What is an Eyeprint?
The Eyeprint comprises micro features in and around the eye, starting with the blood vessels that are visible in the whites of the eye. Biometric scientists with deep subject matter expertise refer to the human biological features used in the Eyeprint as "scleral vasculature, ocular and periocular micro-features." Just like fingerprints, those blood vessel patterns and other micro features have many feature points and patterns that can be used to authenticate an individual. In addition, these patterns and feature points are highly stable over time.
Because Eyeprint ID uses both blood vessel patterns and other micro features, we call it a multi-modal solution – one that uses two biometric modes. The addition of the other micro features in 2015 strengthened the accuracy and usability of the technology. Read more on the multi-modality of Eyeprint ID.
What is not an Eyeprint?
The Eyeprint does not use the iris, the colored ring in the center of the eye. Iris recognition technology today typically requires a near-infrared camera to read the patterns in the iris. In contrast, the Eyeprint can use a normal front-facing smart device camera.
The Eyeprint also does not use the retina, which is the layer of tissue on the back inside of the eye. Because of the location of the retina inside the eye, retina scanning requires special hardware that is not currently available on mobile devices.
See Biometrics 101: The Eye and its Biometric Applications for more information on the different parts of the eye.
How Does Eyeprint ID Work?
The first time someone uses Eyeprint ID, they create an enrollment template. Eyeprint ID uses the regular front-facing smart device camera to capture images of the visible blood vessels and other micro features of the eye. It segments and enhances those images, detects and extracts feature points and patterns, and then discards the images. The template is obfuscated, isometrically scrambled and encrypted on the device.
Also on enrollment, a user identifier chosen by the application owner (bank, payment company, etc.) is encrypted and stays in an encrypted state. The user identifier can be any piece of information designated by the financial institution. It can only be decrypted with the REZA Key, which in turn can only be generated with a successful Eyeprint verification.
During verification, the same steps for image capture, processing and encryption with the device ID apply. The data is then compared to the encrypted enrollment template on the device. Upon successful match, a key is generated which decrypts the user data and authenticates the user.
Note that Eyeprint ID is a verification solution rather than an identification solution. Verification looks at a previously enrolled template and says, “Yes, this person’s features match the data in the template.” An identification solution will look for a match of a person’s features against a database of templates to determine who that person is. For more on verification vs identification, read our blog post on the topic.
How Does Eyeprint ID Work Within My Mobile App?
EyeVerify lets you define when enrollment and verification take place. As a result, you are able to apply the Eyeprint ID technology to whichever use case you require (see some use cases here). You are also able to define the User IDs used by the Eyeprint ID system, as well as other security options.
When the user initiates the action that requires authentication, the user is prompted to scan their Eyeprint. A successful match will result in the creation of the REZA Key, which is then used to decrypt the user data. The user data is sent back to you, and the user is authenticated.
In addition to the user data, EyeVerify provides a few other authentication tokens that you are able to use at your discretion. These are available for Android today, and will be available for iOS soon.
What Is the REZA Key?
The REZA Key, developed internally at EyeVerify, is a mathematical algorithm that we use to secure the enrollment template and facilitate matching. It ensures cryptographic consistency and that the authentication process hasn’t been compromised. The REZA Key allows us to generate a unique and consistent representation of a biometric template, and it protects the biometric data with a high entropy encryption key – equivalent to a 50-character complex password.
The REZA Key also ensures that the device hasn’t been tampered with and that the template hasn’t been moved to another device.
How is the Enrollment Template Secured?
During the enrollment process, genuine feature points are chaffed with fake feature points. These are then whitened (reduced to a smaller set of relevant points), shuffled and salted using the unique device-ID. After these steps, the original data set is completely obfuscated. If the template were compromised, an attacker would find it impossible to get back to the original set of genuine feature points.
During the verification process, the genuine feature points go through the same shortening, shuffling and salting processes. Since the unique device-ID is the same, the verification features are scrambled to the same scrambled state of the enrollment template. The matching process is done in the scrambled state. A minimum number of genuine points is required for an authentication.
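The enrollment and verification flow described above, as an added toy example (not EyeVerify's code and not the REZA Key): it shows chaff points, a device-ID-salted transform, matching in the scrambled state and a minimum match count. HMAC-SHA-256 is swapped in as the keyed transform, and the grid size, chaff count, threshold, device IDs and points are all constructed assumptions; the whitening step is not modelled.

```python
import hashlib
import hmac
import random

GRID = 64         # assumed quantisation grid for feature-point coordinates
MIN_MATCHES = 8   # assumed minimum number of genuine points for a match


def scramble(point, device_id):
    """Keyed one-way transform of one (x, y) point, salted with the device ID."""
    msg = f"{point[0]},{point[1]}".encode()
    return hmac.new(device_id, msg, hashlib.sha256).digest()[:8]


def enroll(genuine, device_id, n_chaff=40, rng=None):
    """Mix genuine points with random chaff, scramble each, shuffle the result."""
    rng = rng or random.SystemRandom()
    points = set(genuine)
    target = len(points) + n_chaff
    while len(points) < target:
        points.add((rng.randrange(GRID), rng.randrange(GRID)))
    template = [scramble(p, device_id) for p in sorted(points)]
    rng.shuffle(template)   # stored order carries no information
    return template


def verify(probe, template, device_id):
    """Scramble the probe the same way and count matches in scrambled form."""
    stored = set(template)
    hits = sum(scramble(p, device_id) in stored for p in set(probe))
    return hits >= MIN_MATCHES, hits


# Constructed sample data (not real biometric measurements).
GENUINE = [(3 * i % GRID, 7 * i % GRID) for i in range(1, 21)]
PROBE = GENUINE[:12] + [(1, 1), (2, 60), (50, 9)]   # 12 re-detected + 3 spurious
IMPOSTOR = [((5 * i + 1) % GRID, (11 * i + 2) % GRID) for i in range(1, 18)]
DEVICE_A, DEVICE_B = b"device-id-A (constructed)", b"device-id-B (constructed)"

if __name__ == "__main__":
    tpl = enroll(GENUINE, DEVICE_A)
    print("same user, same device :", verify(PROBE, tpl, DEVICE_A))
    print("impostor, same device  :", verify(IMPOSTOR, tpl, DEVICE_A))
    print("template moved to B    :", verify(PROBE, tpl, DEVICE_B))
```

In this toy the scrambling is only as secret as `device_id`, since anyone holding it can recompute the token for every grid cell; the page's scheme additionally encrypts the template on the device.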
How Accurate Is It?
In independent studies, Eyeprint ID achieved a 1/50,000 False Accept Rate (FAR) with a False Reject Rate (FRR) of less than 2 percent.
Note that we use 1/50,000 because Apple uses this FAR to describe Touch ID, and Google has also required this FAR as part of its fingerprint specifications for Android devices. The False Accept Rate can be adjusted up or down, with a resulting impact on the False Reject Rate. If the FAR is set to a less stringent 1/1,000 (PIN replacement) or 1/10,000 level (password replacement), the FRR will drop as well. The different FAR settings impact the verification speed, and you can balance your security requirements against your performance requirements. Download the Accuracy Study.
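The FAR/FRR trade-off described above, as an added example (not from EyeVerify or its accuracy study): it picks a match-score threshold for each of the three FAR levels named on this page and measures the resulting FRR. The score distributions are constructed Gaussians and every function name is an assumption of this example.

```python
import random

OPERATING_POINTS = (1_000, 10_000, 50_000)   # the "1 in N" FAR levels named above


def threshold_for_far(impostor_scores, one_in):
    """Threshold at which at most 1 in `one_in` impostor scores is accepted."""
    ranked = sorted(impostor_scores, reverse=True)
    allowed = len(ranked) // one_in           # impostor attempts allowed through
    return ranked[allowed]                    # accept only scores above this


def rates(genuine, impostor, threshold):
    """Measured (FAR, FRR) when a score is accepted if it exceeds threshold."""
    far = sum(s > threshold for s in impostor) / len(impostor)
    frr = sum(s <= threshold for s in genuine) / len(genuine)
    return far, frr


def sweep(seed=7, n_impostor=200_000, n_genuine=5_000):
    """Constructed match scores: Gaussian impostor and genuine distributions."""
    rng = random.Random(seed)
    impostor = [rng.gauss(0.30, 0.08) for _ in range(n_impostor)]
    genuine = [rng.gauss(0.75, 0.10) for _ in range(n_genuine)]
    rows = []
    for one_in in OPERATING_POINTS:
        t = threshold_for_far(impostor, one_in)
        far, frr = rates(genuine, impostor, t)
        rows.append((one_in, t, far, frr))
    return rows


if __name__ == "__main__":
    for one_in, t, far, frr in sweep():
        print(f"FAR target 1/{one_in:>6}: threshold={t:.3f} "
              f"measured FAR={far:.6f} FRR={frr:.4f}")
```

Measuring a 1/50,000 FAR needs far more than 50,000 impostor comparisons, which is why the constructed impostor set here is 200,000 scores.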
How Does Eyeprint ID Prevent Spoof Attacks?
When someone who is not the authorized user attempts to authenticate using a photo or video of the user, that is called a spoof attack. Eyeprint ID uses a decision engine that incorporates several different detection algorithms to determine the likelihood that the verification event is a spoof attack. You are able to select your spoof detection settings to be fastest, strongest, or balanced. The decision engine continues to evolve as new spoof detection algorithms are developed.
How Do I Use It?
Eyeprint ID is a Software Development Kit (SDK) that is simple to integrate into your existing Android or iOS mobile application. We find that most companies take no more than a week to integrate the technology, and some do it within hours. The length of time typically depends on the resources you have available.
Most partners spend most of the time on testing, customization of the user interface and security review rather than the actual integration.
EyeVerify provides support to contracted customers at each phase of the integration.