Not all biometric authentication is equal


Recently, the Chief Executive Officer of Wells Fargo Bank spoke about biometric authentication at an Economic Outlook Conference.  He stated that we may be the last generation to use user names and passwords, and that Wells Fargo (amongst other banks) was testing biometric technology – fingerprint matching, voice recognition, iris matching, etc. – as a means of authenticating users to websites and systems.

While biometric technology is not new (it has been commercially available for at least two decades), the fingerprint readers in Apple’s iPhone and newer Android-based devices have done more to bring biometrics to the masses than all previous efforts combined.  Notwithstanding this surge in adoption, it would be a fallacy to assume that all biometric technologies are equal, or secure.  While biometrics certainly make the user’s authentication experience easier, they do not necessarily make it more secure; as the adage goes, the devil is in the details.

Given the variability of biometrics, how does a user tell whether a given biometric technology is secure?  The quick answer: they can’t.  It would be futile to educate users about the security factors associated with biometrics when it’s difficult enough for professionals to keep up with them in a rapidly evolving landscape.

There is one concern, however, most users have – or are likely to have – with biometric authentication: are the biometric data being sent to a site’s servers?   If so, are they stored there?  What are the protections around that storage?  Given the breaches we’ve witnessed over the years, and given the propensity of site operators to profit from customer data, this is a very legitimate concern.  Unlike healthcare data, US law says precious little about biometric data security and privacy.

A solution that has the potential to address this concern is to combine biometric technology with a Fast Identity Online (FIDO) protocol for strong authentication.

When a device, a site and the application between them use a FIDO protocol for strongly authenticating users, they are following an industry standard designed with the user’s security and privacy in mind.  FIDO protocols do not require biometric data to be sent to the site; the cryptographic key pair used to authenticate a user is generated on the device and is unique for each site, so two sites cannot use the keys to correlate the same user.  Devices and applications that use FIDO with biometrics typically use the biometric data only to verify the user locally, on the device.  When that local check succeeds, the device uses the private key it holds for that site to sign a fresh challenge from the site, and the site verifies the signature with the public key it received when the user registered.  In this two-step process the site only ever holds a public key and sees a signature, so a FIDO-enabled site respects its users’ privacy by never needing biometric data to authenticate them, and a breach of the site cannot expose biometric data it never had.
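The exchange described above, as an added walk-through that is not part of the original post and is not FIDO Alliance or vendor code: a toy authenticator and relying party in Python. The Schnorr signature over a 10-bit group, the site origins, the user name and the fingerprint "template" are all constructed stand-ins (real authenticators use standard elliptic-curve signatures and the CTAP/WebAuthn message formats, which this sketch omits). What it shows is the shape of the protocol: the fingerprint is matched on the device and never leaves it, one key pair is made per site, and the site receives only a public key at registration and a signed, origin-bound challenge at login.

```python
import hashlib
import hmac
import secrets

# Toy Schnorr group: p = 2q + 1 with p, q prime; g = 4 generates the order-q subgroup.
# 10-bit parameters are for illustration only; real authenticators use standard curves.
P, Q, G = 1019, 509, 4


def _hash_to_scalar(r: int, msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(r.to_bytes(4, "big") + msg).digest(), "big") % Q


def schnorr_sign(x: int, msg: bytes) -> tuple:
    """Sign msg with private scalar x: returns (e, s) with s = k - x*e mod q."""
    k = secrets.randbelow(Q - 1) + 1  # fresh nonce for every signature
    e = _hash_to_scalar(pow(G, k, P), msg)
    return e, (k - x * e) % Q


def schnorr_verify(y: int, msg: bytes, sig: tuple) -> bool:
    """Verify with public key y = g^x: recompute r = g^s * y^e and check the hash."""
    e, s = sig
    return _hash_to_scalar(pow(G, s, P) * pow(y, e, P) % P, msg) == e


class Authenticator:
    """The user's device. The enrolled template and the private keys never leave it."""

    def __init__(self, enrolled_template: bytes):
        self._template = enrolled_template
        self._keys = {}  # origin -> private key: one key pair per site

    def _require_user(self, sample: bytes) -> None:
        # Stand-in for the fingerprint matcher. The match decision is made here, on the
        # device; the sample is compared and discarded, never forwarded anywhere.
        if not hmac.compare_digest(sample, self._template):
            raise PermissionError("local biometric match failed")

    def register(self, origin: str, sample: bytes) -> int:
        self._require_user(sample)
        self._keys[origin] = secrets.randbelow(Q - 1) + 1
        return pow(G, self._keys[origin], P)  # only the public key leaves the device

    def authenticate(self, origin: str, challenge: bytes, sample: bytes) -> tuple:
        self._require_user(sample)
        # The signed data names the origin the client is actually talking to, so an
        # assertion made for one site is useless to another.
        data = origin.encode() + b"|" + challenge
        return data, schnorr_sign(self._keys[origin], data)


class RelyingParty:
    """The site. It stores public keys only, so a breach here exposes no biometric data."""

    def __init__(self, origin: str):
        self.origin, self.public_keys, self._pending = origin, {}, {}

    def begin_login(self, user: str) -> bytes:
        self._pending[user] = secrets.token_bytes(32)  # fresh challenge per attempt
        return self._pending[user]

    def finish_login(self, user: str, data: bytes, sig: tuple) -> bool:
        expected = self._pending.pop(user, None)  # challenges are single-use
        origin, _, challenge = data.partition(b"|")
        if expected is None or origin != self.origin.encode():
            return False
        return hmac.compare_digest(challenge, expected) and schnorr_verify(
            self.public_keys[user], data, sig)


def demo() -> dict:
    finger = b"constructed-fingerprint-template"  # constructed stand-in for sensor output
    device = Authenticator(finger)
    bank = RelyingParty("https://bank.example")
    phish = RelyingParty("https://bank-login.example")  # attacker's look-alike site
    for rp in (bank, phish):  # the user has "set up fingerprint login" at both
        rp.public_keys["alice"] = device.register(rp.origin, finger)
    out = {"keys_differ_per_site": bank.public_keys["alice"] != phish.public_keys["alice"]}
    # Honest login: the bank receives client data and a signature, never the fingerprint.
    data, sig = device.authenticate(bank.origin, bank.begin_login("alice"), finger)
    out["login_ok"] = bank.finish_login("alice", data, sig)
    out["replay_rejected"] = not bank.finish_login("alice", data, sig)  # challenge consumed
    try:  # wrong finger: refused on the device; nothing is signed or sent
        device.authenticate(bank.origin, bank.begin_login("alice"), b"someone-else")
        out["wrong_finger_rejected"] = False
    except PermissionError:
        out["wrong_finger_rejected"] = True
    # Phishing relay: the attacker forwards the bank's challenge to the user, but the
    # assertion names the phishing origin and uses that origin's key, so the bank rejects it.
    data, sig = device.authenticate(phish.origin, bank.begin_login("alice"), finger)
    out["phish_rejected"] = not bank.finish_login("alice", data, sig)
    return out


if __name__ == "__main__":
    print(demo())
```

Everything the site ever stores is in `RelyingParty.public_keys` and `_pending`; everything that crosses the wire is the public key at registration and `(data, sig)` at login. The per-origin key and the origin written into the signed data are what make the phishing relay fail even though the attacker holds a valid, unexpired challenge from the bank.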

Biometric devices not using FIDO protocols may legitimately claim they do not send biometric data to sites for authentication; however, only FIDO protocols currently provide standardized cryptographic proof that biometric data is neither needed by, nor sent to, the site to authenticate users.

Given the potential for confusion as biometrics are used by more applications and sites, what is needed is a standard identification mark that does the following:

  1. Distinguishes ‘plain-vanilla biometric’ devices from ‘FIDO-enabled biometric’ devices;
  2. Distinguishes FIDO-enabled applications from non-FIDO-enabled applications (much as the padlock icon in browsers signals an SSL/TLS connection); and
  3. Lets sites indicate when they are using FIDO protocols for strong authentication.

While the FIDO Alliance has such identifying marks for devices, it’s uncertain whether Android/iOS and browsers (the most common FIDO-enabled applications) and sites will choose to highlight the marks even if devices are so labelled.  This assurance from mobile operating systems, browser manufacturers and sites may be necessary to give consumers confidence that they are not being dumped from the frying-pan of passwords into the fire of biometrics.