The Smartphone fingerprint
With the evolution of remote working, the risk of cyber-attacks has increased. Cybersecurity has also become a business for startups. Toothpic, a spin-off project from the Polytechnic University of Turin, was founded with the goal of turning cell phones into a unique, unclonable key.
By Giovanni Iozzia – Forbes Italia
“People should be educated to mistrust”, says Giulio Coluccia, talking about the dangers of digital life where the biggest risk is that someone will impersonate us, without our knowledge, to steal money from our bank account or hack into the computer systems of the company we work for. To mitigate this, as they say in jargon, together with three colleagues from the Polytechnic University of Turin, he has built a company, Toothpic, that turns your smartphone into a unique and unclonable key.
“We all have a phone and it is now an extension of our body. It can be a dangerous tool in the hands of the unprepared, but it can also become the perfect password, as we have found a way to identify yourself through the unique fingerprint generated by the phone’s camera,” explains Coluccia, a 40-year-old telecommunications engineer with two kids and a passion for cycling, a former researcher turned entrepreneur. Toothpic is a spin-off of the Polytechnic University of Turin, a startup born from university research at the initiative of Coluccia with Enrico Magli, Diego Valsesia and Tiziano Bianchi. “We began undertaking the research in 2014 and had no idea where we were going to end up. In December 2016, we founded the startup, which remained a legal entity until its first funding, in 2018”. To date, nearly 1.2 million euros have been raised, and for this year they expect a new round of at least 2 million.
In the startup’s name we discover its origin; it stems from the phrase ‘Who took this picture’. “It was chosen for the university research project with which we wanted to prove it was possible to recognize, among large collections of photographs, those taken by the same smartphone”, Coluccia says. Without getting too technical, it means that the phone’s camera leaves a unique and unclonable fingerprint, and the challenge is to be able to recognize it. Toothpic works on the pixels and the moment they generate the images: each phone does it differently, with imperceptible differences that cannot be controlled even by the device manufacturer. “Our technology, unique in the world, allows us to detect these differences, defining what is termed the fingerprint. At first, we thought of the forensic space: with our software, you could prove without any doubt that a photo was taken by a specific cell phone. But it was a niche market”.
Cybersecurity, on the other hand, is an increasingly broad and ‘hot’ field, especially after the pandemic and the spread of remote working. Attacks are on the rise, especially in Europe and Italy, according to data from a 2022 report by Clusit, Italy’s most authoritative organization on the subject, and smartphones are often the Trojan horse for hackers and digital criminals. Just by carelessly clicking on a link contained in a text message, you can find yourself in trouble or create serious problems for the company you work for. Now, we all have to juggle IDs, passwords, OTPs, fingerprints or facial recognition. To do a banking transaction, but also to log into a business system, we have become accustomed to two-factor authentication, so-called strong authentication, and to be recognized we have to enter a code received by text message, or created by us and stored in another place, or give approval through an app.
Digital life is starting to get complicated without ever being secure. Even two-factor authentication, which to this day is considered one of the most secure protection systems, was ‘hacked’ as early as 2021, although the claim only came in April when a hacker showed how he did it. This makes it clear why Toothpic changed its focus from photos to digital identity verification through a multifactor system.
“The device we used to use for home banking was secure, because it was a disconnected fixed object, but it was inconvenient because we had to carry it with us all the time, and it was also a cost to businesses”, Coluccia explains. “If your security keys are on a smartphone, they can always be stolen; even worse, without you realizing it. Because it’s like having an item stolen from you, but not physically. App-based systems also store a ‘secret’ on the device, which can always be stolen: these are strings of code that malware can detect and steal”.
What does Toothpic do differently? “We have international patents on a system that links that secret to the hardware of the device, particularly the camera. Then, it won’t be enough even to clone your phone, because every camera has a unique fingerprint. The risk doesn’t become zero, but we reduce it by a lot, because they will literally have to steal your phone, and you’ll obviously notice that”. A smartphone thus can become the safest and easiest access key for a company’s employees, after ID and password. The Piedmont Region and the Italian Post are trying out the technology. “We could also do it without passwords, but people still ask for them”, Coluccia says. “However, the solution is simple and inexpensive: just download a dedicated app, or, if the company already has one, integrate our software for authentication”.
Toothpic is an example of what is known as technology transfer, the transition from university research to business. “My impulse to leave the academic field in 2018 was driven by my desire to grow a research project and make it into something else. Being an entrepreneur is a different job that I partly had to learn, and I continue to learn. After an intense phase of technology development, now it’s time for business development”, says Coluccia, who finds himself at a decisive moment in the venture.
For Toothpic, this will be the year of real market entry after the first revenues in 2021: new investment, team growth (currently about ten people), more marketing. And the original idea with photos will also come in handy: “There is not only a need for a secure digital key, but also to prevent fraud, for example when we do online banking. Banks already monitor our behavior but are having more and more trouble detecting devices with the new privacy rules. Instead, we are able to tell if the phone used to connect is really the customer’s”.
You can find the original article here.