Startup Badge promises to make biometric authentication safer, easier

Kaufman, who served at DARPA from 2005 to 2015 in various roles that included director of cybersecurity, said our online accounts are not as secure as we think, despite fancy technology used in authentication. “The hackers always win,” he said.

Apple’s Face ID, for instance, is a technological marvel. The iPhone creates a 3D map of your face and stores a version of it inside the phone’s “secure enclave.” When you use Face ID, the phone maps your face again and compares it to the one stored on the device, ensuring it’s really you. Your bank can use Apple’s Face ID, too, by storing a key that can only be unlocked by your device. It’s essentially flawless, except for a glaring problem: if you lose your phone or get a new one, you have to use a different method.

That means your bank has to let you prove your identity in other ways, like providing your mother’s maiden name, or the town where you were born. Hackers can get that information easily.

It’s essentially like having the world’s strongest vault, but always leaving a side door open in case someone forgets the combination.

Badge’s method differs in that no device is necessary to store a copy of your face, or fingerprints or any other method. If you used facial recognition to enroll in online banking, there would be a key generated based on your face that the bank would store. But the key wouldn’t be useful on its own.

That’s not just because it’s encrypted — Badge says it is even theoretically resistant to quantum computers — but because it really only matches the person’s face approximately. It’s sort of like a bouncer who is there to let in only one special guest into a night club. But the bouncer doesn’t know who the guest is until they show up at the front of the line. (This is how the concept got the name “fuzzy”). When the bouncer sees that person, they suddenly remember the code to the door lock.

Each time a person enrolls with a new Badge credential, a new bouncer is created, sharing no similarities with any of the others. So even if a hacker were to tie one of the “bouncers” to a particular user, it couldn’t be used to identify that person in other hacks, or unlock any of the person’s other accounts.
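The mechanism described above, where stored data only yields the secret when the right person shows up, is what cryptographers call a fuzzy extractor. The block below is an added illustration, not Badge’s code and not a description of Badge’s actual construction: a toy code-offset fuzzy extractor over a constructed bit-string template, where the repetition code, the 120-bit template and the flipped bit positions are all stand-ins.

```python
import hashlib
import secrets

# Toy code-offset fuzzy extractor with a bit-repetition code (illustration only).
# Enrollment stores public helper data; the key comes back only when a reading
# is close enough in Hamming distance to the enrolled template.
R = 5   # each message bit is repeated R times, so a block survives (R-1)//2 = 2 flips
TEMPLATE = [int(c) for c in "1011001110" * 12]   # constructed 120-bit stand-in for a face template

def _decode(codeword):
    # Majority vote per R-bit block; wrong whenever a block has more than 2 flips.
    return [1 if sum(codeword[i:i + R]) > R // 2 else 0 for i in range(0, len(codeword), R)]

def _derive_key(message, salt):
    return hashlib.sha256(salt + bytes(message)).hexdigest()

def enroll(template):
    """Return (helper data that is safe to store, key); fresh randomness every time."""
    message = [secrets.randbelow(2) for _ in range(len(template) // R)]   # 24 random bits
    codeword = [bit for bit in message for _ in range(R)]
    sketch = [w ^ c for w, c in zip(template, codeword)]   # template XOR random codeword
    salt = secrets.token_bytes(16)
    key = _derive_key(message, salt)
    check = hashlib.sha256(key.encode()).hexdigest()        # lets reproduce() detect failure
    return {"sketch": sketch, "salt": salt, "check": check}, key

def reproduce(helper, reading):
    """Recover the key from a noisy reading, or None when it is too far from the template."""
    noisy = [r ^ s for r, s in zip(reading, helper["sketch"])]   # codeword XOR (w XOR w')
    key = _derive_key(_decode(noisy), helper["salt"])
    return key if hashlib.sha256(key.encode()).hexdigest() == helper["check"] else None

def flip(bits, positions):
    """Constructed sensor noise: the template with the given bit positions inverted."""
    return [b ^ (i in positions) for i, b in enumerate(bits)]

def demo():
    helper, key = enroll(TEMPLATE)
    helper2, key2 = enroll(TEMPLATE)                       # same face, second enrollment
    close = flip(TEMPLATE, {0, 1, 7, 12, 33, 59, 118})      # at most 2 flips in any 5-bit block
    far = flip(TEMPLATE, {0, 1, 2})                        # 3 flips in block 0 beat the majority
    # Caveat: with a linear code, sketch XOR sketch2 is itself a codeword, so two sketches
    # of one template are linkable; real deployments need stronger constructions for that.
    return {"exact": reproduce(helper, TEMPLATE) == key,
            "close": reproduce(helper, close) == key,
            "far": reproduce(helper, far),
            "independent": key != key2 and helper["sketch"] != helper2["sketch"],
            "second_enrollment": reproduce(helper2, close) == key2}
```

The caveat comment is the point a practitioner should take away: the plain linear-code version recovers the key from an approximate match, but on its own it does not deliver the cross-enrollment unlinkability the article attributes to Badge.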

The benefit of the method is that users aren’t bound to a single device. They can use their faces as an authentication method from anywhere, and there’s no information stored that could be useful to hackers.

Usually, better security means less convenience and more complexity. In this case, it’s much simpler.

Badge shared one real-world example: one of its clients uses it in an office environment where employees share workstations. When an employee sits down at a desk, the computer automatically unlocks based only on facial recognition and loads that person’s profile. But when they log in outside the office, they use facial recognition in addition to a PIN. If they forget the PIN, they can reset it from the office.

“We’re finally able to deliver the secure and private internet envisioned more than 40 years ago,” Kaufman said.

Badge has signed deals with Microsoft, Cisco, Okta, and others, charging customers on a per-user basis.
