Difference Biometric Auth vs FIDO Auth

Mitul Vanasiwala

Oct 26, 2021, 4:23:22 AM
to FIDO Dev (fido-dev)
Hello FIDO Alliance Team,

Can anyone help me understand the difference between Biometric Auth (https://developer.android.com/training/sign-in/biometric-auth) and FIDO Authentication?

We are seeing so many banking apps that have enabled biometric authentication (but are not using FIDO2).

Regards,
Mitul V

Philipp Junghannß

Oct 26, 2021, 4:37:02 AM
to Mitul Vanasiwala, FIDO Dev (fido-dev)
Bio Auth is kinda local, where you can for example encrypt stuff like a token that the app then can use to authenticate however it would do without bio auth; with FIDO you get a full new auth algo and the stuff needs to be verified on the server.

That's as far as I get it basically.

Regards

Mitul Vanasiwala

Oct 26, 2021, 5:33:08 AM
to FIDO Dev (fido-dev), My1, FIDO Dev (fido-dev), Mitul Vanasiwala, Arshad Noor
Thanks.

Hi Arshad,

Can you please share more understanding on this? What are the major security concerns of using Biometric Auth (https://developer.android.com/training/sign-in/biometric-auth) compared to FIDO Authentication?

We currently have a biometric auth-enabled mobile app developed by an in-house IT team. I have a meeting with the IT team regarding FIDO and hence wanted to have more understanding of the actual difference. From a user experience perspective, the auth flow looks very similar. Currently, users are able to perform reauthentication on the mobile app using Biometric auth / PIN / etc.

Regards,
Mitul

Philipp Junghannß

Oct 26, 2021, 6:09:40 AM
to Mitul Vanasiwala, FIDO Dev (fido-dev), Arshad Noor
Well, Bio Auth is only as secure as the thing that comes after it, because Bio Auth doesn't auth to the server; if you did some CRC32 for the token verification it would be absurd, while FIDO is an established protocol. One major difference though is also that while in Biometric you can enforce Biometric including which class, on FIDO it's entirely up to the user, including fallback to lockscreen auth (which I don't see as a problem, as the lockscreen prompt is also used to provision biometric in the first place). Also, if you use FIDO already you could also use FIDO outside the app to get a standardized secure 2FA method for the website (not really for strong transaction approval though, as there are practically no FIDO devices with a screen capable of showing you any transaction data, but that applies to phone biometric as well in my opinion).

What's also nice is that FIDO is device agnostic, provided it supports it in the first place, like you don't have to code a biometric flow for Android or Apple, or an alternative flow for devices that don't have Biometric or users that don't want it.

Yes, the flow seems similar, but the difference is that under the hood FIDO just does the entire Authentication, which means less work on having your own authentication and revising that all the time if needed.

Regards

rick.h...@att.net

Oct 26, 2021, 7:44:53 AM
to Philipp Junghannß, Mitul Vanasiwala, FIDO Dev (fido-dev), Arshad Noor
The point is well taken. A problem exists, however, in that a FIDO authenticator in the wrong hands is but a gesture away from a compromised account. So then there seems to be some merit to combining bio auth with FIDO auth, and indeed others are advocating this approach. However, as you might point out, bio such as fingerprint or face scans have their own pitfalls. Of course bio use in conjunction with FIDO will vastly improve things, but the committed attacker can still prevail. Additionally, it is an understood fact that once a biometric is compromised it is forever lost. An alternative might be combining a variant of bio, such as behavioral human traits identity recognition, with FIDO? Would this not achieve the objectives of singularity of use with FIDO auth assurances and do so without risk of compromised bio?
Regards,

Arshad Noor

Nov 3, 2021, 8:16:25 PM
to fido...@fidoalliance.org, mit...@njgroup.in
(It's been a busy 10 days so I'm only now catching up to some of the
FIDO-DEV threads).

A lot depends on what you're using the biometric capabilities for within
the mobile device, and *who* provided the biometric capture/enrollment
functionality. While we tend to assume that biometric capture and
enrollment is provided by the System vendor (Android or iOS), there are
many third-party biometric providers who have their own apps, capture
technologies and enrollment processes.

That said, let's assume System-provided biometric capabilities for this
thread.

Use-Case 1: If the use-case is simply to unlock the mobile device
locally (versus using a PIN, etc.) AND/OR to protect local sensitive
data on the mobile device, clearly FIDO is irrelevant. The only security
considerations for this use-case are the biometric technologies, what
Class of sensor is desired
(https://source.android.com/compatibility/android-cdd#7310_biometric_sensors),
the method of biometric capture and verification ("modality"), etc.

Use-Case 2: However, if the use-case has to authenticate to an
application on a remote server (whether or not Use-Case 1 is required),
then you have to factor in the network authentication protocol.

If the network authentication protocol is a "legacy" protocol -
passwords or HMACs - while you might have biometric authentication on
the device, you have neither solved any of the problems of network
authentication (spoofing, phishing, brute-force attacks, etc.), nor
prevented a scalable attack on the server: all authentication secrets on
the server are ripe for attack, as evidenced by the more than 10,000
data breaches over 15 years [https://privacyrights.org/data-breaches]. You
also have to deal with the fact that there are many "legacy"
authentication protocols that you might need to support, which add to a
company's risk and cost.

The benefits you get with FIDO are:

- The same, standardized, strong-authentication protocol on desktops,
laptops and mobile devices;

- Elimination of authentication secrets on the server;

- Non-phishable credentials;

- Digitally signed business transactions (to comply with PSD2 for Strong
Customer Authentication (SCA)). While PSD2 may be the only regulation
that currently mandates SCA, FIDO digital signatures can be used in any
kind of business transaction if the app takes advantage of it; the FFIEC
updated Authentication guidance for banks and credit unions (in the
US) in August '21, to recommend the use of FIDO with high-risk
transactions (https://www.ffiec.gov/press/pr081121.htm);

- Elimination of GDPR liability when you DO NOT use an identity provider
(IdP) for FIDO operations (unless your lawyers have been able to assign
all PII violations to the IdP if their implementation is breached - see
https://github.com/w3c/webauthn/issues/1656#issuecomment-891224247);

When you combine *Strong* biometric authentication on the mobile device
*and* FIDO, in addition to all the FIDO benefits above, you also get
protection of sensitive data on the local device (if your app implements
the capability).

We're approaching a point where most people involved in high-risk
transactions can have the best of both worlds (FIDO and biometrics) -
all that's required is for app developers to take advantage of the
capability [1]. ;-)

Hope that helps.

Arshad

[1] https://github.com/StrongKey/fido2/tree/master/sampleapps/java/sacl

https://github.com/StrongKey/fido2/tree/master/sampleapps/iOS/StrongKeyFIDODemo
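As an added illustration (editor's example, not code from this thread or from the StrongKey samples linked above), here is the server-side half of two points made in the thread: Arshad's "elimination of authentication secrets on the server" and "non-phishable credentials", and Philipp's point that a local biometric still leaves the server verifying something on its own. A simulated authenticator signs a WebAuthn-style assertion, and the relying party verifies it holding nothing but the stored public key and the last signature counter. The rpId "bank.example", the origin and the challenge strings used by callers are constructed values; the authData layout and flag bits follow the WebAuthn assertion format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// Registration stand-in: the key pair is created inside the authenticator; the server keeps only the public key.
func newCredentialKey() *ecdsa.PrivateKey {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return priv
}
// ES256 signs SHA256(authData || SHA256(clientDataJSON)); authenticator and server compute the same digest.
func signedHash(authData, cdj []byte) []byte {
	cdHash := sha256.Sum256(cdj)
	h := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return h[:]
}
// Simulated authenticator: authData = SHA256(rpId) || flags || big-endian counter, then an ES256 signature.
func authenticatorSign(priv *ecdsa.PrivateKey, rpID string, counter uint32, cdj []byte) ([]byte, []byte) {
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x05, byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter)) // 0x05 = user present | user verified
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, signedHash(authData, cdj))
	return authData, sig
}

// Relying-party checks: challenge freshness, origin binding, rpId hash, UP/UV flags, counter, signature.
func verifyAssertion(pub *ecdsa.PublicKey, lastCounter uint32, rpID, origin, challenge string, cdj, authData, sig []byte) (uint32, error) {
	var cd struct{ Type, Challenge, Origin string }
	if err := json.Unmarshal(cdj, &cd); err != nil || cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return lastCounter, errors.New("malformed clientData or stale challenge (replay?)")
	}
	if cd.Origin != origin { // the client fills in origin, so a look-alike site yields a mismatch here
		return lastCounter, errors.New("origin mismatch")
	}
	if rpHash := sha256.Sum256([]byte(rpID)); len(authData) < 37 || string(authData[:32]) != string(rpHash[:]) || authData[32]&0x05 != 0x05 {
		return lastCounter, errors.New("authData rejected: wrong rpId hash or UP/UV flags not set")
	}
	c := uint32(authData[33])<<24 | uint32(authData[34])<<16 | uint32(authData[35])<<8 | uint32(authData[36])
	if c <= lastCounter {
		return lastCounter, errors.New("signature counter did not advance (cloned authenticator?)")
	}
	if !ecdsa.VerifyASN1(pub, signedHash(authData, cdj), sig) {
		return lastCounter, errors.New("invalid signature")
	}
	return c, nil // caller stores c as the credential's new counter
}
```

Note that nothing the server stores (public key, counter) lets an attacker who dumps the database log in, and an assertion produced for a different origin or replayed with a stale challenge or counter is rejected before the signature is even checked.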