Development and pilot validation of a next generation cybersecurity solution based on facial recognition to provide phishing-resistant Multi-Factor Authentication (MFA)

The world of online banking is under constant, highly advanced forms of attack by fraudsters and criminals. One of the most common forms of fraud is based on tricking customers into revealing their credentials and security details with deceitful use of fake websites, fraudulent calls, and scam emails.

To counter this threat, the banking industry is introducing a range of measures to ensure that they can confirm our identity with confidence. The role of single password authentication has passed, we are all aware of the current multi-factor authentication methods, like password linked to a security text message. The latest generation of digital devices also have facial recognition technologies (" biometric data") which are able to confirm our identity, however many of these technologies, such as those behind Apple's Face ID and Samsung Facial Recognition, store the biometric data on the device.

If the device is compromised, the biometric data is compromised too. Fraudsters are now attacking biometric authentication methods, in effect stealing our identities and replicating our facial appearance digitally.

To address this challenge, the applicant Keyless, is developing advanced new methods of allowing banks the convenience of facial recognition technology without needing to store biometric data. Keyless has patented the first biometric authentication technology that does not process or store biometric data anywhere - neither on the device, nor on a centralised cloud server (another form of storage used by many biometric technologies). This guarantees previously unheard of levels of security, privacy, and user experience.

The need for this new technology is extremely urgent. The UK and EU government have required financial technologies to increase transaction security through the PSD2 directive mentioned above. Recently, PSD3 has been introduced as there are flaws in the earlier directive's security requirements.

Keyless is currently researching and developing technologies that satisfy these regulatory requirements and has validated the need for their product through the acquisition of several key customers. However, before Keyless can be sold regulated financial institutions, they need to improve their current product and prove that their offering is compliant with the PSD2/PSD3 directives.

Keyless is applying for Innovate UK Loan support to conduct a crucial programme of software development work, internal testing and also applied security testing with banking sector clients. If they can complete this product research, development and validation the business can become profit-making by the end of 2025 and repay the Innovate UK loan by year 2030\.