Student develops fingerprint-based authentication app

March 3, 2016, Harvard University
Nicholas Boucher, A.B. '19 (computer science), and a team of international students, developed a mobile app that seeks to enhance cybersecurity. Credit: Eliza Grinnell/SEAS Communications

Having trouble remembering all your online passwords? You're not alone. A recent study by identity management firm Centrify found that the average person has at least 19 online passwords, and that 25 percent of users forget at least one login detail each day.

With an eye toward improving cybersecurity, a Harvard John A. Paulson School of Engineering and Applied Sciences student developed a mobile app-based authentication system that enables users to log in to websites using a characteristic that is impossible to forget: their fingerprint.

Nicholas Boucher, A.B. '19, a computer science concentrator, and three teammates recently won the Cambridge University Hack-a-thon Cybersecurity Challenge for their app, ClearPass. "Hack Cambridge," the university's annual 24-hour coding marathon, was sponsored by British cybersecurity firm Thales.

"We thought that the concept of logging in with a username and password is pretty antiquated," Boucher said. "As a civilization, we ought to be able to move beyond that by now."

ClearPass exploits the biometric sensors on most smart phones to generate a unique user profile that an individual utilizes to log in to websites. A user scans his or her fingerprint, which the app uses to generate a secure QR code. Users hold the code in front of a computer's web cam to log in to a ClearPass-enabled website. Webmasters can enable ClearPass authentication by inserting into their sites just two lines of code, Boucher explained.

The app ensures security because no are stored on the ClearPass server. Rather, ClearPass uses a hashing algorithm that scrambles and encodes fingerprint data. As an additional security feature, each QR code is only available for five minutes. As soon as it is used, the security token in the code is obliterated, making it useless for future login attempts.

"What makes ClearPass unique is that creating a username is optional," Boucher said. "It allows you to authenticate that you are who you say you are, all while maintaining full anonymity online."

Full anonymity could be especially useful when incorporated into a system like Bitcoin or certain banking and financial sites, Boucher said. And because the app works offline and is neither device- nor platform-specific, it could benefit a very broad user base.

For Boucher, one of the most exciting things about ClearPass is the potential to configure the system for any type of biometric data, such as facial mapping or vocal fingerprinting. ClearPass could even verify individuals using the heart rate sensor on a smart phone, effectively locking a user out of a site if he or she had an elevated pulse. If enabled, that feature could prevent a user from accessing a banking site if he or she were being forced to log in at gunpoint, Boucher said.

While heart rate scanning was one feature Boucher and his teammates weren't able to complete during the 24-hour Hack-a-Thon, he is looking forward to making further enhancements to the .

"I think there could be some real uses for this," he said. "When you look at the broader possibilities of using biometric security for logging into everything from bank accounts, to ATMs, to Facebook, to email, with one swipe of a finger without changing any of your technology, the stakes become higher."

Explore further: Protecting data assets with two-factor authentication

Related Stories

Protecting data assets with two-factor authentication

February 3, 2016

To better protect the Institute's data – including employee data – from future cyber risks, the Office of Information Technology (OIT) will begin deploying two-factor authentication to early adopters across campus in ...

Comfort is important in identification

December 10, 2015

VTT Technical Research Centre of Finland has conducted a study about user attitudes to different personal identification methods. The most popular identification methods were internet banking access codes and passwords. The ...

Tech Tips: Stay safe by reducing reliance on passwords

June 17, 2015

Mix upper and lower case letters in your password? Substitute the numeral 1 for the letter l? Throw in an exclamation point and other special characters? Who can remember all that for dozens of websites and services?

Recommended for you

Engineering cellular function without living cells

March 25, 2019

Genes in living cells are activated – or not – by proteins called transcription factors. The mechanisms by which these proteins activate certain genes and deactivate others play a fundamental role in many biological processes. ...

What ionized the universe?

March 25, 2019

The sparsely distributed hot gas that exists in the space between galaxies, the intergalactic medium, is ionized. The question is, how? Astronomers know that once the early universe expanded and cooled enough, hydrogen (its ...

Catalyst advance removes pollutants at low temperatures

March 25, 2019

Researchers at Washington State University, University of New Mexico, Eindhoven University of Technology, and Pacific Northwest National Laboratory have developed a catalyst that can both withstand high temperatures and convert ...


Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.