Going back to basics and trying to explain some of the core concepts and ideas on how to authenticate online users, I thought it would be good to take a look at biometric authentication. Why? Well according to a survey carried out by Visa, two thirds of Europeans would like to use biometric authentication for online payments / transactions. This is a significant number and really shows what the majority of online users want.
A term called multi-factor authentication means that in order to establish the identity of an online user, more than one factor must be used. A well-known second factor is an SMS code sent to a registered phone number of the user (often referred to as a one-time password). However, this widely spread method has been criticized and seen to be vulnerable and is now depreciated by companies such as NIST (National Institute of Standards and Technology). In generic terms, you have three categories of factors:
- Something you know (e.g. password)
- Something you have (e.g. a token, a phone, a smartcard)
- Something you are (e.g. fingerprint)
Biometrics fall under the “something you are” category. A fingerprint is the most common biometric factor thanks to the proliferation of fingerprint-enabled smartphones in the market. Other examples of biometric factors would be the face, retina (eye), heartbeat, voice, behavior, etc. Perhaps someday we’ll even have DNA as a factor in online authentication. I won’t go into the details of biometrics itself, but you can take a look at this article in FindBiometrics on ‘what are biometrics?’
Fingerprint Access to Your Online Bank?
Now that we know we can use a biometric factor to facilitate the authentication process, we can take a closer look how it would actually work in real life.
Your iPhone does not automatically grant you access to your bank account. Apple and the bank systems are completely separate. How do we bridge the gap and allow you to access your assets using your finger? The first thing to do is to put an identity provider like GlobalSign in place. The identity provider allows the bank to accept authentication methods other than their own one-time password generators that you have somewhere in the house.
Next, we need to download an app like MePin to your phone. After the app is downloaded and you fire up your browser and access your banking site, we’ll do something called ‘user driven federation’. This means that in the authentication phase, you would first authenticate with your banking credentials (I like to call it: 'the token that the dog ate') and then input something like your phone number. The bank’s identity provider will then send an authentication request to your smartphone app requesting your fingerprint. You push the circle on your iPhone then a response is sent back to the identity provider and voila, you can now use your fingerprint to authenticate to your bank instead of the token (that the dog ate).
But Is It Really Biometrics All the Way?
When you consider the flow described above, you get the impression that your fingerprint was the key to unlock the door of the website. But you’d be wrong. In the above scenario the fingerprint is replacing a PIN code. There’s a (PKI) private key within the app that is used to cryptographically sign the response message to the identity provider. This key can be protected by a PIN code, fingerprint or face recognition. This is the correct way to implement biometric authentication for online services. The biometric information does not leave the device.
Why Biometric Authentication Is Good
Consider the average user. They don’t know too much about security; they trust the bank to take care of it one way or another. What they care very much about is convenience and usability. We can all agree that complex passwords that need to be changed every 90 days is a nightmare. We can safely assume that one-time password tokens that generate 6-8 digit number sequences have a questionable convenient factor. If you don’t have a dog that eats these tokens, there’s most probably a small black hole in your house where all the tokens and other small gizmos disappear into, never to be seen again. At least there’s one in my apartment.
Biometrics that can utilize something that you hold in your hand dozens of times a day, either because of Pokémon or WhatsApp is a very handy device to use in authentication. The convenience factor is high; user acceptance and usability is also better than anything else in the market.
Why Biometric Authentication Is Bad
The most common criticism against biometrics is the fact that you can’t change it. This is true with small exceptions. If for some reason your biometric template of your thumb leaks out, you can always involve a sharp knife to distort it (kidding...). Additionally, there is something known as Cancelable Biometrics, which involves distorting the biometric features and mapping these onto a new template.
Another sore point is the privacy aspect. Some users may be reluctant to enroll into a biometric scheme as they perceive that ‘giving out’ their biometric information is very personal and an invasion of their privacy.
In information security nothing is ever 100% secure. Security researchers have proven that it is fairly easy to fool a biometric sensor. Naturally the vendors of biometric authentication solutions have improved their software to make it harder to, for example, use a static images of a face for facial recognition.
The best thing going for biometric authentication is the convenience. But I would advise to use biometrics to unlock something else (e.g. the PKI private key) that will be used for the authentication. In this way, if you happen to lose your device you can simply erase your phone and revoke the PKI key and you’re done. Relying solely on biometric authentication is kind of a Mission Impossible –type of situation. Tom Cruise can simply propel down the ventilation shaft and steal all your goodies.
We talk more about considerations before using biometric authentication in a previous blog post, check this out if you want to learn more.