Biometric credential should never be stored online. Sensitive data such as a person’s unique biometric signature should never leave a trusted device nor should it be stored in a central repository that is a high-value target for hackers. The recent OPM hack has shown us that even the government isn’t safe when it comes to a target as juicy as a biometric signature repository. Therefore the end goal of any biometric authentication provider is to preserve user privacy and force hackers into the far more difficult practice of having to target every single device out there in order to obtain a payoff.
What’s the right way to run a HYPR-secure biometric cloud? First of all, validation of the biometric signature (stored safely on-device) should take place on the client side, whereas user credentials should be tokenized and validated on the cloud. HYPR server-side valuation for enterprises that provide online services can take place on premise, on cloud or in a hybrid model. For authentication across the Internet of Things, validation with the embedded HYPR SDK does not require an Internet connection.
The HYPR Platform was conceptualized with security, interoperability, and ease of implementation in mind. Here are some of the platform’s tenets:
- Biometric information should be isolated and stored only on a user’s device.
- Only a Trusted Execution Environment (TEE), Trusted Platform Module (TPM), Secure Enclave, etc. – should be used to store biometric information.
- Relying parties will have control over what biometric authenticators they utilize so long as the sensors communicate directly with trusted zones sequestered from the device’s main operating system.
- These relying, or third parties, can choose from among any compliant fingerprint sensor, voice analysis, iris scanner, facial recognition, or other biometric hardware.
- No third party working with HYPR may store or centralize biometric data in a central repository.
Once these basic conditions are met, HYPR can deploy a biometric validation server for enterprises in an On Premise or SaaS model.
- In either easy set-up model, validation of biometric credentials occurs in the cloud but the credentials are never exposed to the Internet’s insecure environment.
- HYPR server products feature an easy to use and query REST API as well as support for AD and RADIUS.
- Biometric tokenization for authentication can occur in an asymmetric FIDO UAF manner or in HYPR’s proprietary B-OTP, or Biometric One Time Password, mode.
- HYPR servers also support FIDO U2F for Universal Second Factor compliant hardware.