Student develops fingerprint-based authentication app

March 3, 2016
Nicholas Boucher, A.B. '19 (computer science), and a team of international students, developed a mobile app that seeks to enhance cybersecurity. Credit: Eliza Grinnell/SEAS Communications

Having trouble remembering all your online passwords? You're not alone. A recent study by identity management firm Centrify found that the average person has at least 19 online passwords, and that 25 percent of users forget at least one login detail each day.

With an eye toward improving cybersecurity, a Harvard John A. Paulson School of Engineering and Applied Sciences student developed a mobile app-based authentication system that enables users to log in to websites using a characteristic that is impossible to forget: their fingerprint.

Nicholas Boucher, A.B. '19, a computer science concentrator, and three teammates recently won the Cambridge University Hack-a-thon Cybersecurity Challenge for their app, ClearPass. "Hack Cambridge," the university's annual 24-hour coding marathon, was sponsored by British cybersecurity firm Thales.

"We thought that the concept of logging in with a username and password is pretty antiquated," Boucher said. "As a civilization, we ought to be able to move beyond that by now."

ClearPass exploits the biometric sensors on most smart phones to generate a unique user profile that an individual utilizes to log in to websites. A user scans his or her fingerprint, which the app uses to generate a secure QR code. Users hold the code in front of a computer's web cam to log in to a ClearPass-enabled website. Webmasters can enable ClearPass authentication by inserting into their sites just two lines of code, Boucher explained.

The app ensures security because no fingerprints are stored on the ClearPass server. Rather, ClearPass uses a hashing algorithm that scrambles and encodes fingerprint data. As an additional security feature, each QR code is only available for five minutes. As soon as it is used, the security token in the code is obliterated, making it useless for future login attempts.
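The token lifecycle described above (five-minute validity, destroyed on first use) can be sketched as follows. This is an added example, not ClearPass code; the class name, the sample profile id, and the choice to keep only a SHA-256 digest of each token on the server are assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 5 * 60  # the article's five-minute QR code lifetime


class OneTimeTokenStore:
    """Hypothetical server-side store: token digest -> (profile id, expiry)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock          # injectable so expiry can be tested
        self._pending = {}

    @staticmethod
    def _digest(token: str) -> str:
        # Only a digest is kept, so a leaked store yields no usable tokens
        # (a design choice of this sketch, not something the article states).
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, profile_id: str) -> str:
        """Return a fresh random token to embed in the QR code."""
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (
            profile_id, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str):
        """Return the profile id once; None if unknown, used, or expired."""
        # pop() removes the entry before any check, so a replayed or
        # expired token can never succeed on a later attempt.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        profile_id, expires_at = entry
        return profile_id if self._clock() <= expires_at else None


def demo():
    now = [0.0]                          # constructed fake clock
    store = OneTimeTokenStore(clock=lambda: now[0])
    first = store.issue("profile-123")   # constructed sample profile id
    results = [store.redeem(first), store.redeem(first)]  # use, then replay
    late = store.issue("profile-123")
    now[0] += TOKEN_TTL_SECONDS + 1      # let the five minutes elapse
    results.append(store.redeem(late))
    return results


if __name__ == "__main__":
    print(demo())
```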

"What makes ClearPass unique is that creating a username is optional," Boucher said. "It allows you to authenticate that you are who you say you are, all while maintaining full anonymity online."

Full anonymity could be especially useful when incorporated into a system like Bitcoin or certain banking and financial sites, Boucher said. And because the app works offline and is neither device- nor platform-specific, it could benefit a very broad user base.

For Boucher, one of the most exciting things about ClearPass is the potential to configure the system for any type of biometric data, such as facial mapping or vocal fingerprinting. ClearPass could even verify individuals using the heart rate sensor on a smart phone, effectively locking a user out of a site if he or she had an elevated pulse. If enabled, that feature could prevent a user from accessing a banking site if he or she were being forced to log in at gunpoint, Boucher said.

While heart rate scanning was one feature Boucher and his teammates weren't able to complete during the 24-hour Hack-a-Thon, he is looking forward to making further enhancements to the app.

"I think there could be some real uses for this," he said. "When you look at the broader possibilities of using biometric security for logging into everything from bank accounts, to ATMs, to Facebook, to email, with one swipe of a finger without changing any of your technology, the stakes become higher."
