Launch HN: Xix.ai (YC W17) – Securely authenticate in web apps by face
I’m Emil, here with our team at XIX.ai (https://getxix.com/). We are building “Entry” - a biometric identity provider that enables secure authentication in web apps by face on desktops using web cameras. It supports SAML 2.0, OIDC Connect, and OAuth 2.0 standards and can be easily integrated into existing app or infrastructure.
Users can securely authenticate in web apps by face, using regular web cameras without compromising privacy and security.
Entry helps organizations prevent phishing, insider threats, and account takeovers by adding Entry as a biometric factor to their workforce SSO. Companies that employ many contractors or vendors to access sensitive information can prevent fraud by verifying biometric identity during authentication.
Developers can use Entry to verify their customers (password resets), strong-authenticate users during high-value transactions (pushing code in master; deleting data, etc.), or streamline the login experience. (documentation and self-serve are coming soon. Please reach out if you'd like to try it now)
We came to the world of identity and access management somewhat unexpectedly. In the early days, we tested different product ideas and frequently pivoted while focusing on problems that could be solved with our core expertise, computer vision.
During our trial and error period, we were lucky enough to work with the team at DeliverFund, a non-profit organization fighting the problem of human trafficking and child exploitation.
More often than not, the only clue an analyst has is a photograph of a missing juvenile. With that photo, they need to search through the web to find any ad or other indications that may lead to the child. To locate a missing child or a victim of human trafficking, they had to manually scroll through thousands of online ads to find a potential match.
To solve this, we built a set of scrapers that capture online ads, indexes them, and makes them searchable. We took all images and ran them through face recognition and object detection models. This enabled analysts to drag and drop a child's photo and see if they are being trafficked from ads online.
With internal expertise, we were able to build the tool back in 2018. And this experience got us thinking: a malicious actor will make a wide-scale surveillance system with enough resources. It’s not a question of “if,” rather “when.” While brainstorming a potential solution, we’ve realized that, fundamentally, this is an information asymmetry problem. A feasible solution must be market-based, user-privacy-centered, and optimized for perfect information.
Such a solution must satisfy a few criteria: a) has to use a face as a biometric modality b) must be valuable enough for a large number of people to use it c) biometrics must be securely stored and 100% controlled and managed by the end-user d) And it has to deliver an order of magnitude improvement in overall security and usability in comparison to existing solutions. This brings us to the world of identity and access management.
Passwords can be easily compromised. Additional factor authentication is either convenient but phishable (SMS/Voice/Backup Codes/TOTP/Mobile Push) or phishing-resistant, but inconvenient, expensive, and not widely adopted (FIDO-keys, Webauthn).
Biometrics is a perfect solution but by no means a new idea. After all, we are using it already on our mobile phones (fingerprints, FaceID), specific Microsoft devices with Windows Hello, and other desktop devices with fingerprint sensors.
However, four key challenges prevented biometrics from being widely adopted: a) the need for a specialized sensor - depth perception for cameras or fingerprint sensors b) 2D webcams are easy to spoof with replay attacks, printed attacks, and mask attacks. c) Scalability, reliability, and cost-effectiveness. Products with ML at the core are notoriously computationally expensive and result in low margins. Accura...
53 comments
[ 3.4 ms ] story [ 102 ms ] threadHow is this better/different than the face identification built into the major platform providers accessible via WebAuthN? My understanding was that WebAuthN was supported by the latest version of major browsers: https://caniuse.com/webauthn
Choose one.
The one problem I had was that face detection using the webcam is not be accurate, e.g., it can be easily fooled using a printed photo of the person or changing the webcam input to use a static photo. With WebAuthn, however, this is not possible because it connects to the device’s native authentication. On macOS, for example, it’s much harder to spoof Touch ID.
How would you go about preventing such problems? Isn’t it better to provide an Auth0-style SDK to use WebAuthn with SSO, or do you think using this cloud based image recognition system is as foolproof as the native options?
For SSO, Entry can be added as SAML 2.0 Factor today. I agree if we would not have solved the spoofing problem, taking the Auth0-style route for native platforms is the way to go.
> Entry addresses the spoofing issue from 2D input by using an anti-spoofing algorithm that processes a sequence of images obtained from a single camera to build an accurate 3d face reconstruction based on facial key points. Additionally, it estimates the pixel distribution of the input image to detect attacks. Aggregation of both methods achieves high accuracy for detecting attacks on face recognition systems.
They detect mask-attacks, replay attacks (put the phone with video into the camera; highjack a webcam input and send a pre-recorded video faking to be real-time from zoom for example), and, of course, still images.
Give it a try!
btw, https://gazepass.com does this as well.
The third party service we have now is well below expectations, so we would be glad to try out something new.
1: https://dev.to/unqlite_db/implement-a-minimalistic-kyc-form-....
Was there an audit but independent privacy focused organization done of your claims? Till then any privacy claims are just claims. New day, new privacy friendly face recognition that will website big corporations to do tracking in the name of "kyc" and security
Very curious to see what makes this anti-spoofing algo different, will read the paper with interest.
In reality, the production-grade security comes from a compound effect of three components: face-recognition, antispoofing for face recognition, and traditional controls of industry-standard protocols like SAML 2.0, OIDC, etc. Taking one of three out of the equation renders security nonexistent.
First, let me say that on mobile devices, I literally loathe Face ID. There are lots of reasons for this:
- Fingerprints are just more convenient. Apple, for example, argued the false positive rate way too high. For me, as a user, I'm more concerned about the false negative rate. I think Apple just wanted more screen real estate. They could've easily put the sensor on the back (eg like the Samsung Galaxy S8).
- I have poor vision. I have to look at my phone close, same with my computer. And no this isn't an issue of better glasses or surgery. This caused Face ID to fail because I'm not in the expected frame. So I have to hold my device further away and try again. This is incredibly annoying;
- Touch ID has a much lower false positive rate on whether to initiate a check. That's because you've pressed the button. Face ID has to guess and it guesses wrong (a lot);
- I can't speak for other manufacturers but Apple at least puts in arbitrary security controls like N failures mean having to use my passcode many times a day whereas with Touch ID it's actually super rare;
- Masks!
- Touch ID isn't dependent on sufficient lighting
More context: prior to Touch ID I didn't use a passcode on my phone at all. It was simply too annoying. Face ID, for me, is too close to having to use a passcode too often.
I mention this as context for why I personally think facial recognition as an authentication tech is a terrible user experience in many, many cases.
Desktop is probably a little better because issues like your face not being in frame are going to be less of an issue. In my case I still have to sit close to the screen but my face is still within frame.
Phone manufacturers make this approach more resistant to spoofing by using other sensors. You say you've spent effort to avoid spoofing and hopefully that's true. I would be concerned that there's only so much you can do with a single vision camera and no other sensors.
Phones (and tablets) also have the advantage in they have a single manufacturer. Desktops are still put together with independent peripherals. That's... less secure.
Lastly, it's not a given that someone using a desktop or a laptop has a camera that's facing them.
-> Fingerprints are just more convenient. Apple, for example, argued the false positive rate way too high. For me, as a user, I'm more concerned about the false-negative rate. I think Apple just wanted more screen real estate. They could've easily put the sensor on the back (eg like the Samsung Galaxy S8).
I agree, a matter of fact fingerprint sensor on the back of a phone is arguably the most efficient way to unlock a phone. With desktops, it varies quite significantly.
-> - Masks!
for what its worth, one user told us that they have successfully logged in while having a green mint facial care mask on..:)
-//-
By no means Entry is the best tool out there, nor we claim it to be so. Here are a few known flaws:
- if someone has two or three monitors and it is unclear where the camera is, it requires some time to get used to, which may be annoying - to your point, Entry will not work in a pitch-black room - Entry is by no means "fingerprints-fast": as a factor, Entry competes with the time it takes to reach a phone and click on push notification. For example, mean time to verify using Okta Verify (default mfa solution for okta sso) is ~21 seconds. For Entry it's 30 seconds. We still need to work on that (although our users still choose Entry over Verify, we ask to have both factors set up :) )
My current client uses Okta Verify. It takes 5-8 seconds from clicking "Sign In" on my laptop to receiving the Okta push prompt on my phone to unlocking my phone and clicking "Yes, it's me" and then getting the full authenticated post-Okta desktop landing page.
I'm asking because I've been in a similar situation (different area of computer vision) where nontechnical stakeholders are looking for assurances that the model is not going to fail under essentially unknown conditions. And same as you, we had some ideas, but it's hard to validate what best speaks to people, so was curious to hear if you had looked at it. Thanks!
Early on, we've conducted a handful of end-user interviews - knowledge workers, various industries, fluent with computers. We conducted a series of hour-long video calls, recorded them with permission to re-watch them later, and asked the questions like - how do you think about privacy? How do you think about the performance of faceID or similar? How do you think about biometrics and privacy? Will you be open to try a solution that uses your biometrics from an unknown vendor? Etc.
The result, somewhat surprisingly, boiled down to a few bullet points: 1. Performance- "If it works and I can log in, that's enough assurance." 2. Privacy and data - "Have an FAQ section or show in me onboarding that you don't sell my data for surveillance - that's good for me."
We've been prepared to answer the "SOC 2 Type2 -style" question regarding performance and data privacy, but no one really cared. What users did care about is "can I add this app to my account?" and other feature requests.
I wonder if / how the concerns will change for different use cases, e.g KYC.
It may also be a question of educating users about the things they should care about.
I don't believe this vague blanket claim. How much are you paying somebody who proves you wrong? A million dollars? No? Then I should assume anybody who can spoof this and would like a million dollars might do so unless the total value secured is assured to be less than one million dollars (in which case I expect this project will be gone by summer).
XIX ends up capturing a huge amount of facial recognition data and then storing it somewhere indefinitely in "the cloud" to inevitably get stolen and then no doubt we can expect a PR crafted apology and an insistence you've learned your lesson.
Every single time a person authenticates, video of their face is transmitted over the network. I have no doubt you'll say it's ephemeral and you don't store that video, but of course the users have no way to assure themselves of that, they just know they sent it.
Overall my impression is that this delivers markedly worse real world security than WebAuthn and has terrible privacy issues that can't be fixed.
As for the "overall impressions", It is usually recommended to try something first and then form an impression. Otherwise, it's just an opinion
This is probably the worst response possible, and makes me believe GP is correct, because you don’t have any real response to their critiques.
Also how can I try out what happens when you get subpoenaed by a government for facial data of specific users or all users?
A lot of people who would have given you the benefit of the doubt just got the opposite impression of your company after reading this response.
I really was hoping this meant that biometrics were stored on the client. But, from reading the comments here it sounds like they’re stored in the cloud. Storing my biometrics in the cloud is gonna be a no from me.
[0]: https://www.youtube.com/watch?v=n3dPBiQa5bw
Context: We are imminent super-users of facial recognition to perform proof of life verification for our new tontine pensions platform (see https://tontine.com).
Tentative agenda: Overview of the product
- Addressing individual concerns from HN comments- Q&A
How to hack someone relying only on biometrics:
- Craft malicious app that looks entertaining and record whatever biometrics you're recording
- Hand your phone to victim
- Congrats, you have valid biometrics data (2d, depth information, fingerprint) you can use to login as a victim! Even better, they can't change their face or fingerprints
You can invalidate old entries and detect variations but you still have a unsafer model. I can see a use for it if it's massively convenient (Eg. Detecting users in a physical location from CCTV) but if the user needs to take a selfie to login on a website, that could become annoying fast.