Written by Matthew Hine, CPO, RDX Works Ltd.
At RadFi, we showed off a vision of a Radix Wallet that can finally make Web3 mainstream-accessible by using the unique features of the Radix Network. One of the highlight benefits is using smart accounts to do away with having to write down a complicated seed phrase to keep your accounts safe. Since then, we’ve gotten lots of questions about how we’re getting rid of the required seed phrase, and one common theme has been about biometrics:
“Is Radix replacing seed phrases with biometrics?”
“Can the Radix Wallet provide ‘proof of human’ to dApps using biometrics?”
The all-new version of the Radix Wallet coming for Babylon does use biometrics, but it’s important to understand what biometrics can and can’t do. Let’s break it down.
How does biometric authentication work with the Radix Wallet?
The basic answer here is that the Radix Wallet uses biometric authentication – whether face or fingerprint identification – to ensure that only you can sign transactions that deal with your accounts and assets. In the default configuration, every time your wallet needs to sign a transaction, you’ll see a quick biometrics check happen, and it’s done!
But how does that work?
A “signature” requires a private key, and so it’s easy to assume that the phone is using the scan of your face or fingerprint to generate a private key. We might imagine that “signing” means grabbing that face/fingerprint scan again to get the private key that we need to sign, right?
Unfortunately, that’s not how biometrics works. It's actually a comparison process. During setup, your phone captures a cloud of datapoints from your face/fingerprint as a reference. Whenever you attempt to authenticate (like when unlocking your phone), the phone captures another cloud of datapoints and compares it against the reference one it has. If the two are "close enough", the authentication passes.
Crucially, you will never get precisely the same cloud every time. Even government-grade biometric systems can only compare a person's cloud against a database of known clouds and try to see if there is a "close enough" match to something in the database. They can’t ever say “oh, this is a new person I haven’t seen before - let me add them to the database!”
The result of this limitation is that you can’t use a face or a fingerprint to generate a unique private key. If you tried, you would always get a slightly different result, meaning a completely different private key - useless for cryptographic operations. Many companies over many years have attempted to have a biometric produce exactly the same unique result every time, and all have failed.
So when the “close enough” comparison is done on your phone, it’s actually just convincing a piece of secure hardware that you are the single user in its database. Typically a backup PIN is also set that can likewise convince your phone that you are that user. Once convinced, your phone then allows use of a private key that it has generated itself (randomly) within that secure hardware. The Radix Wallet can use that key to securely protect private keys for multiple accounts, and signatures on transactions involving those accounts.
Note: To get technical, the biometrics protect the ability to decrypt a key store that holds a mnemonic seed phrase. That seed phrase is the source of entropy used to generate a hierarchical deterministic root, from which we can derive multiple key pairs for multiple accounts and personas without creating an on-ledger association between those different accounts and personas.
In the end, it is the combination of your phone and your face/finger/PIN that can produce that signature – not the biometrics (or PIN) alone. It’s very similar to how, with a hardware wallet, it’s the combination of the hardware wallet device and your PIN that lets you produce a signature with it.
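The Python sketch below is an added illustration, not code from the Radix Wallet. It models the comparison process described above: two scans of the same person pass a "close enough" check yet hash to unrelated keys, while the secure hardware releases the same randomly generated key after either a biometric or a PIN match. The `SecureHardware` class, the threshold, the noise level and the use of HMAC in place of a real signature scheme are all assumptions made for the example.

```python
import hashlib
import hmac
import random
import secrets

THRESHOLD = 0.05  # assumed "close enough" bound; real matchers tune their own

def capture(true_features, rng, noise=0.01):
    """Simulate one scan: the same face/finger never yields identical datapoints."""
    return [f + rng.uniform(-noise, noise) for f in true_features]

def distance(a, b):
    """Mean absolute difference between two datapoint clouds."""
    return sum(abs(x - y) for x, y in zip(a, b)) / len(a)

def naive_key(sample):
    """The tempting but broken idea: hash the scan itself into a private key."""
    return hashlib.sha256(repr(sample).encode()).hexdigest()

class SecureHardware:
    """Toy model of the phone's secure hardware (hypothetical, not a real API)."""
    def __init__(self, reference, pin):
        self._reference = reference
        self._pin_hash = hashlib.sha256(pin.encode()).digest()  # toy PIN storage
        self._key = secrets.token_bytes(32)  # random, unrelated to the biometric

    def _match(self, sample=None, pin=None):
        if sample is not None and distance(sample, self._reference) <= THRESHOLD:
            return True
        return pin is not None and hmac.compare_digest(
            hashlib.sha256(pin.encode()).digest(), self._pin_hash)

    def sign(self, message, sample=None, pin=None):
        """Allow use of the stored key only after a successful comparison."""
        if not self._match(sample, pin):
            raise PermissionError("biometric/PIN check failed")
        # HMAC stands in for a real signature scheme to stay stdlib-only.
        return hmac.new(self._key, message, hashlib.sha256).hexdigest()

def demo():
    rng = random.Random(7)  # constructed, seeded sample data
    owner = [rng.random() for _ in range(64)]
    enrol, scan1, scan2 = (capture(owner, rng) for _ in range(3))
    other = capture([rng.random() for _ in range(64)], rng)  # a different person
    return enrol, scan1, scan2, other, SecureHardware(enrol, pin="4821")

if __name__ == "__main__":
    enrol, s1, s2, other, hw = demo()
    print(naive_key(s1) == naive_key(s2), hw.sign(b"tx", sample=s1) == hw.sign(b"tx", sample=s2))
```

The key never depends on the scan's exact values, which is why losing the device (and with it `_key`) loses signing ability regardless of whose face is presented.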
This is a great mechanism to control crypto accounts without backing up a seed phrase, but it is tied to the phone. If you lose the phone, you lose access to those private keys. For most blockchain networks this means that using biometrics to protect accounts is a non-starter. On these networks, a single private key always controls an account forever, so unless the user is forced to back up the private key in some way, the risk of losing the phone is deadly.
However, using Radix’s smart account system, if a phone is lost, the on-ledger multifactor recovery system means you can simply update your account (using additional ways of proving your identity other than your phone’s biometrics) to use a new private key for signing account transactions and you’re back in business. Using phone biometrics to protect signing keys is an absolutely ideal match for the Radix smart contract system (although you can always choose other signing options for your accounts in the Radix Wallet if you prefer).
Can we use biometrics as “proof of human” for dApps?
In short - no. This isn’t a limitation of the Radix Wallet, but a consequence of the inherent limits of biometric authentication that we’ve discussed.
Lots of dApps want a way of verifying that a given user is actually a unique human. From airdrops to DAOs to DeFi, it’s incredibly useful to know that 1 person isn’t masquerading as 1000. Another term for this is “Sybil attack prevention”.
It would be amazing to use biometrics to prove uniqueness on a decentralized network, but it’s simply not possible. We’ve already seen how a biometric check can’t produce a single private key – it can’t say “this is a new person I haven’t seen before!”. And even if it could, it still wouldn’t be a solution. There would be no way for the network, or a smart contract running on it, to tell that a given private key was generated by a certain biometric check instead of artificially created by an attacker.
What we need for “proof of human” is a way of knowing that a given human can only have exactly one of something that lives on the network that represents that unique individual. They can never create more.
And unfortunately the only way we know of to do this reliably is for there to be a trusted authority that is able to verify a given human in some appropriate way (whether checking a government ID, using a phone number, running a KYC process, etc.) and issue that singular “something” that represents them.
Fortunately, Radix makes it very easy for such an authority to create that “something” - with badges! The badge-issuing authority can do their checks on the human and verify that the human owns a given account. A unique badge asset can then be created, sent to that user’s account, and in most cases configured to be non-transferable (or “soulbound” if you prefer).
Now whenever that human uses a dApp, a smart contract can check for a badge that represents a form of unique identity that suits its needs from an authority that they trust. In fact, Radix makes “presenting” of badges for this purpose easy for the dApp developer and clear to the user in their Radix Wallet.
This opens up some fantastic opportunities for easy-to-use and powerful identification systems on Radix – but those systems will still require some sort of verifying off-ledger entity, whether the dApp creator themselves or a third party they work with.
Reputation or “social proof” systems may provide us with another interesting mechanism of identifying individuals in a decentralized way – but unfortunately, biometrics is very unlikely to be the way forward, as tantalizing as it may seem.