‘On-device biometrics’ is one of the most important concepts in today’s digital security landscape, yet it is not widely understood by everyday users. It answers a question that many people never think to ask: where does my biometric data go when it’s scanned?
It’s a crucial question. Biometric data transmitted to external servers – “the cloud”, in today’s usage – ends up in a central database that is exposed to attacks on those servers, and a single breach there exposes every enrolled user at once; unlike a password, a fingerprint or a face cannot be reissued afterwards. Data stored on a given device is only exposed to an attack on that specific device, and an attacker must compromise devices one at a time. That’s why the on-device approach is so popular among security professionals, even if it isn’t the most appropriate setup for every situation (identifying an unknown person against a whole population, for example, requires a central gallery by definition, so it is really a question of which use cases justify one).
The Mobile Biometrics Revolution
The on-device movement started to gain prominence in tandem with the mobile biometrics boom launched by Apple in 2013. That’s when Apple introduced its Touch ID fingerprint scanning system in the iPhone 5S. It was the first big-name biometric authentication system on a smartphone, and it would inspire a great many imitators as fingerprint authentication went mainstream in the ensuing years. Apple set the table by keeping the user’s fingerprint data on the iPhone: a mathematical representation of the fingerprint, not an image, stored in the phone’s Secure Enclave, where matching also takes place, and never backed up to Apple’s servers. That approach, too, was emulated by many rivals. Indeed, even when competitors have tried to pioneer new approaches to mobile authentication, such as Samsung with its recent smartphones’ iris scanning technology, they’ve tended to stick to keeping user data on-device.
And Apple has maintained this approach with Face ID, its big new face-scanning authentication system. It’s still done on-device. There is no external server storing users’ facial biometrics data – not the images themselves, nor any cryptographic hashes of the data. It’s all stored encrypted in the Secure Enclave, which removes the centralized target a remote attacker would otherwise aim at and speeds up authentication by eschewing the practice of transmitting biometric data for server-based matching. In the big picture, this means spoof attacks against Face ID, though possible, are not scalable: each attempt to impersonate a user for wrongful access requires physical access to that specific user’s iPhone.
A Game-Changing Alliance
All that having been said, even if it helped to shift things into high gear, Apple certainly didn’t invent the on-device movement. IT security experts had long recognized this as a strong approach to authentication, and one of the biggest advocates for on-device authentication – and for strong, post-password security processes in general – was formed about half a year before Apple first unveiled Touch ID. In February of 2013, Nok Nok Labs, Validity Sensors, Infineon, Lenovo, PayPal, and Agnitio officially announced the launch of the FIDO Alliance, a cross-industry consortium with a mandate to develop and promote standards for strong authentication. Other big names like Google, NXP, and Yubico were soon to follow, joining the Alliance a couple of months later.
From the outset, FIDO’s standards took an on-device approach to authentication, in the form of specifications like FIDO UAF and FIDO U2F, both of which were published as final 1.0 specifications in December of 2014. Things escalated quickly from there. With mobile-based commerce starting to take off, major financial services providers like ING and USAA started to join the FIDO Board of Directors. In late 2015, FIDO partnered with the World Wide Web Consortium (W3C), the web’s standards body, which would go on to standardize the browser side of FIDO authentication as WebAuthn. In January of 2016, the number of FIDO Certified solutions had reached 100; by that summer, the number had reached 200.
Now, there are well over 500 FIDO Certified products, and the Alliance’s recently-launched FIDO2 standard is starting to gain traction. The main aim of the standard is to promote strong authentication online, allowing end users to authenticate directly through a web browser via biometric authentication on a smartphone or through a USB or NFC security key. The important thing here is that while this kind of authentication involves communication with an external server, the user’s data stays on their device: at registration the authenticator generates a key pair and hands over only the public key, and at login it proves possession of the private key by signing a fresh challenge from the server. The biometric check that unlocks the key happens locally, so the server never sees a fingerprint or face, and a breach of the server yields nothing an attacker can log in with. You can’t authenticate without possessing the authenticating device. And the major browsers now support FIDO2, extending this security functionality to many millions of users around the world.
New Solutions Take Heed
Together with the proponents of the mobile biometrics revolution, the FIDO Alliance has thus helped to make the on-device approach to biometric data mainstream. It’s almost a given that this is the way to go for most applications of biometric authentication, with new kinds of products embracing it as a matter of course. BIO-key, for example, has established itself as an expert provider of fingerprint-scanning USB keys, and its solutions are designed to keep all biometric data on the device, from enrollment on through every subsequent authentication event.
Biometric payment cards offer another compelling example. These are debit and credit cards for contactless, tap-and-go payments that feature embedded fingerprint sensors to verify that the person tapping is the enrolled cardholder. Multiple solutions are currently in the trial phase, and the organizations behind them are starting to roll out messaging to get consumers ready for large-scale launches. One note that keeps popping up in this messaging is that users’ biometric data is stored directly on a given card, and not sent to a bank’s servers. Indeed, one of the UX hurdles that solution providers have had to overcome in preparing this technology is finding a way to let users enroll their fingerprints at home, with no need to somehow connect the card to the internet for processing. Because the emerging solutions keep users’ biometric information on the device, this has been accomplished fairly easily with solutions like Gemalto’s registration sleeve for its biometric card, which simply asks the user to scan their fingerprint multiple times for on-device registration, in much the same way as fingerprints are registered on a smartphone.
Then there are the software solutions that have emerged for strong mobile authentication – solutions that, their vendors argue, can match or surpass the security of the biometric hardware built into the smartphones running them. Sensory Inc., for example, has made waves with its TrulySecure voice and facial recognition solution, which keeps data on a given smartphone for authentication not only as a means of keeping it secure, but also to make the authentication process as fast as possible, with no need to wait for data to be sent out for matching. Likewise, Aware’s Knomi SDK platform enables facial and voice recognition on any standard smartphone, and again it keeps user data on the device.
Importantly, both of these solutions are FIDO certified, with Aware’s Knomi system having become one of the first products to get FIDO UAF 1.1 certification in September 2018. It all goes to show how the mobile biometrics pioneers, the FIDO Alliance, and today’s biometric authentication specialists have dovetailed in their efforts to keep user data secure, with all recognizing the advantages of on-device biometrics.
On-Device Biometrics Month is made possible by our sponsor: Aware, Inc.
May 3, 2019 – by Alex Perala