Your questions on passwordless authentication answered
Fred O'Connor | December 12, 2019
From how Veridium stores a biometric template to how using a biometric instead of a knowledge factor makes authentication more secure to how a Dutch bank uses Veridium for customer authentication, we received a range of questions during our webinar on cutting through the hype around passwordless authentication. To help others learn about going passwordless and using biometrics for authentication, this blog contains the questions people asked during the webinar along with the answers from John Spencer, Veridium’s chief product officer.
Does Veridium support behavioral biometrics?
Veridium takes telemetry data from a mobile phone gathered using the gyroscope and accelerometer. The way I use my mobile phone, the way I pick up my mobile phone to authenticate creates a behavioral baseline. So now we have a mobile phone, an explicit form of authentication with whatever biometric you choose to use, and I have the behavioral check.
So let’s say I take someone’s iPhone, have access to their fingerprints, and try to use it to get into their banking app. That’s when our behavioral feature kicks in. So the phone and biometric would be good, but everything about the behavior of the phone isn’t right. So we’re going to ask for another form of authentication or the bank is going to call you. That’s really up to the customer. We support behavioral by default in the Veridium platform.
Where’s the biometric stored?
With biometrics, you can’t reset them like your password. They’re pretty much with you for life. So there’s a huge concern around where the biometric template lives and how it’s stored. If the template is stolen, it could be used for malicious purposes.
We give you a choice. You can store the biometric template exclusively in the mobile phone in the trusted execution environment. It’s in a secure environment on the phone and you need your biometric to access the template. We can also store the biometric on the server so nothing is stored locally. You put your security around your VeridiumID server either in your data center or in the cloud.
To mitigate the risk, we also shard the data. Here’s a quick overview of what that looks like. We enroll your biometric template, we encrypt it and then it’s cut in half. One half is stored in one location, the other half is stored in another place so a single biometric template is never in one place.
How would eliminating a strong knowledge factor and adding biometrics to the authentication process improve security?
There are a couple of ways that strong authentication is implemented today. SMS is one option. I can also use tokens. We’ve seen some biometric capabilities in the call center, like “my voice is my password.” Those methods replace knowledge-based authentication methods, like questions such as “what was my first dog named?”
The advantage of biometric identity over other strong authentication methods is that it proves identity with a high degree of assurance. Me knowing your password and having access to your device and knowing your PIN doesn’t prove identity. We see this a lot. An insurance company told me last week that executive assistants often log into their manager’s email accounts to do the more mundane tasks. The assistants have the credentials, but they’re not the account owners. There isn’t a high degree of certainty around the identity of the person accessing the account. They just have the credentials.
With biometrics we have this non-repudiation capability that says it was this person who was logging in to this environment at this time.
Can you talk about a customer use case?
Bunq, a Dutch bank, wanted to bring biometric authentication to their customers. Veridium introduced this biometric capability into bunq. Their customers use the Veridium biometric capability to log into their account and use it for high value transactions like changing their ATM card’s PIN. We’ve seen a lot in the finance space around enabling users to authenticate into their bank account using passwordless technology so they use what they are instead of knowledge-based authentication like a password.
How do you prevent someone who has your username from constantly spamming your phone with OTP requests?
We don’t use OTPs. We use biometrics. The typical user authentication sequence looks like this: I would take my mobile phone, I’d go to my Windows laptop or a website or whatever the service was and I’d scan a QR code with a mobile app. I’d scan the QR code with either the Veridium app downloaded from Apple’s App Store or Google Play or an in-house app that’s created using our SDK. Scanning the QR code initiates the authentication process. Then I validate my biometric to complete the authentication attempt. So I can’t be spammed in that environment.
How does the Veridium server contact the phone? How can it ensure that the response is genuine and not spoofed?
In essence, on first enrollment the mobile device is registered against the server. The server issues a unique key to that device that’s stored in the Secure Enclave on an Apple device.
That key needs to be presented for all mobile/server communication via SSL. The server notifies the mobile device via APNS or Firebase when required.
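As an added illustration, not Veridium’s code, here is a small stdlib-only Python model of the flow described in the two answers above: enrollment issues a per-device key, a QR code or push carries a short-lived challenge, and the server only accepts a response that is keyed with that device’s secret, unexpired and unused. The class and function names, the 60-second lifetime and the use of an HMAC tag as the “presented key” are assumptions made for this example.

```python
import hmac
import hashlib
import secrets

CHALLENGE_TTL = 60  # seconds a challenge stays valid (assumed value)


class EnrollmentServer:
    """Toy model of the server side: not Veridium's implementation."""

    def __init__(self):
        self.device_keys = {}  # device_id -> secret issued at enrollment
        self.challenges = {}   # challenge_id -> (device_id, nonce, issued_at)

    def enroll(self, device_id):
        # One unique key per registered device; the phone keeps it in
        # hardware-backed storage (Secure Enclave / Keystore) in the real system.
        key = secrets.token_bytes(32)
        self.device_keys[device_id] = key
        return key

    def issue_challenge(self, device_id, now):
        # Encoded into the QR code, or delivered by push (APNS / Firebase).
        cid = secrets.token_hex(8)
        nonce = secrets.token_bytes(16)
        self.challenges[cid] = (device_id, nonce, now)
        return cid, nonce

    def verify(self, cid, device_id, tag, now):
        entry = self.challenges.pop(cid, None)  # single use: gone after first try
        if entry is None or tag is None:
            return False
        expected_device, nonce, issued_at = entry
        key = self.device_keys.get(device_id)
        if key is None or expected_device != device_id:
            return False
        if now - issued_at > CHALLENGE_TTL:
            return False
        expected = hmac.new(key, cid.encode() + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)  # constant-time comparison


def device_respond(key, cid, nonce, biometric_ok):
    """Phone side: only after a successful local biometric check is the
    challenge tagged with the device key; a spoofed phone has no key."""
    if not biometric_ok:
        return None
    return hmac.new(key, cid.encode() + nonce, hashlib.sha256).digest()
```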
What if I don’t have my phone?
You can have more than one device enrolled against your account. My iPad is also enrolled, for example. But let’s say you’re in a hotel room and your phone is out of battery and you don’t have a charger or a cable to connect the phone to your computer. We have lost mode.
You can contact the help desk and they determine how best to identify the person who’s trying to authenticate. They can initiate authentication from the admin console on the VeridiumID server. (This blog talks about how employees can authenticate with Veridium when a mobile phone isn’t available or can’t be used.)