Authentication? Just a picture. We talk about it with the Italian startup ToothPic

Protecting your credentials and identity on the Net is a problem we increasingly have to face every day, with attacks that are ever more numerous and ever more sophisticated. The usual answer is a multi-factor authentication system, but that is just as often impractical. We talked with Julius Coluccia, CEO of ToothPic, to better understand how its technology can help both businesses and their customers and users simplify authentication.

ToothPic uses the camera sensor's fingerprint for authentication

Being able to guarantee user authentication is an increasing problem for everyone involved: on the one hand the users of the services, whose personal and financial data are at risk; on the other hand the companies providing the services, because managing intrusions is a serious problem from a technical, organizational, regulatory and reputational point of view. The trouble is that the measures that are best from a security standpoint are also the least comfortable to use, so finding a good balance between the two is essential to achieve a better overall level of security.

Julius Coluccia

ToothPic was born in 2017 as a spin-off of the Polytechnic of Turin. Coluccia (pictured above) tells us that “the company was born out of a technology developed during research at the Polytechnic that uniquely identifies devices equipped with a camera (we focused on smartphones and tablets, but it potentially extends to any object equipped with a camera), because we identify devices by a physical characteristic of their cameras.”

We had already met the company at CES 2020, where it presented its technology as one of the possible solutions to the problem of authentication. Two years on, ToothPic is ready to enter the market, with several collaborations in the development phase. But how does its technology work?

“Cameras are produced with non-ideal manufacturing processes, and these ‘non-idealities’ leave marks on the photos that are comparable to our fingerprints: on the one hand they are invisible, in the sense that as users we have never noticed that there are signals in the photos that can be extracted, and on the other hand they are unique, because, just like our fingerprints, they uniquely characterize a specific unit of a device,” Coluccia tells us.

“It is a physical phenomenon, not linked to a process the producers have control over, and it is impossible to eliminate or clone. That is the strength of our technology: we leverage that feature to identify the device uniquely and in a non-clonable way (because you can’t clone hardware). An identifier protected by our technology is effectively non-clonable: even if the device were ‘photocopied’ onto another device, even if the same model from the same manufacturer were taken, that device, having a different camera, could not pass this authentication.”

ToothPic’s technology therefore analyzes photographs taken by the device and looks for a “signature” of the sensor in the form of recurring patterns of imperfections across the photos it takes. These imperfections are characteristic of the sensor and appear in every photograph it takes, which is why the sensor can be authenticated using photographs taken automatically by the ToothPic software, without the framed subject having any relevance and without the user having to take the photos manually.
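The principle of a per-sensor noise signature can be illustrated with a constructed toy model in Python. This is an added example, not ToothPic’s code or its actual method: the sensor model (a fixed per-pixel gain error), the 16x16 images, the 3x3 box “denoiser” and the scoring threshold are all assumptions made for illustration. It enrolls a signature from several photos of different scenes, then scores a fresh photo from the same sensor against one from a different unit of the same model.

```python
import random

SIZE = 16  # constructed toy "photos" are SIZE x SIZE grey-level matrices

def make_sensor(seed, strength=0.02):
    # Constructed stand-in for a sensor's manufacturing non-idealities: a fixed
    # per-pixel gain error that every photo taken with this sensor carries.
    rng = random.Random(seed)
    return [[rng.gauss(0.0, strength) for _ in range(SIZE)] for _ in range(SIZE)]

def capture(sensor, scene_seed, read_noise=1.0):
    # One photo: a smooth scene (different per seed) times the sensor's gain
    # pattern, plus random per-shot noise that is not part of the signature.
    rng = random.Random(scene_seed)
    cx, cy = rng.uniform(0, SIZE), rng.uniform(0, SIZE)
    def pixel(x, y):
        scene = 80.0 + 60.0 * ((x - cx) ** 2 + (y - cy) ** 2) / SIZE ** 2
        return scene * (1.0 + sensor[y][x]) + rng.gauss(0.0, read_noise)
    return [[pixel(x, y) for x in range(SIZE)] for y in range(SIZE)]

def residual(photo):
    # Photo minus a 3x3 box-filtered copy, on interior pixels only: smooth scene
    # content cancels, leaving the sensor pattern plus per-shot noise.
    def box(x, y):
        return sum(photo[j][i] for j in (y - 1, y, y + 1) for i in (x - 1, x, x + 1)) / 9.0
    return [[photo[y][x] - box(x, y) for x in range(1, SIZE - 1)] for y in range(1, SIZE - 1)]

def enroll(photos):
    # Average the residuals of several photos of different scenes: per-shot noise
    # averages out, the fixed sensor pattern remains. Scene content is irrelevant.
    res = [residual(p) for p in photos]
    n = len(res[0])
    return [[sum(r[y][x] for r in res) / len(res) for x in range(n)] for y in range(n)]

def correlation(a, b):
    # Normalized cross-correlation between two equally sized patterns (-1..1).
    fa = [v for row in a for v in row]
    fb = [v for row in b for v in row]
    ma, mb = sum(fa) / len(fa), sum(fb) / len(fb)
    num = sum((p - ma) * (q - mb) for p, q in zip(fa, fb))
    den = (sum((p - ma) ** 2 for p in fa) * sum((q - mb) ** 2 for q in fb)) ** 0.5
    return num / den if den else 0.0

def match_score(fingerprint, photo):
    # Score a fresh photo against an enrolled signature; a verifier accepts above
    # a threshold (assumed here to sit between the same-sensor and other-sensor scores).
    return correlation(fingerprint, residual(photo))
```

A second unit of the same model (a different `make_sensor` seed) scores near zero against the enrolled signature, which is the point the text makes about hardware that cannot be copied.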


It is quite a different model from those adopted so far, although in the same vein. Multi-factor authentication methods usually verify one of the following factors: knowledge, for example an identifier such as a PIN code; possession, which certifies that the device being authenticated is in the user’s possession; and inherence, usually biometric parameters such as fingerprints or the face. Checking two of these factors is usually enough to have a good level of certainty that it is the right user (and not someone else) who is authenticating on the device.

Nowadays the most used factor is knowledge, via passwords, but possession is also quite widespread: think, for example, of the PIN plus number-generator token combination that many banks offer (even if the generation of numbers is now more often entrusted to smartphone apps).

“The problem is that passwords were born forty, fifty years ago, when the need to authenticate online was limited to a few technicians in the world; now each of us has dozens, if not hundreds, of accounts scattered across the Net, and it is potentially impossible to think that a different, complicated and unguessable password can be dedicated to each of them. Multi-factor authentication has been implemented in different ways, and it has basically always been a trade-off between security and usability,” explains Coluccia. “As proof, when the multi-factor authentication system was made mandatory, as for access to current accounts, each institution did its own thing, with more or less satisfactory results from both points of view.”

“On the other hand, when the system is optional, as happens for example on social networks or on well-known e-commerce or online payment portals, users tend either to be unaware that the second factor can be activated, or not to feel the need until their credentials are stolen, or not to activate it because it is inconvenient. So much so that statistics on how many people authenticate with a second factor on the main sites are never made public, because the adoption rate is very low. We have implemented our technology to be secure, and here security is provided by the technology itself, but also comfortable to use: in fact the user experience of someone using ToothPic is reduced to a simple tap on the smartphone, something extremely comfortable even for users not accustomed to technology.”

The reason most authentication methods, including ToothPic, rely on the possession factor, so that it must be combined with another, is that directly managing an inherence factor such as biometric data is very complex: acquiring and storing such data is prohibitively expensive, simply because it is extremely sensitive data whose theft would cause incalculable damage to its owner. This is why, for example, the fingerprint authentication that many banks allow in their smartphone apps is not strictly a biometric check: the bank has no access to the actual fingerprint, which is managed by the operating system, and the institution must therefore, to a certain extent, trust that the check carried out by the customer’s device is correct. This is also why, when you change smartphone, you have to authenticate with the bank again: the bank has no way of verifying that the fingerprint read on the old phone and on the new one is the same.

“Then there is the fact that biometric verification is indeed secure, but with all the limitations of the case: limitations such as size, since only a small piece of the fingerprint is read, so much so that researchers at Kraken managed to reproduce a fingerprint, with $5 worth of materials, from a photo of it left on the screen of a device, and then managed to authenticate. This doesn’t completely destroy the use of fingerprints, but assuming it is the most secure method we have is dangerous. So using a multi-factor system still makes absolute sense, just as we think it makes perfect sense not to frustrate the user who is using the object.”

ToothPic can (and, from what has been said so far, should) be used in conjunction with other methods to authenticate the user. The company has developed its own SDK, which can be used to integrate its technology into iOS and Android applications with fairly short development times. Coluccia also tells us that ToothPic’s technology can be used for device fingerprinting, that is, associating a unique and verifiable identity with a device, in order to prevent fraud.

The Latins said in medio stat virtus, virtue lies in the middle, and this remains true even today in the vast majority of cases, authentication methods included. ToothPic promises to greatly simplify the use of multi-factor authentication systems and to reduce the friction that often grows as security policies become more complex and that ultimately leads to a real reduction in security, as users look for shortcuts to avoid the complexity. We will see whether these promises are kept with the launch of the first services using this technology.