Guest Post: The two-factor authentication mirage
08 May 2017 15:37 GMT

By Thomas Bostrøm Jørgensen, CEO of Encap Security

The conventional wisdom is that using a fingerprint, or some other biometric method, to log into a service is more secure than a username or password. But many app developers are implementing biometrics through mobile devices in a way that is leaving services every bit as vulnerable to attack as if they had stuck to a simple password-based scheme.

Hooking into biometrics

Providing every user of a service with a hardware token that offers a one-time password is cost-prohibitive. Giving every user a fingerprint sensor would be even more expensive. An enterprise going down this route and buying, say, 100 fingerprint sensors at £80 each, is already taking on a substantial expense before replacement and setup costs are taken into account – so there is no way a B2C business such as a financial services provider could offer similar devices on the scale needed to support their end user population. But now people are carrying around their own hardware with the ability to identify fingerprints — hardware that works well and that developers can easily integrate into applications.

The introduction of Apple’s Touch ID was undoubtedly a watershed moment for biometrics. It made what was previously a novelty an integrated part of an Apple device, with all of the user-friendliness that this implied. The opening up of Touch ID to third party applications in 2014, plus the development of Android’s fingerprint scanner - as featured on Samsung’s and Google’s own devices – meant that application developers looking for a simple and secure way to provide access suddenly had it. All of a sudden it was possible for consumers to have the convenience they want with the security they need.

Along with the security of biometrics, there are additional benefits – consumers may forget their PINs and passwords but they rarely – if ever – forget their fingers. Customer support issues can drop dramatically if logins are possible with a single press. Finally, the customer experience when logging in with a simple touch will always be superior to logging in with a password, not to mention processes that require complex passwords or answers to personalized security questions.

A fortress built on sand

Biometrics also has the advantage of being a second factor when combined with the possession of a mobile device, making two-factor authentication possible for use in regulated markets.

Two-factor authentication has become one of the biggest issues in fintech, thanks to PSD2 regulation. Any business that processes transactions over €30 will need to implement Strong Customer Authentication – which is essentially two-factor (at least) authentication. Businesses that find that they fall into this category will need to offer simple, user-friendly 2FA or work with a payment provider that can do so. Otherwise they will risk abandoned transactions.

However, the use of biometrics does not necessarily mean that two-factor authentication is taking place. Many application developers have adopted approaches that do not integrate biometric capabilities into the overall identity solution, and instead rely on password-based authentication “under the covers.”

The many problems with passwords are well understood. Users often make poor password choices, forget or mishandle their passwords, or re-use them across multiple sites and applications. Even the most conscientious password users are subject to attacks including phishing, man-in-the-middle attacks and mobile malware.

Building a biometric authentication system on top of passwords is, in effect, building a fortress on sand. Passwords are inherently insecure and a poor foundation for authentication.

Good vs bad biometrics

One common example of this bad biometric technique is related to the use of Apple’s keychain. The keychain stores passwords securely; when it is unlocked by a fingerprint, the stored password is sent to the service requesting it. There are advantages to this over the usual password process – the password can be complex and unique, as it doesn’t have to be regularly entered by the user.

But the authentication process remains essentially password based. Almost every vulnerability in password authentication is still present, such as the risk of brute forcing the password, phishing, and man-in-the-middle attacks. Biometrics here is just a façade that serves to hide this vulnerability from the user.

So if this is “bad” biometrics, what makes for “good” biometrics?

In order to be truly secure, biometrics need to be fully integrated into the authentication process. Instead of unlocking a password, there needs to be a direct secure channel from the device to the server, constructed cryptographically using biometric data. This avoids the need for passwords altogether and can authenticate both the device and the fingerprint, meaning that two-factor authentication is possible.

Phishing is no longer possible and data breaches elsewhere are no longer useful as a way to guess the user’s password. Man-in-the-middle attacks can’t happen, as the attacker will not be able to access the secure channel, and malware that records the screen or keypresses no longer captures anything useful.
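The contrast between the two designs described above (the keychain-unlocks-a-password pattern and the device-bound cryptographic channel) is easier to see when both are modelled side by side. The following is an added example written for this post, not code from Encap Security or from any platform SDK. It simplifies the "good" design to a per-device secret that is released only after the biometric check and that answers a one-time server challenge bound to the server's identity; real implementations use an asymmetric key held in secure hardware, but a keyed HMAC from the Python standard library is enough to show the properties the text describes. All names, users, and the "fingerprint" strings are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed sample values for this demonstration; nothing here is a real credential.
SERVER_ID = b"bank.example"       # identity of the genuine service
ENROLLED_FINGER = "alice-finger"  # stand-in for the enrolled biometric template


def fingerprint_matches(sample: str) -> bool:
    """Stand-in for the OS biometric prompt. The real match happens inside the
    secure hardware; this model only returns matched / not matched."""
    return hmac.compare_digest(sample.encode(), ENROLLED_FINGER.encode())


class PasswordScheme:
    """'Bad' biometrics: the fingerprint merely unlocks a stored password, and
    that password is what crosses the wire and what the server checks."""

    def __init__(self):
        self.keychain = {"alice": b"correct horse battery staple"}  # on the device
        self.pw_hashes = {"alice": hashlib.sha256(self.keychain["alice"]).hexdigest()}  # on the server

    def device_message(self, user: str, finger: str) -> dict:
        if not fingerprint_matches(finger):
            raise PermissionError("biometric check failed")
        return {"user": user, "password": self.keychain[user]}  # the secret itself is sent

    def server_verify(self, msg: dict) -> bool:
        stored = self.pw_hashes.get(msg["user"])
        return stored is not None and hmac.compare_digest(
            stored, hashlib.sha256(msg["password"]).hexdigest())


class DeviceKeyScheme:
    """'Good' biometrics: a per-device secret, released only after the biometric
    check, answers a one-time server challenge bound to the server's identity.
    The secret never leaves the device."""

    def __init__(self):
        self.device_secret = secrets.token_bytes(32)         # lives in device secure storage
        self.server_secrets = {"alice": self.device_secret}  # server copy, set at enrolment
        self.outstanding = {}                                # user -> unused nonce

    def server_challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding[user] = nonce
        return nonce

    def device_message(self, user: str, finger: str, nonce: bytes,
                       peer_id: bytes = SERVER_ID) -> dict:
        if not fingerprint_matches(finger):
            raise PermissionError("biometric check failed")
        # The tag commits to the nonce AND to the identity of the peer the device
        # believes it is talking to, so it can be neither replayed nor relayed.
        tag = hmac.new(self.device_secret, peer_id + nonce, hashlib.sha256).digest()
        return {"user": user, "nonce": nonce, "tag": tag}

    def server_verify(self, msg: dict) -> bool:
        nonce = self.outstanding.pop(msg["user"], None)      # each nonce is single use
        if nonce is None or nonce != msg["nonce"]:
            return False
        expected = hmac.new(self.server_secrets[msg["user"]],
                            SERVER_ID + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, msg["tag"])


def password_replay() -> tuple:
    """A message captured once (MITM, malware, phishing page) keeps working."""
    s = PasswordScheme()
    captured = s.device_message("alice", ENROLLED_FINGER)
    return s.server_verify(captured), s.server_verify(captured)


def device_key_replay() -> tuple:
    """The same capture against the challenge-response scheme works once at most."""
    s = DeviceKeyScheme()
    captured = s.device_message("alice", ENROLLED_FINGER, s.server_challenge("alice"))
    return s.server_verify(captured), s.server_verify(captured)


def device_key_relay() -> bool:
    """A phishing site relays the genuine nonce to the victim; the tag comes back
    bound to the phisher's identity and the genuine server rejects it."""
    s = DeviceKeyScheme()
    nonce = s.server_challenge("alice")  # obtained by the phisher from the real server
    relayed = s.device_message("alice", ENROLLED_FINGER, nonce, peer_id=b"phish.example")
    return s.server_verify(relayed)


def wrong_finger_rejected() -> bool:
    """The device secret is never used unless the biometric check passes."""
    s = DeviceKeyScheme()
    try:
        s.device_message("alice", "mallory-finger", s.server_challenge("alice"))
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print("password scheme, replay of captured message:", password_replay())
    print("device-key scheme, replay of captured message:", device_key_replay())
    print("device-key scheme, relayed through phishing site:", device_key_relay())
```

Running the script shows the point of the post in three lines: in the password scheme a captured login message verifies every time it is resent, because the fingerprint protected only the device-side copy of a secret that still has to travel to the server; in the device-key scheme the same capture verifies once and then never again, and a response obtained by a relaying phishing site fails outright because the device bound it to the wrong peer. The design check to carry into a real integration is therefore not "does the app prompt for a fingerprint?" but "what leaves the device after the prompt, and would it still be useful to someone who recorded it?"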

Anyone integrating device biometrics needs to adopt these best practices as soon as possible. If they do not, then they are not only failing to genuinely improve their customers’ security, but creating a dangerous illusion that they are providing better security. Consumers understand the vulnerabilities of passwords more than they used to, and therefore, by hiding passwords behind a façade, businesses are failing to protect their customers and may in the long run undermine the trust those consumers place in biometrics.