Vendor Assessment: Keyless

How To Kill The Password

A Buyer’s Guide To Passwordless Authentication Technology

Last Updated: 11 October 2021

Document Id: tch-vendor-assess-keyless

Company Key Facts

Web – https://keyless.io/  
LinkedIn – https://www.linkedin.com/company/keylesstech/ 
Twitter –  https://twitter.com/KeylessTech 
YouTube – https://www.youtube.com/channel/UCZ7F3wk4XJ6ICnH2xUSSRmw 
Founded Date: January 2019
Founders: Andrea Carmignani, Fabian Eberle, Paolo Gasti
No. of Employees: ~50
Total Funding: $9.5 million
Locations: London (HQ), Rome, Singapore
In Their Own Words: “Next-gen privacy-preserving biometrics – Nothing to remember. Nothing to steal. You are the key.  Protect your workforce and consumers with passwordless MFA and realize your journey to zero trust.”

At Keyless we are driven by one vision: to create a world where anyone can seamlessly access any digital service from any device, at any time, while keeping personal credentials safe, private and under control. Where the only key is you.  A world that is Keyless.
We are a deep-tech cybersecurity company, founded by leading cybersecurity experts and experienced entrepreneurs, pioneering innovative solutions to enable organizations to seamlessly authenticate their users without having to store sensitive information.

Funding

Funders: P101, gCC (gumi Cryptos Capital), Fabio Mondini de Focatiis

Total funding: $9.5 million

Announced Date | Transaction Name | Number of Investors | Money Raised | Lead Investors
Apr 13, 2021 | Seed Round – Keyless | 4 | $3.3M | P101
Jun 15, 2020 | Seed Round – Keyless | 4 | $3.7M | P101
Apr 28, 2020 | Seed Round – Keyless | | |
Jun 30, 2019 | Pre Seed Round – Keyless | 6 | $2.2M | gumi Cryptos Capital (gCC)
Jan 15, 2019 | Pre Seed Round – Keyless | 3 | $300K | Fabio Mondini de Focatiis

Source: Crunchbase

Customer Case Studies

Customer: LUISS University
Region / Sector: Italy / Education
Details: In response to the Covid-19 lockdowns, the university partnered with Keyless and Cisco to help students sit exams remotely.
Impact: 10,000 students / 1500 authentications per day / 10 days to go live / 2200 virtual exams / Enhanced login experience / Reduced admin costs / PII not stored.

Customer: Unnamed Bank
Region / Sector: Europe / Finance
Details: A European digital bank saw a rapid rise in usage of its VPN solution during the Covid-19 pandemic.  1000 employees required a secure passwordless MFA solution to augment the existing VPN capability, in order to serve approximately 1 million customers.
Impact: 2 hour integration with existing Microsoft infrastructure

Technology Key Facts

Go To Market Message: “Access Anywhere. Any time. Any device.  Enhance customer and employee experiences and protect their privacy through passwordless multi-factor authentication that eliminates fraud, phishing and credential reuse.”
Solutions: Consumer – Strong Customer Authentication; Workforce – Passwordless MFA / Zero Trust Authentication
Products / Platform: Zero Knowledge Biometrics (ZKB) platform / Multi Party Computation Key Management / Distributed Private Computation
Useful Links: Who We Are Datasheet; Getting Started With ZKB; Keyless Technology Overview; Detailed Whitepaper; Consumer Authentication Data Sheet; Workforce Authentication Data Sheet

Technology Review

Keyless are pioneers in the field of Zero Knowledge Biometrics (ZKB), leveraging multi-party computation and distributed computing.  They are a multinational, European-headquartered organisation that has seen notable support from the likes of Gartner (2020 Hype Cycle for biometric authentication) and Enterprise Security (2019 Best Emerging MFA Provider).  They aim to tackle passwordless authentication through the use of proprietary biometrics that overcome many of the issues associated with native, device-originated biometry – such as local biometric template storage.

The storage and distribution of the biometric template data is what appears to make Keyless unique.  They are tackling the two main markets – like most authentication providers – of consumer identity and workforce identity.  Their main narrative and talk track is focused upon the security angle: not only are passwords a poor security option for user authentication, but the centralisation of key management in many multi-factor offerings is also a major vulnerability.  They refer to the concept of having “nothing to remember, nothing to steal…you are the key”.

Whilst they list numerous different sectors their technology could be applied to, financial services and the emergence of compliance initiatives such as the GDPR and PSD2 are driving a need not only for improved security via Strong Customer Authentication (SCA), but also for an improved position when it comes to privacy preservation of identity and biometric data.

Platform Overview

Keyless have combined several different technologies to create a novel approach to both biometric passwordless authentication and how the subsequent biometric templates and private keys are stored and retrieved.

Biometrics

They firstly leverage photo biometric technology to take a picture of the face of the individual in possession of the mobile phone.  The mobile device is running an app (built using the Keyless SDK) that can communicate with the Keyless backend APIs and protocols.

The picture has the necessary liveness checks applied to it in order to remove the risk of replay attacks using pictures or videos.  The biometric template, however, is stored differently from many other vendors.  The template is split and stored on the Keyless network in multiple different pieces – with each piece encrypted using a key known only to the device.

The idea behind the template splitting is to create a decentralized storage management system.  In a decentralized model, no single database or repository (including the device) holds the entire biometric template – providing a much stronger countermeasure against adversarial attack.  The currently supported biometric modality is pictorial – namely of the face – with other biometrics on the roadmap.

Picture capture is not limited to mobile devices, however; workstation-based cameras can also be used.  It is worth understanding whether the laptop camera can be accessed directly from a tamper-proof storage mechanism on the laptop, as some laptop hardware may rely on a user-space application for this.

sMPC

The biometric template (the digital representation of the data that maps to the person’s face) is stored in multiple different parts on different Keyless servers – or nodes.  Each node is only in possession of its own share and cannot recompute the entire biometric template on its own.  When it comes to authentication time – a new template is created by taking a picture on the mobile device.  Using a concept known as secure multiparty computation, a function is run against the existing distributed nodes to compare the newly captured template with distributed shares.  If a match occurs, the user can be authenticated successfully.  

Source: Keyless https://docsend.com/view/qmr2cv9 

The benefit of using an sMPC approach is that the stored template is not located in one place.  No single node can be compromised to reveal the entire template.  Each share is also encrypted, preventing even the Keyless nodes from learning anything about the end user – ensuring privacy preservation.  Keyless describe this as “FaceID in the cloud”.
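To make the sMPC description above concrete, the following constructed Python model (added here; it is not Keyless’s code, protocol or API) splits a template vector into additive shares across three simulated nodes and computes the match score from those shares using Beaver-triple multiplication, so that no node ever holds a complete stored or probe template.  It models only the splitting and the joint comparison; the per-share encryption under a device-held key and the liveness checks are out of scope, and the template values and threshold are constructed.

```python
import secrets

MOD = 2**61 - 1   # prime field; template features are small non-negative ints
N = 3             # number of nodes in this constructed model

def share(x, n=N):
    """Split field element x into n additive shares; any n-1 of them are
    uniformly random and reveal nothing about x."""
    s = [secrets.randbelow(MOD) for _ in range(n - 1)]
    return s + [(x - sum(s)) % MOD]

def reconstruct(shares):
    return sum(shares) % MOD

def share_vec(vec, n=N):
    """Per-node share vectors: node k stores out[k] and never sees the rest."""
    cols = [share(v, n) for v in vec]
    return [[c[k] for c in cols] for k in range(n)]

def beaver_triple(n=N):
    """Preprocessing material: shares of random x, y and z = x*y. A real
    deployment produces these offline; here a dealer hands them out."""
    x, y = secrets.randbelow(MOD), secrets.randbelow(MOD)
    return share(x, n), share(y, n), share(x * y % MOD, n)

def mpc_mul(a_sh, b_sh):
    """Shares of a*b from shares of a and b. The nodes only open the masked
    values e = a - x and f = b - y, which are uniformly random."""
    xs, ys, zs = beaver_triple(len(a_sh))
    e = reconstruct([(a - x) % MOD for a, x in zip(a_sh, xs)])
    f = reconstruct([(b - y) % MOD for b, y in zip(b_sh, ys)])
    # a*b = z + e*y + f*x + e*f; the public e*f term is added by node 0 only
    out = [(z + e * y + f * x) % MOD for x, y, z in zip(xs, ys, zs)]
    out[0] = (out[0] + e * f) % MOD
    return out

def mpc_sq_dist(stored_sh, probe_sh):
    """Squared Euclidean distance between two secret-shared templates.
    Subtraction is local; each squaring costs one triple; only the final
    score is opened, never an element of either template."""
    n = len(stored_sh)
    acc = [0] * n
    for i in range(len(stored_sh[0])):
        d = [(stored_sh[k][i] - probe_sh[k][i]) % MOD for k in range(n)]
        sq = mpc_mul(d, d)
        acc = [(acc[k] + sq[k]) % MOD for k in range(n)]
    return reconstruct(acc)

def enrol(template):
    """Enrolment: the device shares the template; node k keeps shares[k]."""
    return share_vec(template)

def authenticate(stored_sh, probe, threshold):
    """The fresh probe is shared the same way; nodes run the distance
    protocol and the opened score is compared with the threshold."""
    score = mpc_sq_dist(stored_sh, share_vec(probe))
    return score <= threshold, score
```

Compromising any single node yields only one uniformly random share vector, which is the property the text describes; the constructed threshold stands in for a real matcher’s tuned decision boundary.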

Recovery

An interesting by-product of a distributed approach to biometric storage concerns the classic case of a lost device – or, more commonly, migration to a new device.  In a distributed model, the biometric template is never stored in its entirety on the device, making recovery and delegation simpler.  A commonly supported use case, as a result, is being simultaneously active on multiple devices.

Deployment

The Keyless nodes can seemingly be run in several different ways – by Keyless directly in a cloud model and by the enterprise themselves in devops/private cloud infrastructures.  This provides a range of coverage options that can meet different compliance requirements or security policies.

API + SDK

Access to Keyless functionality is via a REST/JSON based API, which can be used to instantiate the authentication process and obtain authentication results.  An SDK is also available to accelerate adoption and integration.  The SDK is written in C++ and provides bindings for Swift, React Native and Java for integration with iOS/MacOS, Android and Windows applications.

Enterprise

From a use case perspective, Keyless supports enterprise applications focused on workforce authentication and single sign on.

They provide out of the box integration for identity providers such as ForgeRock, Okta and Ping Identity.

API based integration allows a modular decoupling between the identity and access management (IAM) provider (which protects the downstream systems) and the biometric authentication model provided by Keyless.  Authentication is typically started by the end user attempting to gain access to an application integrated into the IAM platform.  The IAM platform then contacts Keyless via an API to trigger a push notification to the user’s mobile device, where the biometric authentication event takes place.  Keyless returns the authentication response to the IAM platform so that the user can continue on their journey – likely with single sign on (SSO) enabled for multiple applications.

Consumer

As digital transformation increases across nearly all sectors, external identity authentication for consumers, customers and citizens is now common.  Existing IAM platforms often cannot cope with the scale, security, privacy and usability requirements for external identity.  

Keyless provides improved security and privacy as well as enhanced user experience for consumer authentication.

Sample Technology Integration Coverage

Single Sign On Identity Providers:

Microsoft ADFS
Microsoft Azure AD B2C
Okta
ForgeRock
Ping Identity
Auth0
OneLogin
IBM Security
Keycloak

Enterprise Standards:

SAML
OpenID Connect
RADIUS

VPN:

Cisco
Palo Alto
CheckPoint
Fortinet
VMware Horizon View

SDK:

Android
iOS/MacOS
Windows

The Cyber Hut Comment

Keyless is pioneering a novel approach to passwordless authentication.  The interesting aspect is the longer term platform of capabilities they are developing and how that can impact the broader identity ecosystem.  

The use of biometrics is not new, but adding a distributed storage and computation model strengthens the security of that approach.  The focus on decentralization with encrypted components seems a nod to a direction in which privacy enablement will become a strategic initiative for many organisations that want to go above and beyond basic compliance for the likes of GDPR.

An API and SDK approach is now standard and Keyless embraces that.  It will be interesting to see what Keyless looks to enable beyond the authentication event – such as decentralization of identity verification, transaction signing and portable identity.

Strengths

  • Pioneers in the novel field of Zero Knowledge Biometrics
  • Storage of key material leverages a distributed model
  • Pictorial biometric authentication with liveness check
  • Leverages a secure multi-party computation (sMPC) model in which components of the biometric template are split and stored separately – removing a single attack point
  • Consumer SDK/API approach to embedding security for the likes of PSD2 and SCA
  • Key recovery and migration is an inbuilt by-product of the distributed key storage model
  • Strong compliance support for the likes of GDPR/CCPA/PSD2

Methodology

The Cyber Hut Vendor Assessments are always independent and free from vendor sponsorship.  We follow a 5-step process to create a body of knowledge that provides buy-side decision makers with a tool that can assist with overcoming the information asymmetries often associated with vendor due diligence.

1 – OSINT

The first stage in the process is to leverage a range of open source intelligence data points (OSINT) to create an impartial and empirical view of the vendor, through their natural actions, talk tracks and observable data points.

We leverage free and paid-for data sources to help understand the basic history and vision of the organization, as well as technical details that help to create a picture of capabilities, features and functions.

This process takes between 2 and 4 weeks to complete and uses sources such as the following:

  • Crunchbase / Glassdoor
  • YouTube / Twitter / LinkedIn
  • Vendor Website
  • Vendor Webinars & Events
  • Vendor Whitepapers & Datasheets
  • Vendor Case Studies
  • Patent Search
  • Blogs
  • Documentation & Release Notes
  • APIs and SDKs
  • Downloads and Trials

2 – Vendor Briefings

After a basic dossier has been created, the vendor is contacted to arrange a briefing, pitch and demo and to answer any questions that may have been raised during the OSINT phase.

The briefings usually last about 60 minutes and normally cover a general go to market pitch and position, followed by a secondary demonstration session by a sales engineer.  This process typically results in some further, more technical questions that can be easily answered via email and existing documentation.

At this point, The Cyber Hut are in a position to start creating the first version of their Vendor Assessment.

This will take up to 2 weeks and will contain all the information gathered in the OSINT and vendor briefing stages.  Existing public case studies will also be analysed.

3 – Vendor Fact Check

Once the initial draft of the Vendor Assessment has been created, this is sent back to the vendor, to allow them to validate any technical points and “fact check” any information that has been documented.  The vendor typically responds within 14 days with any corrections and edits.

4 – Vendor Assessment Completion

After the vendor has been given the opportunity to fact check the assessment, any corrections are incorporated into the final document.

At this stage, the document can be made available to buy side practitioners as a standalone artifact.  This is provided as a non-distributable PDF available in single-seat and enterprise-wide licenses.

Vendors may also purchase a redistributable version of the Vendor Assessment which they can use as marketing and pre-sales collateral for a 6 or 12 month period.

Methodology Benefits

The benefits to this approach are twofold:  firstly the vendor is not burdened with cumbersome questionnaires, normalised market requirements and time consuming templates.  The “heavy lifting” is performed by The Cyber Hut in order to provide a more empirical and evidence based assessment.

The vendor has full control over the ability to correct and fact check any written material, which validates the evidence that has been collected.

Secondly, The Cyber Hut does not place emphasis on the concept of “ranking” vendors and identifying “who is the best” in a particular segment, vertical or implementation.  

The Cyber Hut aims to produce impartial evidence based reports that help to bridge the supplier and buyer divide.

Vendor Assessments are typically re-evaluated every 12 months.

About The Author

Simon Moffatt is Founder and Analyst at The Cyber Hut.  Simon provides the overall strategy and content management, analysing unique positions with many different lenses. He is a published author and contributor to identity and security standards at the likes of NIST and the IETF.  He has a 20+ year career working within the identity & access management and cyber security sectors – for vendors, system integrators and within industry.  

Education

B.Sc (hons) Economics (York, 2001)

M.Sc Information Security (Royal Holloway, University of London, 2022)

Professional Memberships

MBCS – Member of the British Computer Society

F.CIIS – Fellow of the Chartered Institute of Information Security

Professional Qualifications

CISSP (Certified Information Systems Security Professional) – 2007 to present

CCSP (Certified Cloud Security Professional) – 2020 to present

CEH (Certified Ethical Hacker) – 2018 to present

CISA (Certified Information Systems Auditor) – 2010 to 2014

Research Interests

Distributed Authorization; Cyber Strategy; Security Economics; Identity Counter Measures; Nation State Cyber Strategy

Disclaimer

© 2021 TCH Research Ltd.  All rights reserved. The Cyber Hut is a trading name of TCH Research Ltd.

This publication may not be reproduced or distributed in any form without The Cyber Hut’s prior written permission. It consists of the opinions of The Cyber Hut’s research organization, which should not be construed as statements of fact. While the information contained in this publication has been obtained from sources believed to be reliable, The Cyber Hut disclaims all warranties as to the accuracy, completeness or adequacy of such information. 

The Cyber Hut does not provide legal or investment advice and its research should not be construed or used as such. Your access and use of this publication are governed by The Cyber Hut’s Usage Policy. 

The Cyber Hut prides itself on its reputation for independence and objectivity. Its research is produced independently by its research organization without input or influence from any third party.
