The idea of using biometrics as an authentication mechanism has been around for many decades, largely popularized by science fiction, which in turn challenged technologists to make fiction a reality. Once a holy grail of the security discipline, biometrics have now been proven feasible.
Face recognition, as a contactless method of authentication, delivers the proverbial “10x improvement” over passwords, logins, one-time password codes, MFA, and the like. To strike the perfect balance between security assurance and user experience, the underlying technology stack must address a few key issues: vulnerability to spoofing attacks, imbalanced classes in training sets that result in “biases” in face recognition models, and, most importantly, privacy and civil liberty concerns.
02. Facial Recognition
At the core of Entry is a face recognition model with a rich internal data representation that enables recognition and authentication of users who have created accounts with Entry. Unlike many others, the model was trained on a proprietary dataset that was collected with user consent and specifically for Entry. This addresses the core issue with the existing academic datasets used in production: imbalanced classes. The resulting model achieves less than 10% deviation between classes, and built-in visual data quality control ensures data consistency. Every time a user logs in, the model gets better and better. To make the system robust, Entry uses a secure and scalable face search engine and blazingly fast face detectors. All of this makes the authentication process extremely fast and delivers a delightful user experience.
03. Safety and Anti-spoofing
Anti-spoofing is a set of techniques used to protect against a variety of attacks, such as printed attacks, replay attacks, and mask attacks. Entry addresses spoofing from 2D input with an anti-spoofing algorithm that processes a sequence of images obtained from a single camera to build an accurate 3D face reconstruction based on facial key points. Additionally, it estimates the pixel distribution of the input image to detect attacks. Aggregating both methods achieves high accuracy in detecting attacks on face recognition systems. Today, the probability of an attacker gaining access to an account is 1:1,000,000, which is on par with iPhone’s Face ID. The anti-spoofing algorithm gets better and better every time someone uses Entry.
04. Privacy
The privacy of the end user is of utmost importance to XIX. Entry as a product was conceived as a solution to the privacy issue and the abuse of civil liberties. Our team has 30+ years of combined experience in computer vision and face recognition technologies. XIX has developed expertise on this topic by spending countless hours on research, writing hundreds of thousands of lines of code, and shipping dozens of production systems. With the benefit of knowing how things work comes the benefit of the most optimal solution. Lessons from history show us that any emerging technology with such potential will always be abused by those in power. Banning an emerging technology from being used does not work. We believe that the only way to address the privacy issue is by using market mechanisms and restoring information asymmetry. The goal of Entry is to enable users to control their biometric data, decide with whom to share it, and have exclusive access to that data. The end goal is to reach adoption to the point where it makes no sense for any government or corporation to build such a system themselves, just as there is no point in building a search engine today. When a user creates an account with Entry, they can opt in to and opt out of web apps without actually “sending” biometric data to anyone. As a user, you maintain ownership of your data, biometric data, and content. XIX does not access or use your data for any purpose without your consent. XIX never uses customer data or derives information from it for marketing or advertising. And we never sell any customer data or information to others.
05. Security Controls
Entry leverages AWS instances to deliver encrypted storage and data processing. AWS complies with ISO 27018, a code of practice that focuses on the protection of personal data in the cloud. It is based on ISO information security standard 27002 and provides implementation guidance about ISO 27002 controls that are applicable to personally identifiable information (PII) processed by public cloud service providers. For more information, or to view the AWS ISO 27018 Certification, see the AWS ISO 27018 Compliance webpage.