Enterprises face heightened scrutiny from governments and regulatory bodies with regard to the security and protection of customer information. It is therefore important for enterprises to meet or exceed best practices for protecting customer interactions. This document compares LoginID’s FIDO certified strong customer authentication products with proprietary biometric solutions.

Proprietary Biometrics

To help us better understand proprietary biometric solutions and the gaps between their offerings and what enterprises need, we explored three main criteria: compliance, authentication, and vulnerabilities.

Compliance

Proprietary biometrics do not comply with the requirements set by prominent regulatory bodies.

Increasing regulatory requirements from the GDPR, CCPA, UU PDP, and PSD2 mandate strong customer authentication (SCA) solutions and prohibit the use of SMS authentication/verification, which makes FIDO the optimal and most secure solution on the market.

Taking the PSD2 requirements as an example, proprietary biometrics could arguably be considered one-factor authentication and would therefore need to be supplemented with an additional factor to meet the directive. In contrast, FIDO authentication is inherently two-factor authentication (2FA) and explicitly PSD2 compliant.

All major banks, mobile operators, government entities, and crypto exchanges such as Coinbase and Kraken have started adopting FIDO protocols in one form or another. Southeast Asia, as an example, is currently the largest market for FIDO users, with an estimated five hundred million users adopting it. Other companies that leverage FIDO protocols include Line, NTT Docomo, SKTelecom, Alibaba, and the Industrial and Commercial Bank of China.

Local Authentication vs Remote Authentication

User authentication can take one of two forms: remote, where the device connects to an external server, and local, where the device verifies the user by itself. Proprietary biometrics are inherently local, on-chip authentication. In remote authentication, cryptographic signature data (never the biometric data itself) is transmitted to the backend server for verification, which provides proof of the claimed identity.

There is no out of the box remote authentication capability with proprietary biometrics.

Given the local nature of proprietary biometric authentication, there are numerous vulnerabilities worth mentioning.

Vulnerabilities

There are multiple ways to implement proprietary biometric solutions, from using APIs local to the operating system with cached credentials, all the way to using long-lived refresh tokens. Regardless of which implementation an application employs, inherent risks include:

  • No phishing resistance
  • No ability to perform transaction confirmation
  • Hard to manage revocation of the long-lived refresh token

FIDO Biometric Strong Customer Authentication

The FIDO protocol is a phishing-proof authentication protocol with strong attention to the user experience. It was developed by the FIDO Alliance, a consortium of 300+ companies that work to make commerce more secure, frictionless, and phishing-free. There are now more than 4 billion devices that support the FIDO standard, with millions of new devices being added monthly. More and more large enterprises have recognized the significant benefits of adopting this protocol.

Google has experienced zero successful internal phishing attacks since they moved their employees to FIDO. [1]

LoginID currently supports FIDO UAF and FIDO2 protocols:

  • UAF is mobile-centric. It has usernameless, passwordless modes as well as transaction confirmation
  • FIDO2 is web-oriented, developed as a joint project between W3C and the FIDO Alliance

FIDO UAF

FIDO UAF introduces additional security such as:

  • No credentials are stored
  • All authentications are done via FIDO and are protected by an asymmetric digital signature, which makes it impossible for an attacker to forge
  • Stolen cookies pose little threat, as any high value operations are protected by transaction confirmation
  • No refresh token or static secrets, which reduces attack surfaces significantly

FIDO2

FIDO2 is a web-centric passwordless authentication protocol. It was developed in cooperation between the FIDO Alliance and W3C (World Wide Web Consortium) and is now supported by all major browsers and platforms. It is the successor of the FIDO U2F protocol. New features and functions include:

  • Web-friendly
  • Easy JS API
  • Provides 2FA (Username/Password + FIDO2), Passwordless (Username + FIDO2) and Usernameless (Just press login) experiences
  • Supported by all major browsers (Chrome, Firefox, Edge, and Safari)
  • Users don’t need to buy additional or external security keys, as platform authenticators are available in Windows 10, Android 7+, iOS, and macOS
  • Enterprise-friendly and works with Windows Hello

LoginID’s Unique Proposition

In addition to the enhanced security features listed above, LoginID’s clients will also be able to benefit from the following capabilities:

Compliant Authentication: Lower Upfront Cost and Time-to-Market

Leverage our pre-compliant solution to achieve local and remote authentication; meet current security and compliance requirements and those soon to come. When you integrate with our SDKs, our backend takes care of the server authentication flows, freeing your team from designing, testing, and maintaining an in-house solution. In addition, your team will benefit from our rapid deployment, updates, new features, and ongoing maintenance of the LoginID solution.

FIDO UAF Out-of-the-Box Advantages

  • Replay attack prevention
  • Privacy protection
  • Passwordless and usernameless modes

Expanded Privacy Feature

FIDO meets a key aspect of the GDPR, data protection/privacy by design, which mandates that any data processing implement data protection by design, i.e. the protection is not reactive but proactively built into the solution.

FIDO is recognized by the GDPR

Below are the key factors of the FIDO protocol that contribute to its by-design fit with the GDPR: [2]

  • Based on public key cryptography - no private keys are shared between device and server
  • Keys are not provisioned centrally; they are generated and stored on the device
  • No server side shared secrets
  • No linkability between the device and the server

By turning each user’s device into its own certificate authority, each application gets its own certificate, so there is no way to correlate those credentials.

Transaction Specific Digital Signatures

Transaction-specific digital signatures confirm sensitive actions such as trade executions and withdrawals. FIDO provides transaction confirmation via hardware signatures, proving the presence of the user and application at a specific time, which can then serve as proof and non-repudiation for the transaction.

The FIDO standard is recognized by the EU’s electronic identification, authentication and trust services (eIDAS) regulation and has strong support from the Open Banking community.

Customizable Authentication Flows

Depending on your environment and security needs, your team can leverage multiple authentication standards within FIDO for:

  • FIDO as a second factor to the username and password for easier adoption
  • Passwordless authentication approach with a simple touch of a finger for an amazing user experience
  • Usernameless experience for real future ‘one button’ authentication

Other non-security benefits

  • Usage of FIDO Certified logo for marketing materials.
  • Consistent standard across all major platforms: iOS, Android, Windows, Mac OS, and all major web browsers

Conclusion

The founding principles of the FIDO specification are privacy, security, and credential scaling, which have proven to be beneficial for maximizing authentication capabilities. Multiple industries are consolidating towards open banking, requiring a greater need for comprehensive solutions that adhere to FIDO standards.

FIDO’s open standard applies to all platforms (Web, iOS, Android, etc). This allows organizations to leverage it at scale, eliminating the need to download special applications or special extensions.

Finally, by utilizing FIDO solutions, organizations will benefit from leveraging the industry momentum around the FIDO standard and reducing their compliance efforts significantly.

References

  1. https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/
  2. https://fidoalliance.org/fido-authentication-for-gdpr-video/