FindBiometrics President Peter O’Neill recently had the opportunity to speak with Aerendir CEO Martin Zizi and the company’s Chairman Pierre Pozzi, the makers of the NeuroPrint – one of the most ambitious and novel new biometrics technologies, which uses proprioceptive neurophysiology for authentication. The interview begins with an overview of NeuroPrint from Zizi, explaining how proprioception is used for identity and authentication purposes, and revealing the elegant inspiration behind the technology. The conversation moves to discuss the benefits of physiological biometrics like NeuroPrint, before delving into the cloudless technology behind Aerendir’s mobile authentication solution. The talk ends with Pozzi detailing the vertical markets Aerendir is targeting with NeuroPrint, shedding light on its applications in banking, mobile access, IoT, and proof-of-humanity scenarios.
Read our full interview with Martin Zizi, and Pierre Pozzi, Aerendir Mobile, Inc.:
Peter O’Neill, President, FindBiometrics: Aerendir’s NeuroPrint technology is a real paradigm shifting biometric solution. Can you describe NeuroPrint for our readers please?
Martin Zizi, Aerendir Mobile, Inc.: This biometric solution extracts a unique proprioceptive signature, called NeuroPrint, from micro-vibrational patterns in the user’s hands, using the accelerometers and the gyroscopes that are standard in today’s mobile devices. The solution can be used as a standalone authentication or to add new authentication and encryption functions to an existing schema.
To better understand our technology, we first need to visualize the brain as a full computer composed of millions of processing units that can function independently. That means because it is super, super parallel, you can have huge density and transfer of information between the brain and our body, whether it is the skin (sensory path) or the muscle (motor path).
The second thing the reader needs to understand is that the brain changes and modulates its many networks connections, those connections are ever changing in time because of what we call learning, that learning and adapting the brain networks is just going through life.
The third concept, which is easy to grasp is that the part of the cortex, the part of the brain that controls our motricity, is stable once we finish growing. If it was not stable we wouldn’t be able to function normally. How stable can it be? Think about losing a limb, it may take years before a patient loses the ‘presence’ of a phantom arm or leg following an amputation.
The fourth concept is the point-to-point mapping between the muscles in our bodies and the motor cortex. The brain has cartography of all our muscles. If it was not so, then the brain couldn’t help us function in a 3D environment either. We have an image of our body in our motor cortex, and this image – let’s call it a pixelated body view – is needed to be able to move in our external environment. How our body knows about its muscles is called proprioception. An example of proprioception is when you close your eyes you can still find your nose and your ears and your mouth because the brain has an image of this.
FindBiometrics: How do you apply proprioception to identify and authenticate?
Martin Zizi, Aerendir Mobile, Inc.: This point-to-point mapping or cartography of the hand has the highest resolution in our brain motor regions. The mapping (pixelated body view) of the hand represents one third of the information processed by the motor cortex. This is why the hand is so important because it is so well connected to the brain. The muscles in our hands are densely connected with our brain map. Those muscles in our hands shiver an average of 10 to 20 times a second, this shivering is nearly invisible and corresponds to individual muscle fibres controlling their length. It turns out the phone sensors are sensitive enough to measure those micro-vibrations in the hand.
It is important to make clear that our technology does not measure any motion or attitude of the hands or the arms, our technology simply senses those vibrations. This is not about playing tennis or holding a cup. Even if your hand doesn’t move, you still have these vibrations (which correspond to the quality control loops of our muscles). Because there are no two brains alike in all humans, this enables the phone to recognize essentially the wiring of each brain. It is akin to a brain scan from the palm of your hand. We get a physiological signal from the brain that can be used to authenticate any individual and, at the same time, this signal can also be used to pretty much encrypt anything.
FindBiometrics: It is a very fascinating technology, where did the concept for the NeuroPrint come from?
Martin Zizi, Aerendir Mobile, Inc.: It has been known for ages that the brain of each individual is different because of our learning and training. Proprioception has been studied for ages. I discovered that the sensors on the phone were extremely sensitive and could measure the shivering motion of your hand while holding the phone. Then I tested it and I could recognize my right from my left hand. And then I thought if I can recognize my right from my left hand, which have to be different, I can recognize any individual on this planet.
FindBiometrics: It is extremely innovative in that it isn’t a physical characteristic or a signature behavioral profile but a physiological trait. What are the unique benefits of physiological biometrics?
Martin Zizi, Aerendir Mobile, Inc.: It reflects us because if you look at a physical feature like a fingerprint, an iris scan, or whatever characteristics. These are static “pictures”, that we can store and protect. But what if we lose it? What if a database is breached, as they all are? Differently from passwords, for example, we cannot get new sets of fingerprints or different irises. Having your biometric data compromised is forever. The fact that our NeuroPrint technology doesn’t require databases is a great competitive advantage. Our NP solution fully protects the user’s personal data, no biometric or personal information is exchanged across the internet or between devices. All data remains on the phone at all times.
Peter O’Neill, President, FindBiometrics: What happens in case of a lost phone?
Martin Zizi, Aerendir Mobile, Inc.: The way that our system is implemented, a lost phone doesn’t represent any risk for the user. We won’t risk anything and that is important. What the technology measures is the shivering motion of your hand holding a specific phone, yours. It means that if you have another phone in your hand, this shivering motion will be slightly different as it is actually specific of the interaction of a device and your own neuromuscular system, which is also important. So, that means if you have the same technology on a tablet your profile will be different. Any device needs to learn the user on its own way.
So, let’s say your phone is stolen. It doesn’t matter, as all of your personal data can not be read because the hand holding the phone will not be yours, so it is fully protected. All you have to do is get a new phone, with a new serial number or SIM card number, train it, and that is it. So, essentially you have a binary system, a device and a hand working together to emit a signature.
FindBiometrics: NeuroPrint is described as a cloudless technology. Why is on-device authentication important for Aerendir’s solution?
Martin Zizi, Aerendir Mobile, Inc.: I have analysed many biometrics solutions and reached the conclusion that there are many good technologies available and being developed. Yet, none of them protects the privacy of the user and the consumer. I would like to point out that it is not “what we do” but “how we do it” that can protect the user and the consumer.
Let’s assume for the sake of argument that we have a perfect biometric with a 100 percent acceptance rate and 100 percent rejection rate. If I have a database on the cloud, you can breach a database, then millions of people can lose their identity. Think about all the breaches that the phone companies have had, that LinkedIn had. Think about Equifax. So, anything with a database decentralized on the cloud is an open door to catastrophe. The same is true when you transfer information to and from the cloud to generate a signature. We are in the era of big data, the transfer of information, even if it is encrypted, opens the door for the man-in-the-middle. Again, you have a risk there. So, when you want to implement something super safely you don’t want to have a database, you don’t want anything stored on the cloud, you want to have everything on the phone instead. I’m not the only one who thinks this. If you look at Samsung or Apple, both manufacturers tried to have security on their phone to avoid being stolen.
What we did differently at Aerendir is that we do real AI on the phone. Moreover, those phones do not need a GPU so we were able to bring the highest form of computation on a plain S5 smartphone. This type of device would be as powerful as a computer from five or six years ago, and it was a feat to be able to port the AI without needing the full force of the cloud computing. By doing that we were able to have a very effective biometrics that doesn’t require the cloud.
Now what do we exchange with the cloud then? At any given moment that the phone interacts with a server or with whatever service and the phone knows it is in the hand of its legitimate owner; and the device just says so, nothing more. We even don’t say who the owner is. For example, let’s say that a user was busy on a big online retailer website, and that this website knows your phone by its phone number, serial or SIM card number. The system will ask “Who are you?” and then the phone will answer “I am the phone with this number, and I am NOW (at this timestamp value) in the hands of my legitimate owner”. Whether it is Martin or Peter does not matter, what matters is who is the legitimate owner of the device. This enables us to make it very, very hard for a customer to lose his identity.
FindBiometrics: Pierre, when I think about your technology, the range of applications seem to be quite large. What do you see as the main vertical markets that your technology will be used in?
Pierre Pozzi, Chairman, Aerendir Mobile, Inc.: It can be used at any place across the web where you need to be identified, or you need to protect some personal information, or if you need to identify the user as a human to avoid bots. In all those cases the technology would apply. Now, you can not do everything at once, of course. We can think about mobile, and e-commerce; we can think about partnering with phone manufacturers, banking, IoT, securing autonomous cars. We are looking at the financial or the telecom industries to start because those essentially percolate throughout the systems. IoT is very interesting to us but at the end of the day you cannot do everything at once so you have to select what you can do in the shortest time to market possible. One important criterion is the cost to benefits ratio.
The financial world is certainly one of those that will require top technology for identification and authentication. As you may know we have two new legislations coming up in Europe which are very important, and are important for any company outside of Europe too. The first one is PSD2, which affects the banking customers and will require a top level of identification and authentication of the user/customer. PSD2 is essentially the portability of every bank account in the EU. The second one is GDPR, which implements the EU constitutional “Right to be forgotten”, or to be able to correct one’s personal information across the Internet. Both of them will be coming into effect in the next couple of months. GDPR will have a very serious effect on all the digital activities because it means the customer and all the digital identities will be back in the hands of the individual, and the individual will have the right to ask any provider of the services on internet to be able to recover and erase all personal data, even when such data would have been sold to any third party by the provider of the service. So, it is a major shift, which obviously means you have to have a very strong identification and authentication tool and the end users have to be put back in control. In a way, Aerendir is at the right time in the right place.
There is another problem, which is important and – as you know – with cyber-attacks, robots are being used more and more, hence one of the key elements in the coming years is to be able to make a clear distinction between robots/AI bots and humans. Most biometric technologies today are subject to hacking and spoofing at different degrees of course. One of the main advantages of our technology which is extremely strong is that it is based on a live signal. This is a huge difference between having a picture of your face in 3D or having a picture of your iris, and having a live signal. This difference is fundamental because it means behind the live signal there is a live person and not a bot or a picture that has been hacked. There are lots of videos on YouTube that show other biometric technologies being spoofed so we think there is an added difference there.
If you take, for example, FinTech – the way they try to identify the customer is a little bit backwards through the use of pictures and pictures of your ID etc., but you have to have the certainty of the individual and you have to make sure that behind the digital signature and behind any bank order, or transfer of money, or whatever it is that you are trying to execute, that you have the legitimate individual. This means that there is a true physical person, not a refined AI robot and not someone else who had access to your personal info. So, that is the game changer and we think that we have a very, very powerful tool there and that we are ahead of the game.
In terms of other verticals, we talked about smartphones. The same technology can apply to office building installations, to power plants, to factories and obviously digitization. So, we need to make sure whoever manages all the facilities, whoever enters them is the true living person behind it and, for this there you need a live signal.
The same technology that we are deploying has three main usages. First, we have a live signal that we can transform with deep learning into a useful signature for authentication. Then the same signature can be used as an encryption key because the signal generates a stable password of one million long characters. So, that gives a super encryption that is directly linked to your brain function. Thus, your brain can be used as a recognizable key without giving away your identity but also as key to encrypt all of your personal stuff.
The third feature is that it can recognize a human – as we just explained. It can recognize you from me, Peter, but also any human from any computer-generated signal. Let’s say we have an AI that knows everything there is to know about me and it tries to generate a fake brain signal, there is no way a computer can generate such fake brain signal unless it knows exactly the specifics of the neural networks in my own brain. So, we set the bar very high.
What is to prevent an AI bot to impersonate a person when it knows everything about you: your name, your birthdate, your social security number, your bank account number, the name of your children and even can show your fingerprint? The difference between AI bots and humans, we believe, will become crucial in the years to come. The only answer to that is to use a live signal from our brain and this is why physiological signals will become very relevant in the future.
FindBiometrics: Thank you Martin, thank you Pierre. I love your technology and I think the timing is very, very good for your entry into the marketplace. Thank you for taking the time to describe it for our readers today. I look forward to hearing more about your technology in the future.