case. There will be no warning and the attack will be very comprehensive and mature.
"In order to observe hackers, the architecture needs to process authentication within the network, on the servers, and not at the device level," he says, contrasting this with other approaches. This may bring his views into conflict with the FIDO Alliance, which, according to Bud, sees such authentication processing as a privacy issue.
iProov is currently focusing on scaling up customer deployments. These include DMB Financial and HMRC (the UK government tax revenue department). It has an opportunistic view on funding, having just in June closed a round of non-equity financial assistance from an undisclosed investor and Microsoft Accelerator London, at an undisclosed valuation.
"I make a point of having a portfolio (of iProov business concepts) that I can use if I get more funding resources. But does iProov need more funding (per se, on that basis)? We have no need for financial assistance." It is understood that iProov is about to close an additional funding round.
Even then, Bud is not done. He has patented a new approach which builds on iProov's core competency with facial recognition and hybridizes it with ICAO 9303, which is a standard that guides the use of machine-readable travel documents. So, one could use a mobile device with an NFC chip by tapping a passport to the phone, and authenticating to a requestor that way. The passport ID information is digitally signed, so the system remains secure and works in theory.
"Verifying ID has a world-building feeling about it," says Bud. He reckons the company will be worth GBP 1 billion ($1.3 billion) within the next five years.
— Simon Marshall, Technology Journalist, special to Security Now