This story is over 5 years old.

Forget Fingerprints, Bionic Identity IDs You Through Your Friends

Everywhere we go, we're constantly proving that we are who we say we are.
June 7, 2014, 1:00pm

Image: Bionic Labs

Everywhere we go, we're constantly proving that we are who we say we are. In the identity-obsessed world, lose a wallet containing a driver's license and debit or credit cards, and you're pretty much screwed. Bionic Labs' new app, Bionic Identity, hopes to give its users an end-around to this problem by leveraging social circles to verify a person's identity.

The concept behind Bionic Identity, which recently debuted at Re/Code, indirectly originated after an interview Bionic Labs creator Dimitri Tkachev did with a deaf person. Tkachev said their mutual focus, eye contact, and facial expressions transcended his lack of knowledge of sign language.

"The same power of connection established between two people—the ability to quickly refer to past events, notice and remember mutual expressions, emotions, personality quirks—is what makes it challenging to replicate, yet easy to authenticate a person in a conversation over video, voice only or even text in a carefully controlled environment, facilitated by the growing strength and increasing coverage of modern communication networks," he said.

In situations where confirming authenticity of identity is either really important or time-critical, Bionic Identity selects two or more people, called "Guardians," from a pre-defined social circle. This circle is primarily set up in advance by users either on an Android or iPhone device. The app lays down a video or audio call lasting ten seconds for each Guardian.

Tkachev said that this "short, time-bound conversation" offers enough time for each Guardian to speak and naturally authenticate a user's identity, based on common interests, hobbies, memories, experiences, or even business deals. At the end of each call, Guardians have to make a simple choice, yes or no, to confirm whether they believe the person on the other end is the real user or someone else.

"The beauty of the process behind Bionic Identity is that your social circle (Circle of Trust) only gets stronger as you invite more individuals having different types of relationships and associations with you," Tkachev told me. "Today, it is quite common to 'trust' a small number of very close people (mother, father, wife, daughter, two or three friends), whereas with Bionic Identity we are redefining the notion of trust away from any particular individual whom you consider trustworthy today towards a distributed logic of a group of people."

Bionic Identity's social circle verification process can grow stronger as friends are combined from Facebook, colleagues and competitors on LinkedIn, family members on Path, Twitter and Instagram followers, neighbors, and so forth. Any of these individuals, regardless of the level of trust, can make mistakes in identifying users. Tkachev cited bad mood, sleepiness, rooted device, malware, and coercion as a few reasons for ID authentication errors.

As for how secure Bionic Idenity is against malicious hacking and other forms of tampering, Tkachev cautions that no system is impenetrable, but Bionic Labs is building at team capable of responding quickly as the app matures.

"We are leveraging military grade encryption and sound industry crypto and key rotation practices (TLS, Perfect Forward Secrecy, AES, ECDH) for transit, data storage and device side crypto," he said. "The mistakes are typically made in the actual implementation versus high level crypto definitions, as has been evident over the last several years."

_ "[W]hen we do ask for full or partial access to an address book, we believe we should have the appropriate processes and systems in place to safeguard this information." _

Tkachev intends to make public the full details and logic behind Bionic Identity's encryption choices for peer review. The goal is to exceed encryption compliance requirements, and reduce reliance on storage of sensitive information, such as date-of-birth, mother's maiden name, social security number, and other typical ID authentication measures.

The number of Guardians needed for authentication varies, depending on the importance of the task at hand. For a family matter like a credit card payment, it might require only one or two people. A large personal bank transaction or account password rest could require three or four Guardians. Large business transactions could have three, four, or more. Users, however, set the preferences.

Bionic Identity also offers anti-collusion protection with a proprietary algorithm. This would make it challenging for a bunch of Guardians to collude against users, which could prove useful in combating family fraud or business insider threats. Again, Tkachev suggests a larger pool of Guardians will only enhance these protections.

But, how practical is this technology in an age when many people don't answer texts, calls, video messages, or other forms of communication with lightning speed? A delay of this sort could be problematic. And if a users' friends and family are notoriously lazy communicators, the user could be a bit screwed.

Image: Bionic Labs

"Time is of essence, yet it's relative when you start thinking about how long it takes to wait for a call center rep, how many times you get transferred from one department to another, and how long it takes to answer all the security questions," said Tkachev.

"When someone’s wallet gets stolen it usually takes hours, days, or weeks to recover," he added. "If you are getting a new phone or trying to perform a bank transaction exceeding, for example, ten percent of the entire account, it seems to be reasonable to wait for two to five minutes to minimize chances of identity and property theft."

Bionic Identity claims it also works to safeguard users' address books, which is vital in this age of state surveillance.

"The address book historically has been one of the most valuable sources of social graph creation, and should be carefully guarded by any service asking to have access to it," Tkachev said. "Bionic Identity is not an exception, so when we do ask for full or partial access to an address book, we believe we should have the appropriate processes and systems in place to safeguard this information."

Since Bionic Identity relies on number and variety of Guardians, any success will depend on how many users download the app after its expected late summer release. On the upside, consumers will be able to use the web and mobile app versions for free because enterprise customers will pay a fee. But Bionic Labs will have a lot of competition: The authentication market is expected to balloon to a $5.45 billion industry by 2017.