At CES 2014, a start-up named Hoyos Labs is launching mobile apps for iOS and Android designed to eliminate the need for usernames and passwords on smartphones by combining three types of biometric security.

While each type of biometric technology has its merits, fingerprint recognition or facial recognition isn’t secure enough, in and of itself, contended Hector Hoyos, CEO, in an interview with Brighthand. Each of these technologies allows for spoofing.

Instead, the HoyosID platform brings together facial recognition with iris and periocular recognition technologies. (In case you’re wondering, Merriam-Webster’s medical dictionary defines the periocular region as the area “surrounding the eyeball but within the orbit.”)

HoyosID also includes “liveness” detection, a layer of protection aimed at verifying that a “real person” is trying to log on to a system or complete a transaction.

The app will use the front-facing camera on the phone to capture the user’s biometric information. The security system is software-only, with no dongle required.

Due out at the end of this quarter, HoyosID is intended to work with any Web site, Hoyos said. The Hoyos apps will be able to sync between smartphones and PCs.

“When you go to Citibank on your phone, for example, this will wake up the app. After you’ve logged in from your phone, you’ll be able to access the site from a PC,” Hoyos said.

Will Use Middleware on Servers

As an added security measure, the platform will use a layer of middleware which will run on Hoyos servers. Encrypted private keys will be generated on the server, rather than on devices themselves.

Theoretically, it might be possible for perpetrators to steal a private key, Hoyos acknowledged. “But then, they’d have to steal everyone’s keys, not just your key,” he noted.

HoyosID will support Biometric Open Protocol Standards (BOPS), a company-created, “biometrics-agnostic” standard — first announced by Hoyos at CES 2013 — with rules governing secure communications between various devices and a trusted server.

The BOPS architecture enables a two-way Secure Sockets Layer (SSL) connection over the encryption mechanism to the server, which also employs an intrusion detection system (IDS).