Biometric tokenization is the process of substituting a stored biometric template with a non-sensitive equivalent, called a token, that lacks extrinsic or exploitable meaning or value. The process combines the biometrics with public-key cryptography to enable the use of a stored biometric template (e.g., fingerprint image on a mobile or desktop device) for secure or strong authentication to applications or other systems without presenting the template in its original, replicable form.
Biometric tokenization in particular builds upon the longstanding practice of tokenization for sequestering secrets in this manner by having the secret, such as user credentials like usernames and passwords or other Personally Identifiable Information (PII), be represented by a substitute key in the public sphere.
The technology is most closely associated with authentication to online applications such as those running on desktop computers, mobile devices, and Internet of Things (IoT) nodes. Specific use cases include secure login, payments, physical access, management of smart, connected products such as connected homes and connected cars, as well as adding a biometric component to two-factor authentication and multi-factor authentication.
With the September 9, 2014 launch of its Apple Pay service, [1] Cupertino, Calif.-based Apple, Inc. initiated the conversation surrounding the use of biometric-supported tokenization of payment data for point-of-sale retail transactions. Apple Pay tokenizes mobile users’ virtualized bank card data in order to wirelessly transmit a payment, represented as a token, to participating retailers that support Apple Pay (e.g. through partnerships and supported hardware). Apple Pay leverages its proprietary Touch ID fingerprint scanner on its proprietary iPhone line with, aside from cryptography, the added security of its Apple A7 system on a chip, which includes a Secure Enclave hardware feature that stores and protects the data from the Touch ID fingerprint sensor. Apple Pay, then, at least for payments, is credited with innovating in the space of biometric tokenization, even if the use case was limited to payment convenience and security and restricted to the company’s own hardware and software, and despite the fact that executives did not publicly utter the phrase “biometric tokenization” or speak about the underlying technology.
While biometric tokenization and Apple Pay are similar, biometric tokenization as it is known today, and particularly under that exact term, is an authentication feature that goes beyond payment convenience and security. Another distinctive feature is that biometric tokenization can be implemented on other operating systems, such as OSX, Microsoft Windows and Google Android, for password-less login to desktop and mobile applications.
Biometric tokenization, like its non-biometric counterpart, tokenization, utilizes end-to-end encryption to safeguard data in transit. With biometric tokenization, a user initiates his or her authentication first by accessing or unlocking biometrics such as fingerprint recognition, facial recognition system, speech recognition, iris recognition or retinal scan, or a combination of these biometric modalities. The user’s unique qualities are generally stored in one of two ways: either on-device in a trusted execution environment (TEE) or trusted platform module (TPM), or on a server the way other data are stored.
Biometric tokenization champions typically prefer biometric templates to be encrypted and stored in TEEs or TPMs so as to prevent large-scale data breaches such as the June 2015 U.S. Office of Personnel Management breach. Biometric tokenization, when aided by on-device storage of user data, can also preserve internet privacy because user data are stored individually inside single devices rather than aggregated on ostensibly vulnerable servers. Moving biometric user credentials, whether for two-factor authentication or unqualified authentication, off of servers and onto devices is a tenet of the Fast Identity Online (FIDO) Alliance, [2] an industry consortium concerned with replacing passwords with decentralized biometrics.
The next step in biometric tokenization, after the unlocking of user credentials in the trusted area of their device, is for the credentials to be tokenized, with the token containing the precise data required for the action (e.g. login or payment). This access token may or may not be time-stamped, as one-time passwords or session tokens are, so as to be useful only for a specific time period. With biometric tokenization this token is then validated by means of joint client-side and server-side validation, which occurs through a challenge-response token exchange. The user is then logged in, authenticated, or otherwise granted access.
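The challenge-response exchange described above can be sketched as follows. This is an added example, not code from any product named on this page: it assumes Ed25519 signatures from Node's built-in `crypto` module, and the names `enrollDevice`, `Server`, `biometricOk` and the 30-second validity window are hypothetical. The private key sits in ordinary memory here, standing in for one held in a TEE or TPM.

```javascript
// Added example: signed, time-stamped token validated by challenge-response.
const crypto = require('crypto');

// Device side. The private key stands in for one sealed in a TEE/TPM; it is
// only usable after a local biometric match (simulated by biometricOk).
function enrollDevice() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const sign = (challenge, action, biometricOk, now = Date.now()) => {
    if (!biometricOk) return null; // no match: the key stays locked
    const payload = JSON.stringify({ challenge, action, iat: now });
    const sig = crypto.sign(null, Buffer.from(payload), privateKey);
    return { payload, sig: sig.toString('base64') };
  };
  return { publicKey, sign }; // only the public key ever leaves the device
}

// Server side: holds public keys and pending challenges, never a template.
class Server {
  constructor(maxAgeMs = 30000) {
    this.keys = new Map(); this.pending = new Map(); this.maxAgeMs = maxAgeMs;
  }
  register(user, publicKey) { this.keys.set(user, publicKey); }
  issueChallenge(user) {
    const c = crypto.randomBytes(32).toString('base64');
    this.pending.set(user, c);
    return c;
  }
  verify(user, token, action, now = Date.now()) {
    const key = this.keys.get(user), expected = this.pending.get(user);
    this.pending.delete(user); // single use: a replay finds nothing pending
    if (!key || !expected || !token) return 'rejected: no key, challenge or token';
    const ok = crypto.verify(null, Buffer.from(token.payload), key,
      Buffer.from(token.sig, 'base64'));
    if (!ok) return 'rejected: bad signature'; // parse only after this check
    const p = JSON.parse(token.payload);
    if (p.challenge !== expected) return 'rejected: wrong challenge';
    if (p.action !== action) return 'rejected: wrong action';
    if (p.iat > now || now - p.iat > this.maxAgeMs) return 'rejected: stale token';
    return 'ok';
  }
}

// Constructed run: enrol, challenge, sign after a biometric match, verify.
const device = enrollDevice();
const server = new Server();
server.register('alice', device.publicKey);
const token = device.sign(server.issueChallenge('alice'), 'login', true);
console.log(server.verify('alice', token, 'login'));
```

The server rejects a replayed token, a token older than the window, and a token whose payload was altered after signing, without ever receiving the biometric template.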
In order to achieve the highest level of privacy and protection when calculating and transmitting sensitive information, biometric tokenization leverages existing encryption algorithms, authentication protocols, as well as hardware trust zones. Combining some or all of these methods maximizes the level of protection needed to uphold the integrity of the process and security of data that could otherwise expose users to a breach of trust on a mass scale.
An authenticator is a means used to confirm a user's identity, that is, to perform digital authentication. A person authenticates to a computer system or application by demonstrating that he or she has possession and control of an authenticator. In the simplest case, the authenticator is a common password.
Authentication is the act of proving an assertion, such as the identity of a computer system user. In contrast with identification, the act of indicating a person or thing's identity, authentication is the process of verifying that identity. It might involve validating personal identity documents, verifying the authenticity of a website with a digital certificate, determining the age of an artifact by carbon dating, or ensuring that a product or document is not counterfeit.
Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems.
A one-time password (OTP), also known as a one-time PIN, one-time passcode, one-time authorization code (OTAC) or dynamic password, is a password that is valid for only one login session or transaction, on a computer system or other digital device. OTPs avoid several shortcomings that are associated with traditional (static) password-based authentication; a number of implementations also incorporate two-factor authentication by ensuring that the one-time password requires access to something a person has as well as something a person knows.
A security token is a peripheral device used to gain access to an electronically restricted resource. The token is used in addition to, or in place of, a password. Examples of security tokens include wireless key cards used to open locked doors, a banking token used as a digital authenticator for signing in to online banking, or signing transactions such as wire transfers.
A software token is a piece of a two-factor authentication security device that may be used to authorize the use of computer services. Software tokens are stored on a general-purpose electronic device such as a desktop computer, laptop, PDA, or mobile phone and can be duplicated.
A password manager is a computer program that allows users to store and manage their passwords for local applications or online services such as web applications, online shops or social media. A web browser generally has a built-in version of a password manager. These have been criticized frequently as many have stored the passwords in plaintext, allowing hacking attempts.
Disk encryption is a technology which protects information by converting it into code that cannot be deciphered easily by unauthorized people or processes. Disk encryption uses disk encryption software or hardware to encrypt every bit of data that goes on a disk or disk volume. It is used to prevent unauthorized access to data storage.
There are a number of security and safety features new to Windows Vista, most of which are not available in any prior Microsoft Windows operating system release.
Electronic authentication is the process of establishing confidence in user identities electronically presented to an information system. Digital authentication, or e-authentication, may be used synonymously when referring to the authentication process that confirms or certifies a person's identity and works. When used in conjunction with an electronic signature, it can provide evidence of whether data received has been tampered with after being signed by its original sender. Electronic authentication can reduce the risk of fraud and identity theft by verifying that a person is who they say they are when performing transactions online.
Password fatigue is the feeling experienced by many people who are required to remember an excessive number of passwords as part of their daily routine, such as to log in to a computer at work, undo a bicycle lock or conduct banking from an automated teller machine. The concept is also known as password chaos, or more broadly as identity chaos.
Pre-boot authentication (PBA) or power-on authentication (POA) serves as an extension of the BIOS, UEFI or boot firmware and guarantees a secure, tamper-proof environment external to the operating system as a trusted authentication layer. The PBA prevents anything being read from the hard disk such as the operating system until the user has confirmed they have the correct password or other credentials including multi-factor authentication.
Multi-factor authentication is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence to an authentication mechanism. MFA protects personal data—which may include personal identification or financial assets—from being accessed by an unauthorized third party that may have been able to discover, for example, a single password.
A trusted execution environment (TEE) is a secure area of a main processor. It helps the code and data loaded inside it be protected with respect to confidentiality and integrity. Data confidentiality prevents unauthorized entities from outside the TEE from reading data, while code integrity prevents code in the TEE from being replaced or modified by unauthorized entities, which may also be the computer owner itself as in certain DRM schemes described in Intel SGX.
Touch ID is an electronic fingerprint recognition feature designed and released by Apple Inc. that allows users to unlock devices, make purchases in the various Apple digital media stores, and authenticate Apple Pay online or in apps. It can also be used to lock and unlock password-protected notes on iPhone and iPad. Touch ID was first introduced in iPhones with the iPhone 5s in 2013. In 2015, Apple introduced a faster second-generation Touch ID in the iPhone 6s; a year later in 2016, it made its laptop debut in the MacBook Pro integrated on the right side of the Touch Bar. Touch ID has been used on all iPads since the iPad Air 2 was introduced in 2014. In MacBooks, each user account can have up to three fingerprints, and a total of five fingerprints across the system. Fingerprint information is stored locally in a secure enclave on the Apple A7 and later chips, not in the cloud, a design choice intended to secure fingerprint information from users or malicious attackers.
The FIDO Alliance is an open industry association launched in February 2013 whose stated mission is to develop and promote authentication standards that "help reduce the world’s over-reliance on passwords". FIDO addresses the lack of interoperability among devices that use strong authentication and reduces the problems users face creating and remembering multiple usernames and passwords.
Web Authentication (WebAuthn) is a web standard published by the World Wide Web Consortium (W3C). WebAuthn is a core component of the FIDO2 Project under the guidance of the FIDO Alliance. The goal of the project is to standardize an interface for authenticating users to web-based applications and services using public-key cryptography. WebAuthn credentials are sometimes referred to as passkeys.
Bitwarden is a freemium open-source password management service that is used to store sensitive information, such as website credentials, in an encrypted vault. The platform hosts multiple client applications, including a web interface, desktop applications, browser extensions, mobile apps, and a command-line interface. The platform offers a free US or European cloud-hosted service as well as the ability to self-host.
Passwordless authentication is an authentication method in which a user can log in to a computer system without entering a password or any other knowledge-based secret. In most common implementations users are asked to enter their public identifier and then complete the authentication process by providing a secure proof of identity through a registered device or token.
The iOS operating system utilizes many security features in both hardware and software, from the boot process to biometrics.