October 25, 2021
In this video, Brandon Krieger of Daily Cyber and Simon Law, CEO of LoginID, talk about the effectiveness of a PIN when it comes to strong customer authentication. They also discuss the growing need for passwordless authentication in the crypto exchange and digital wallet space (full transcript below).
LoginID, along with their partner AuthID, offer eKYC and digital identity verification services that are well suited to crypto exchanges and digital wallets looking to enhance their fraud prevention measures. This digital identity verification service recognizes and can verify over 9,000 document types from hundreds of countries, and it works well on a mobile device, allowing for mobile identity verification as well.
Crypto exchanges and digital wallets can also use LoginID’s FIDO/FIDO2 certified Transaction Confirmation with Digital Signature API to ensure that any transfer of crypto is in fact authorized by its owner. Before a transfer or sale of crypto can be made, the tool prompts the digital wallet owner to use their biometric or enter their PIN to confirm the transaction. This cryptographically signs the transaction details, acting as a digital signature, and creates a digital receipt. This payment authentication methodology is a powerful tool in crypto fraud prevention.
Brandon Krieger: Is there a big difference in security levels between using biometrics or a PIN and a traditional password?
Simon Law: Actually, if you use the PIN, it is still much more secure, because what happens is that FIDO2 actually stores the private key inside the iPhone’s secure enclave. So it’s much more secure than a password manager or form fills from Chrome that you might have. It is much more secure than these existing solutions.
If you have that PIN on your iPhone, when more websites start adopting FIDO2, it will pop up on your screen, and in certain instances you will be able to bypass the biometric authentication and use your PIN instead of your fingerprint. In certain operating systems the behavior changes, and I’d have to check what the iPhone does, particularly. But I believe what happens is you can bypass the fingerprint by typing in your PIN.
The point is there, the two-factor authentication is something that you have, which is the encryption key, and something that you know, which is your PIN. So it’s still strong two-factor authentication because it’s something that’s controlled by the hardware of your phone. It's much more secure than any existing solution out there.
BK: Awesome, that’s good to know. I have an iPhone, so that’s good to know. Do you see passwordless authentication also being implemented in the non-consumer field of tech, for IT professionals using terminals?
SL: Very good question. For high security, FIDO2 WebAuthn actually started out with security keys. I’m going to show you one that I have right here. It’s a level 2 security key, which you can use your fingerprint to unlock. So the private key, instead of being stored on the secure enclave of your iPhone, can be stored here as well. So you can bring this key around.
As an example, if I’m in the corporate world and I want to transfer a big amount of money to pay a vendor, say $200k, then you would want some security like a FIDO2 security key or something like the secure enclave on your phone with your fingerprint.
Another example of something that’s both consumer and corporate is crypto exchanges and digital wallets. We have a lot of interest in the crypto exchange and digital wallet space. If you log into an entity like Coinbase, Kraken, or Binance, they are very paranoid about security.
Right now they typically use Google Authenticator, which is a software-based key that rotates a number on your phone, and then you type that number in while you’re logging in. That can easily be replaced by FIDO2 WebAuthn, and you will get better security and more convenience.
That’s an example of both a commercial and a consumer application; it depends on whether you’re a day trader or not, but it’s still relevant.