Digital security is an increasingly complex issue that doesn’t lend itself to easy answers. That’s a big part of the reason there has been a live debate in recent years over whether end user authentication is better performed on an external server or on the user’s device. While each approach suits different circumstances, the on-device approach offers one very clear benefit: user data cannot be compromised via a server breach. With data breaches regularly making headlines, it’s no wonder that the kinds of on-device authentication processes advocated by the FIDO Alliance are gaining traction, especially as the ascent of biometric security continues.
1. Face ID Turns Some Heads
This may be the most high-profile example of on-device biometric authentication. Apple made a huge splash when it unveiled Face ID last autumn: there was a ton of anticipation for a substantially different new iPhone model, and Apple’s infrared 3D facial scanning system turned out to be one of the new iPhone X’s flagship features. Part of the excitement was its use in creating 3D animated emojis based on the user’s facial expressions, but its ease of use for authentication – just look at your phone and it unlocks – also proved very popular, with Apple claiming that the odds of a random person unlocking it were one in a million.
Of course, Apple didn’t pioneer on-device authentication with Face ID. Its trailblazing Touch ID fingerprint scanning system also performed biometric authentication on the user’s device, with no data transmitted to Apple’s servers. But by renewing mass market interest in biometric authentication on smartphones, Face ID is also carrying the torch for this kind of strong on-device authentication in the consumer sector. Granted, the iPhone X sits at the top of the premium price spectrum and therefore has somewhat limited market share, despite all the media buzz. But with Apple reportedly planning to make it a standard feature on its forthcoming devices, it’s fair to expect Face ID to wind up in a lot more hands over the coming years.
2. The Key to PC Biometrics
While enthusiasm for biometric authentication is high in the mobile sector, the sensors needed to support it are still far more scarce on computer devices. To be sure, there are a few laptops and notebooks that feature built-in fingerprint sensors, but for the vast majority of PC and laptop users, fingerprint authentication just isn’t an option – or rather, not right out of the box. That’s where BIO-key’s USB authentication devices come into play. Available in three models – SideSwipe, EcoID, and SideTouch – they are compact devices designed to plug into a standard USB port on a computer, just like a memory stick. But with their embedded fingerprint sensors, they enable the same kind of biometric authentication available through many smartphones.
What’s more, the devices are all compatible with Windows Hello, the biometric security framework built into the Windows 10 operating system. That means any computer running the Microsoft operating system can take advantage of BIO-key fingerprint authentication straight away. And with the entire biometric enrollment and matching process taking place on the user’s device, this offers a FIDO2-compliant authentication solution that cannot be undermined by cloud breaches or other attacks against servers. The devices are available from Microsoft’s retail stores and from its online shop.
3. Firefox and Friends
While the efforts of Microsoft and BIO-key to promote on-device biometric authentication on PCs and laptops continue to have a real impact, they only work where the software and peripherals that support this kind of security are present. Meanwhile, much of the weakest kind of password authentication – perhaps most of it – occurs on the web, with users signing into various online accounts using the same vulnerable password. End user vigilance is of course an issue here, but the fact is that it’s really hard to remember all the complex passwords needed on today’s internet, and it’s hard to blame people for throwing up their hands and sticking with one or two simple passwords they aren’t likely to forget.
It’s a wonderful situation for hackers and fraudsters, but it’s soon going to change thanks to the new FIDO2 standards. A fundamental component of FIDO2 is WebAuthn, a standard API that lets developers build strong FIDO-based authentication directly into their websites, prompting end users to confirm their identities with a USB key such as a Yubico YubiKey, or with a biometric scan on a paired mobile device. Google and Microsoft are working to integrate WebAuthn into their own web browsers, and Mozilla has already enabled this functionality in Firefox. That means when an end user needs to sign into a given online account through the web, it’s just a matter of scanning a finger on their smartphone, or tapping a USB key plugged into their laptop. No more passwords – to use or to get hacked.
4. FIDO’s Many Allies
Firefox and its peers are only the latest indication of the growing reach of FIDO standards. But if you were to look for the front line in the FIDO Alliance’s war on passwords, it would probably be in the financial services sector, which has broadly embraced emerging FinTech solutions to improve security as more and more financial business is done online. That’s why some of FIDO’s most prominent members are highly active in this area, offering cutting-edge FIDO-compliant solutions for digital banking, commerce, and more.
FIDO Alliance co-founder Nok Nok Labs is one such example. The company’s S3 Authentication Suite is being upgraded to support FIDO2, and in its current form it already supports a wide range of authentication factors, including facial, fingerprint, and voice recognition. The company also offers a robust Software Development Kit that helps financial services organizations implement strong mobile authentication – a critical area, given the rise of mobile banking and payments – using a single API. And, of course, the authentication data is all processed on the user’s device.
Aware, Inc., meanwhile, has a selfie-based authentication platform that relies heavily on FIDO standards, as suggested by its name – FIDO Suite. The solution is designed to enable user authentication via facial recognition, scanning for eye blinks and other signs of liveness from the end user; and the biometric data never leaves the app, ensuring that it’s kept safe and secure. Aware has been aiming the solution primarily at financial transaction applications, where reliable biometric authentication can not only replace passwords but improve security.
Carrying on with that theme, Daon helped to pioneer the current selfie-based authentication trend with its IdentityX platform, which found considerable market interest from the financial services sector soon after its launch. IdentityX doesn’t just rely on facial recognition, however; the mobile platform also supports fingerprint scanning, voice recognition, and even palm pattern recognition, among other authentication factors. Daon’s technology was also recently deployed to a major Hong Kong bank in collaboration with Digi-Sign, allowing its customers to replace password-based sign-in with biometric authentication. The deployment adhered to FIDO standards, again ensuring that customer data wouldn’t be stored in a potentially vulnerable external server.
These solutions collectively demonstrate the utility and the wide applicability of on-device authentication, particularly when it comes to biometrics. More than that, they indicate the enthusiasm for this approach. And as On-Device Authentication Month continues, stay tuned to FindBiometrics for news on more such solutions as they continue to proliferate.
May 17, 2018 – by Alex Perala