I’m Emil, here with our team at XIX.ai (https://getxix.com/). We are building “Entry” - a biometric identity provider that enables secure authentication in web apps by face on desktops using web cameras. It supports the SAML 2.0, OpenID Connect, and OAuth 2.0 standards and can be easily integrated into an existing app or infrastructure.
Users can securely authenticate in web apps by face, using regular web cameras without compromising privacy and security.
Entry helps organizations prevent phishing, insider threats, and account takeovers by adding Entry as a biometric factor to their workforce SSO. Companies that employ many contractors or vendors to access sensitive information can prevent fraud by verifying biometric identity during authentication.
Developers can use Entry to verify their customers (password resets), strong-authenticate users during high-value transactions (pushing code to master, deleting data, etc.), or streamline the login experience. (Documentation and self-serve are coming soon. Please reach out if you'd like to try it now.)
We came to the world of identity and access management somewhat unexpectedly. In the early days, we tested different product ideas and frequently pivoted while focusing on problems that could be solved with our core expertise, computer vision.
During our trial and error period, we were lucky enough to work with the team at DeliverFund, a non-profit organization fighting the problem of human trafficking and child exploitation.
More often than not, the only clue an analyst has is a photograph of a missing juvenile. With that photo, they need to search through the web to find any ad or other indications that may lead to the child. To locate a missing child or a victim of human trafficking, they had to manually scroll through thousands of online ads to find a potential match.
To solve this, we built a set of scrapers that capture online ads, index them, and make them searchable. We took all images and ran them through face recognition and object detection models. This enabled analysts to drag and drop a child's photo and see if they are being trafficked from ads online.
With internal expertise, we were able to build the tool back in 2018. And this experience got us thinking: with enough resources, a malicious actor will make a wide-scale surveillance system. It’s not a question of “if,” rather “when.” While brainstorming a potential solution, we realized that, fundamentally, this is an information asymmetry problem. A feasible solution must be market-based, user-privacy-centered, and optimized for perfect information.
Such a solution must satisfy a few criteria: a) it has to use a face as a biometric modality; b) it must be valuable enough for a large number of people to use it; c) biometrics must be securely stored and 100% controlled and managed by the end-user; d) it has to deliver an order of magnitude improvement in overall security and usability in comparison to existing solutions. This brings us to the world of identity and access management.
Passwords can be easily compromised. Additional factor authentication is either convenient but phishable (SMS/Voice/Backup Codes/TOTP/Mobile Push) or phishing-resistant but inconvenient, expensive, and not widely adopted (FIDO keys, WebAuthn).
Biometrics is a perfect solution but by no means a new idea. After all, we are using it already on our mobile phones (fingerprints, FaceID), specific Microsoft devices with Windows Hello, and other desktop devices with fingerprint sensors.
However, four key challenges prevented biometrics from being widely adopted: a) the need for a specialized sensor - depth perception for cameras or fingerprint sensors; b) 2D webcams are easy to spoof with replay attacks, printed attacks, and mask attacks; c) scalability, reliability, and cost-effectiveness. Products with ML at the core are notoriously computationally expensive and result in low margins. Accuracy also decays with data growth (more faces = higher chance of false positives), regressing the security over time; d) privacy. How to avoid having a copy of my face on every website/SSO I log in to?
We’ve spent the last two years solving those challenges, and we’re happy to present to you Entry. It works with a regular desktop webcam and doesn’t require installing additional software. We’ve developed several anti-spoofing layers to make sure the system is secure. Entry is compliant with CCPA/GDPR and supports users from the state of Illinois (arguably, the strictest biometric legislation in the USA).
Please give it a try: https://getxix.com/. We’ve rolled out a public Okta instance with Entry set up as a factor to showcase it. We support Okta SSO out of the gate. Others (or working with OpenID Connect) require talking to support.
If you’d like to add Entry into your SSO, use it for your customers, or secure high-value transactions, let us know. Documentation is coming soon, but we can help now.