FIDO2/UAF Strong Customer Authentication vs Proprietary Biometric Solutions
Enterprises are facing heightened scrutiny from governments and regulatory bodies with regard to the security and protection of customer information. It is therefore important for enterprises to meet or exceed best practices for protecting customer interactions. This document compares LoginID’s FIDO certified strong customer authentication products with proprietary biometric solutions.
To help us better understand proprietary biometric solutions and the gaps between their offerings and what enterprises need, we explored three main criteria: compliance, authentication, and vulnerabilities.
Proprietary biometrics do not comply with regulatory requirements and prominent regulatory bodies.
Increasing regulatory requirements from the GDPR, CCPA, UU PDP, and PSD2 are mandating strong customer authentication (SCA) solutions and prohibiting the use of SMS authentication/verification, which makes FIDO the optimal and most secure solution on the market.
Taking the PSD2 requirements as an example, we see that proprietary biometrics could arguably be considered as one-factor authentication, thereby needing to be supplemented with an additional factor in order to meet the directive. In contrast, FIDO authentication is inherently a 2-factor authentication (2FA) and explicitly PSD2 compliant.
All major banks, mobile operators, government entities, and crypto exchanges such as Coinbase and Kraken have started adopting FIDO protocols in one form or another. Southeast Asia, as an example, is currently the largest market for FIDO users, with an estimated five hundred million users adopting it. Other companies that leverage FIDO protocols include Line, NTT Docomo, SK Telecom, Alibaba, and Industrial and Commercial Bank of China.
Local Authentication vs Remote Authentication
User authentication has two mechanisms: one that connects the device to an external server (remote), and one that uses the device by itself (local). Proprietary biometrics are inherently local, on-chip authentications. In remote authentication, by contrast, cryptographic signature data (no biometric-specific data) is transmitted to the backend server for verification, thereby providing proof of the claimed identity.
There is no out of the box remote authentication capability with proprietary biometrics.
Given the local nature of proprietary biometric authentication, there are numerous vulnerabilities worth mentioning.
There are multiple ways to implement proprietary biometric solutions, from using APIs local to the operating system and cached credentials, all the way to using long-lived refresh tokens. Regardless of which implementation an application employs, inherent risks include:
- No phishing resistance
- No ability to perform transaction confirmation
- Hard to manage revocation of the long-lived refresh token
FIDO Biometric Strong Customer Authentication
The FIDO protocol is a phishing-proof authentication protocol with strong attention to the user experience. It was developed by the FIDO Alliance, a consortium of 300+ companies that work to make commerce more secure, frictionless, and phishing free. There are now more than 4 billion devices that support the FIDO standard, with millions of new devices being added monthly. More and more large enterprises have recognized the significant benefits of adopting this protocol.
Google has experienced zero successful internal phishing attacks since they moved their employees to FIDO [1]
LoginID currently supports FIDO UAF and FIDO2 protocols:
- UAF is mobile-centric. It has usernameless, passwordless modes as well as transaction confirmation
- FIDO2 is web-oriented, developed as a joint project between W3C and the FIDO Alliance
FIDO UAF introduces additional security such as:
- No credentials are stored
- All authentications are done via FIDO and are protected by an asymmetric digital signature, which makes them impossible for an attacker to forge
- Stolen cookies pose little threat, as any high value operations are protected by transaction confirmation
- No refresh token or static secrets, which reduces attack surfaces significantly
FIDO2 is a web-centric passwordless authentication protocol. It was developed in cooperation between the FIDO Alliance and W3C (World Wide Web Consortium) and is now supported by all major browsers and platforms. It is the successor of the FIDO U2F protocol. New features and functions include:
- Easy JS API
- Provides 2FA (Username/Password + FIDO2), Passwordless (Username + FIDO2) and Usernameless (Just press login) experiences
- Supported by all major browsers (Chrome, Firefox, Edge, and Safari)
- Users don’t need to buy additional or external security keys, as platform authenticators are available in Windows 10, and Android 7+, with iOS and macOS coming soon
- Enterprise-friendly and works with Windows Hello
LoginID’s Unique Proposition
In addition to the enhanced security features listed above, LoginID’s clients will also be able to benefit from the following capabilities:
Compliant Authentication: Lower Upfront Cost and Time-to-Market
Leverage our pre-compliant solution to achieve local and remote authentication; meet current security and compliance requirements and those soon to come. When you integrate with our SDKs, our backend takes care of the server authentication flows, freeing your team from designing, testing, and maintaining an in-house solution. In addition, your team will benefit from our rapid deployment, updates, new features, and ongoing maintenance of the LoginID solution.
FIDO UAF Out-of-the-Box Advantages
- Replay attack prevention
- Privacy protection
- Passwordless and usernameless modes
Expanded Privacy Feature
FIDO meets the key aspect of the GDPR, protection/privacy-by-design, which mandates that any implementation of data processing must implement data protection by design, i.e. the protection is not reactive but proactively built into the solution.
FIDO is recognized by the GDPR
Below are the 6 key factors of the FIDO protocol that contribute to its by-design fit with the GDPR [2]:
- Based on public key cryptography; no private keys are shared between device and server
- Keys are not provisioned and are generated and stored on the device
- No server side shared secrets
- Biometric data never leaves the device
- No linkability between the device and the server
By turning each of the users’ devices into their own certificate authorities, each application will get its own certificate, ensuring no way to correlate those credentials.
Transaction Specific Digital Signatures
Real digital signatures refer to the process of confirming sensitive actions such as trade executions, withdrawals, and so on. FIDO provides transaction confirmation via hardware signatures, proving the presence of the user and application at specific times, which can then be used as proof of, and non-repudiation for, transactions.
The FIDO standard is recognized by the electronic identification and trust services (eIDAS) and has strong support from the Open Banking community.
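The remote verification and transaction confirmation described above can be modelled in a few lines. This is an added illustration using Node's built-in crypto module with ECDSA P-256; it is not LoginID's or the FIDO Alliance's code, and the `Device` and `Server` classes, the message layout, the origins and the sample transaction are all constructed assumptions.

```javascript
// Added illustration, not LoginID or FIDO Alliance code. Real UAF/FIDO2 messages
// carry more fields; all names, origins and sample values here are constructed.
const crypto = require('crypto');
const RP_ORIGIN = 'https://bank.example';
// Device side: one key pair per origin, generated and kept on the device.
class Device {
  constructor() { this.keys = new Map(); }
  register(origin) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(origin, privateKey);
    return publicKey; // only the public key leaves the device
  }
  // Runs after the local biometric check succeeds (not modelled here).
  sign(origin, challenge, txText) {
    const payload = JSON.stringify({ origin, challenge, txText });
    return { payload, signature: crypto.sign('sha256', Buffer.from(payload), this.keys.get(origin)) };
  }
}

// Server side: holds public keys and outstanding one-time challenges, no secrets.
class Server {
  constructor() { this.publicKeys = new Map(); this.pending = new Map(); }
  enroll(user, publicKey) { this.publicKeys.set(user, publicKey); }
  start(user, txText) {
    const challenge = crypto.randomBytes(32).toString('hex');
    this.pending.set(challenge, { user, txText });
    return challenge;
  }
  verify(user, { payload, signature }) {
    const key = this.publicKeys.get(user);
    if (!key || !crypto.verify('sha256', Buffer.from(payload), key, signature)) return 'bad-signature';
    const { origin, challenge, txText } = JSON.parse(payload); // authenticated by the signature
    const expected = this.pending.get(challenge);
    if (!expected || expected.user !== user) return 'unknown-or-replayed-challenge';
    this.pending.delete(challenge); // single use, so a captured assertion cannot be replayed
    if (origin !== RP_ORIGIN) return 'wrong-origin';
    return txText === expected.txText ? 'ok' : 'transaction-mismatch';
  }
}
// Constructed walk-through: genuine confirmation, replay of it, phishing-origin key.
function demo() {
  const device = new Device(), server = new Server(), tx = 'Withdraw 0.5 BTC';
  server.enroll('alice', device.register(RP_ORIGIN));
  const good = device.sign(RP_ORIGIN, server.start('alice', tx), tx);
  const phish = 'https://bank.example.phish.test'; device.register(phish);
  const phished = device.sign(phish, server.start('alice', tx), tx);
  return [server.verify('alice', good), server.verify('alice', good), server.verify('alice', phished)];
}
console.log(demo());
```

The server never sees biometric data or a shared secret: it accepts an assertion only when the signature, the one-time challenge, the origin and the confirmed transaction text all match what it issued.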
Customizable Authentication Flows
Depending on your environment and security needs, your team can leverage multiple authentication standards within FIDO for:
- FIDO as a second factor to the username and password for easier adoption
- Passwordless authentication approach with a simple touch of a finger for an amazing user experience
- Usernameless experience for real future ‘one button’ authentication
Other non-security benefits
- Usage of FIDO Certified logo for marketing materials.
- Consistent standard across all major platforms: iOS, Android, Windows, Mac OS, and all major web browsers
The founding principles of the FIDO specification are privacy, security, and credential scaling, which have proven to be beneficial for maximizing authentication capabilities. Multiple industries are consolidating towards open banking, requiring a greater need for comprehensive solutions that adhere to FIDO standards.
FIDO’s open standard applies to all platforms (Web, iOS, Android, etc). This allows organizations to leverage it at scale, eliminating the need to download special applications or special extensions.
Finally, by utilizing FIDO solutions, organizations will benefit from leveraging the industry momentum around the FIDO standard and reducing their compliance efforts significantly.
LoginID is a San Mateo/Toronto based company focused on bridging the gap around authenticating users and securing their information. This is facilitated through its FIDO2 and UAF certified strong customer authentication, privacy and tokenization platform. The team is composed of seasoned executives with decades of experience, across global brands, helping commercialize products around security, cryptography, payments and mobile.
With LoginID You Get:
- FIDO2 / FIDO UAF certified biometric authentication solution
- Extensive APIs and SDKs available for integration such as OpenID Connect, iOS, Android, and Web
- Detailed and thorough documentation created by developers for developers
- A scalable business model that grows with your business
- An Open SaaS plan to support start-ups
If you would like to learn more about LoginID’s FIDO2 and FIDO UAF biometric authentication, you can do so here.