ToothPic: the smartphone camera becomes a security device


ToothPic’s technology allows you to turn your smartphone into a unique access key for online authentication, eliminating the need for passwords, tools or external devices

ToothPic is an innovative startup, a spin-off of the Politecnico di Torino founded in 2016 by four researchers and professors of the Department of Electronics and Telecommunications. The ideas behind ToothPic were born during public university research activities focused on the study of innovative techniques for the compression of multimedia data. Together with the Polytechnic of Turin, two rounds of investments worth a total of 1.1M were undertaken between 2018 and 2020.

In the same year, ToothPic obtained the FIDO International Certification from the FIDO Alliance and the Best Paper Award from the IEEE Computer Society for the article published in the scientific journal IEEE Multimedia entitled “ToothPic: Camera-Based Image Retrieval on Large Scales”.

A very original technology

ToothPic has developed an MFA technology that allows the smartphone to become a unique access key for online authentication, eliminating the need for passwords, tools or external devices. The starting assumption is that each camera of a smartphone leaves its own hidden and involuntary signature, a sort of invisible pattern of imperfections that uniquely characterizes the photographic sensor.

ToothPic’s technology identifies these camera defects and turns them into a unique fingerprint. This feature cannot be controlled by the manufacturer and, because it is linked to the unpredictable physical properties of the sensor’s silicon wafer, it is practically impossible to produce two smartphones with the same camera fingerprint: in fact, it cannot be cloned.

When a user accesses an account (for example, a bank account) or finalizes a payment via smartphone, the ToothPic-enabled system automatically acquires images with the camera and verifies the fingerprint of the sensor, which is in turn used to obtain a private cryptographic key. This verifies that the user actually possesses the smartphone, and the login or payment is completed quickly. In addition, secret data that identifies the user is never stored on the smartphone.

ToothPic’s solution is built on a double-key system that does not require sophisticated equipment or additional devices, promising security and simplicity: it does not change the user’s habits, the whole procedure is completely automatic and does not impose new tools, devices to take with you or further investments in hardware by the companies that will implement it.

Finally, the startup has developed an SDK (Software Development Kit) for Android and iOS, compatible with the latest authentication protocols and standards, to be integrated into third-party authentication applications and systems to identify the device through deobfuscation of asymmetric cryptographic keys.

The credentials of individual users are not stored centrally on corporate servers, but are decentralized on users’ devices, making the system less vulnerable to external attacks and making it easier for client companies to migrate from an on-premises model to a cloud model. The system now complies with the latest EU standards and regulatory requirements: PSD2, FIDO2, FIDO U2F and WebAuthn.

Current and future applications

The pandemic has led more and more people to work remotely and to use online services more frequently, increasing the risk of fraud or targeted cyber attacks. Often, the access methods that organizations provide for their digital services, such as passwords, codes, SMS and tokens, are insecure and cumbersome for the user. These problems have increasingly driven the adoption of passwordless technologies.

ToothPic’s technology is a response to these needs. The company has developed a business strategy oriented towards a horizontal approach, reaching markets such as banking, insurance, business and industrial, up to public administration, health and defense. By implementing ToothPic in the Home Banking service, customers would be facilitated in the authentication process, benefiting from greater security of monetary transactions thanks to the ability to recognize the device from which the payment was made. The technological performance of ToothPic is also useful in the Corporate area to guarantee all employees secure online authentication and a high level of protection of sensitive data through the sole use of the smartphone, avoiding the use of passwords and codes that are easy to intercept.

The use cases for the technology extend to digital signatures, to authenticate documents without hardware tokens, and to the insurance field, to shorten the time needed to report and resolve claims.

The development of various pilot projects and partnerships carried out this year has given ToothPic the opportunity to look to the future with a view to international expansion, establishing new contacts and business opportunities also in various European countries and