One-time password (OTP) security schemes are used by software or hardware tokens for 2FA authentication. This method uses a shared secret key, stored on the token and also on the Authentication Manager server, to validate the end user and grant them access, when used in conjunction with a traditional username and password.
With biometrics, a shared secret system isn’t enough to ensure security and protect user privacy. That’s why with VeridiumID, the enrollment biometric is divided, using Visual Cryptography, as a secret between the server and the end user device. It is still the genuine biometric representation of the user captured during the enrollment flow, against which the match is performed during authentication. But with this system, the biometric is never stored unencrypted, and only during the authentication operation is it recreated in full in an isolated environment.
Captured biometrics for authentication are never stored and are transferred between server and device for validation over 2-way SSL with certificate pinning.
The Vulnerabilities of One-Time Passwords
A primary vulnerability of OTP codes is man-in-the-middle attacks. For example, the code might be captured by man-in-the-browser-types of spyware on the authentication terminal. If the attacker is able to prevent the user from authenticating, they could then impersonate the user in the 60 sec OTP-code validation timespan.
A “divided secret” scheme like Visual Cryptography doesn’t require any extra user input on the two-factor authentication (2FA) form, so there is no data to intercept. The user has to provide his second-factor authentication, in the form of a captured biometry vector, on his mobile device. This accomplishes out-of-band verification within the familiar 2FA scenario.
Shared secret key records could also be stolen from the device or server side when at rest. Then these keys can be used to generate valid authentication codes anytime in the future.
A Visual Cryptography-based solution doesn’t store any usable information on the device or server that can be used for impersonation. The encrypted biometric is “divided,” split between both device and server, and having one piece isn’t enough for a successful impersonation. The attacker would have to obtain the captured biometric “in flight” during an authentication session for a successful attack, ala a man-in-the-middle targeted attack, which can be minimized using 2-way SSL for device-server communication.
The Vulnerabilities of Visual Cryptography
For an attack on a mobile-based biometric authentication system to be successful, the end user’s client certificate and encrypted enrollment biometric have to be cloned. Moreover, push notifications would have to be masked on the client and forwarded to the attacker. The Visual Cryptography scheme prevents this by breaking up the enrolled biometric during encryption and dividing it across the device and server.
Theoretically, the user could be targeted by a phishing attack to obtain their biometric using an auth notification on his mobile device to authenticate against an attacker’s request. However, this can be mitigated by denying simultaneous valid authentication requests and requiring the client’s mobile to scan a random secret on the screen of the user’s device, placing authentication factors in the same physical location.
Of course, any authentication solution is susceptible to a denial-of-service attack. Communication over the Internet exposes APIs and most authentication flows require an Internet connection on the mobile device. Communication is encrypted with 2-way SSL, but without Internet access, there’s no way to communicate with the server in the first place. The VeridiumID server has a special solution for this to allow offline authentication to take place for specific systems and services.
Compared to shared secret (OTP) two-factor authentication, the Visual Cryptography-based VeridiumID solution mitigates a slew of vulnerabilities in the authentication process. By reducing stealable information, protecting communication between server and device, and providing contingencies for denial-of-service attacks, you can optimize security and convenience while protecting end-user privacy and your data simultaneously.