The fintech startup Aximetria developed a new private keyless voice authorisation technology for mobile banking. Voice authorisation completely obviates the need for private key generation and is sufficiently ingenious and pragmatic an approach, to secure monetary transactions.
Currently, there are many different mobile wallets on the market and each of them is built on a particular method of storing and working with private keys. The basic principle of operation of any wallet is remote or local storage of a private key, followed by password protection and/or additional physical protection.
The classical approach (besides the question of trust to the remote storing) has at least one major drawback: if you forget your password or lose it, access to the wallet can be lost forever. This problem can be solved by using the protection factors of the user’s biometric information, like voice.
In the case of the use of biometric identification technology, the accuracy of which is high enough for 100% error-free identification, it is necessary to use a database of voice samples – which can also be compromised or attacked. Aximetria’s method, however, does not store voice samples. It preserves the possibility of identification through the use of a two-level neural network, with the help of which the identification first takes place and then the private key is generated.
Thus, in order to preserve the benefits of an individual wallet and without having to store either a private key or a sample voice database, you need to save key information in such a way that it will not be accessible to anyone except the actual carrier of this biometric information or, as in the case of keyless technology, will be out most of the time (when the wallet is not in use), and will be generated only when necessary.
Aximetria was able to achieve the following main parameters of the keyless technology:
· Does not store voice print of registered users
· Does not store private keys of registered users
· For the registered user, its voice returns the same private key
· Allows you to register a new user
· Allows you to retrieve the private key of the registered user by his voice print
The current state of our technology enables you to keep a single secret for each user. To resolve this restriction, coupled with an optional additional level of protection, the following approach can be used. The user’s secret is signed with a symmetric key, provided by the user both during registration and during authorization. The signature key is not stored on the platform’s side. Using different keys allows you to save several different secrets (one key = one secret) for the same user.
The user’s secret, along with the signature, is represented as a binary string. Each bit is encoded using the matching/non-matching voice print of the authorizing user to a predetermined known print. The next level of such an approach will be the replacement of a check for compliance/non-compliance for a similarity/non-similarity check with a predetermined threshold. This improvement will eliminate the necessity to store the voice print of the owner’s secret in any form.