Fingerprint authentication for mobile finance moves closer with FIDO
Widespread use of fingerprint authentication for financial transactions on mobile devices could start taking off from early next year as Bank of America, Wells Fargo, Google, Samsung, Lenovo, Microsoft, Alipay and others adopt a new authentication standard through their joint project, the FIDO Alliance, which has just published its specifications and launched its first server.
FIDO is a non-profit consortium of 150 companies, which aims to create a common standard for authentication on mobile devices. The idea is to reduce the reliance on usernames and passwords and replace them with biometrics. The service has already been launched on PayPal and Alipay and is available on Android, with the Samsung Galaxy S5 being one of the first phones to support it.
“Today, we celebrate an achievement that will define the point at which the old world order of passwords and PINs started to wither and die,” said Michael Barrett, president of the FIDO Alliance. “FIDO Alliance pioneers can forever lay claim to ushering in the ‘post password’ era, which is already revealing new dimensions in Internet services and digital commerce.”
According to Phil Dunkelberger, co-founder of FIDO and chief executive at Nok Nok Labs, the new standard will be used to allow mobile devices to communicate with a back-end server, which will then work out how best to authenticate the user. The system works via a pair of keys: a private key held on the device and a public key held by the server. On its own, the public key held by the server is unusable without the private key on the device. Dunkelberger added that the FIDO-enabled authentication is aimed at customers using mobile bank apps and other financial services such as mobile billing.
“The server will ask the device if it is FIDO-enabled,” he said. “The device will reply and let the server know that it has a fingerprint sensor [for example]. The server will then accept and register that authentication to that device. The next time the user logs in, they won’t need a password – they will merely be asked to swipe their finger.”
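The registration-then-challenge exchange Dunkelberger describes, as an added Go example that is not FIDO Alliance or Nok Nok Labs code. It assumes Ed25519 signatures, one registered device per user, an application identifier string that is bound into every signed message, and a boolean standing in for the on-device fingerprint match; the user, app and key names are constructed. Real FIDO UAF assertions carry further fields such as a signature counter, which are left out here. The point it demonstrates is the one in the article: the server stores only the public key, a fresh challenge is signed on the device after local verification, and a stolen server record or a replayed assertion is useless.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Server holds, per user, only the public key sent at registration plus any
// outstanding challenge. Nothing stored here can sign on the user's behalf.
type Server struct {
	appID      string                       // relying party identity bound into every assertion
	registered map[string]ed25519.PublicKey // user ID -> registered public key (one device per user)
	pending    map[string][]byte            // user ID -> challenge awaiting an answer
}

func NewServer(appID string) *Server {
	return &Server{
		appID:      appID,
		registered: make(map[string]ed25519.PublicKey),
		pending:    make(map[string][]byte),
	}
}

// Device models the authenticator. The private key is generated on the
// device at registration and never leaves it.
type Device struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

func NewDevice() (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv, pub: pub}, nil
}

// PublicKey is the only key material the device ever sends to the server.
func (d *Device) PublicKey() ed25519.PublicKey { return d.pub }

// assertionMessage binds the app ID and the challenge together, so an
// assertion produced for one relying party is not valid at another.
func assertionMessage(appID string, challenge []byte) []byte {
	return append([]byte(appID+"|"), challenge...)
}

// Sign releases a signature only after the local user check succeeds.
// fingerprintMatched stands in for the on-device biometric match; the
// biometric itself is never transmitted.
func (d *Device) Sign(appID string, challenge []byte, fingerprintMatched bool) ([]byte, error) {
	if !fingerprintMatched {
		return nil, errors.New("local user verification failed")
	}
	return ed25519.Sign(d.priv, assertionMessage(appID, challenge)), nil
}

// Register records the device's public key for the user.
func (s *Server) Register(user string, pub ed25519.PublicKey) {
	s.registered[user] = pub
}

// Challenge issues a fresh random nonce for one login attempt.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.registered[user]; !ok {
		return nil, errors.New("no FIDO registration for user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[user] = c
	return c, nil
}

// Verify accepts the login only if the signature covers the challenge this
// server issued, under the key registered for this user. The challenge is
// consumed on first use, so a captured assertion cannot be replayed.
func (s *Server) Verify(user string, challenge, sig []byte) bool {
	pub, ok := s.registered[user]
	if !ok {
		return false
	}
	expected, ok := s.pending[user]
	if !ok || !bytes.Equal(expected, challenge) {
		return false
	}
	delete(s.pending, user)
	return ed25519.Verify(pub, assertionMessage(s.appID, challenge), sig)
}

func main() {
	srv := NewServer("bank.example") // constructed relying party name
	dev, err := NewDevice()
	if err != nil {
		panic(err)
	}
	srv.Register("alice", dev.PublicKey()) // registration: only the public key crosses the network

	challenge, _ := srv.Challenge("alice")             // login: server issues a challenge
	sig, _ := dev.Sign(srv.appID, challenge, true)     // device signs after the fingerprint match
	fmt.Println("first login accepted:", srv.Verify("alice", challenge, sig))
	fmt.Println("replayed assertion accepted:", srv.Verify("alice", challenge, sig))
}
```

The server never sees the fingerprint or the private key, so a compromise of the registration database yields public keys only; the single-use challenge is what stops a recorded assertion from being submitted twice.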
According to Verizon’s Data Breach Investigations Report, weak or stolen login credentials were a factor in more than 76% of the breaches analysed. Along with Verizon, Ponemon Research and PwC report that the volume and severity of data breaches are continuing to rise, with centralised datasets of personal and sensitive information being the most targeted and the most vulnerable to scaled attacks. Designed to address some of the risk inherent in the current system of passwords, the FIDO specifications define an open, scalable, interoperable set of authentication mechanisms that are meant to reduce the reliance on single-factor username and password login.
The specifications outline a new standard for devices, servers and client software, including browsers, browser plugins and native app subsystems. According to the FIDO Alliance, any website or cloud application can interface with a variety of existing and future FIDO-enabled authenticators, ranging from biometrics to hardware tokens, to be used by consumers, enterprises, service providers, governments and organisations of all types. While the core 1.0 specifications are final, the FIDO Alliance is nearing completion of extensions that will incorporate NFC and Bluetooth into its capabilities.
“Early in 2015 you can expect to see widespread adoption,” said Dunkelberger. “This is a great way of improving the ease of use and the security at the same time – two objectives which had previously been contradictory, but can now be safely resolved to provide a better experience for the end user.”
Fingerprint authentication is a key element in the design of Apple Pay, which also has the support of major US banks and card schemes.