July 8, 2015 -
With the various means by which attackers can steal passwords, account breaches have become commonplace. This has caused many organizations to look towards two-factor authentication and biometrics to restore safety to users. However, Sonavation COO Bob Stewart says that organizations too often implement these authentication procedures only to open up new security holes.
Early this year Sonavation unveiled IDKey, a fingerprint scanner that uses ultrasound technology. It is able to capture a traditional fingerprint impression but also see underneath the fingerprint to map microvasculature, bone structure, and tissue density, providing multi-factor biometric authentication all at once.
Stewart says IDKey is the first technology of its kind to deliver this detailed imaging and be able to be produced economically on a mass scale, and with government-grade security and encryption. He says that every major smartphone manufacturer has been looking at IDKey as a multi-factor authentication solution, because the current solutions present some very significant vulnerabilities.
Apple’s security shows the flaws of password-dependent two-factor authentication
Stewart says the launch of Touch ID was “really about marketing.” He continued, “Security wasn’t foremost in their minds when they started rolling out these solutions. So it’s really a biometrics solution bolted on top of a password based solution set.”
Based on patents filed last year, it appears that Apple is, in fact, trying to add multimodal fingerprint scanning using a two-dimensional array of sensors as a way to decrease its reliance on passwords. Other manufacturers, such as Samsung with its “KNOX” project, are also investigating multi-factor biometric authentication.
While Touch ID has made it easier for people to use biometrics, and has encouraged more people to protect their phones, it includes security flaws that leave users vulnerable to targeted attacks, database breaches, and, perhaps most notably, a password recovery process that strips away security.
Passwords present a huge vulnerability
With our reliance on passwords, forgetting passwords has also become common. And the process we go through to recover lost passwords is often flawed. At least when it comes to iPhone recovery, two-factor authentication is bypassed. “All you have to do is reboot the iPhone you have in your pocket, and the first thing it asks you to do is add a password in order to unlock the biometric chipstores. After you enter the password, you can go back to using your fingerprint. But it’s predicated on using your password.”
Getting that password can be easy because Apple’s displays show each character for a split second as the password is typed. For instance, if your dog’s name is Rover, you can see the characters “R-O-V-E-R” before they’re quickly covered up. A high-speed camera over the user’s shoulder should easily reveal the password no matter how quickly it is typed.
And it’s not just iPhones. The recovery process for various devices and services remains a massive vulnerability, especially when it comes to recovery questions like the breed of your first childhood dog, or the name of your third-grade English teacher. The answers to these questions can be stolen and decrypted, giving an attacker a potentially unique piece of information they can use to impersonate you.
Account takeover can also happen through deliberately implanted technology flaws that introduce a “backdoor” letting criminals access these devices. Stewart says he has heard of many instances of organized crime schemes to access phones and install software before they reach the consumer, including infiltrating production supply chains and intercepting phones during shipment.
Life after passwords is possible, and more secure
Passwords and PINs are also easily stolen through compromised databases, malware-infected systems, and fraudulent websites made to look like the intended site to steal login information.
This has led the FIDO Alliance to adopt the Universal Authentication Framework (UAF) protocol, which allows users to replace passwords with locally connected devices that take a fingerprint, facial or voice biometric reading. “The UAF idea is to literally eliminate the username and password,” Stewart says.
IDKey takes this further, providing not just one biometric reading, but a multi-factor impression. “Just touching our sensor is multi-factor in and of itself,” he says. “Not one, not two, but three factor authentication with a small, inexpensive, single-touch device.”
Fingerprints are becoming public keys, and additional biometric data are private keys
The fingerprint is very unique, but it isn’t necessarily private. Fingerprints are often collected by law enforcement and border security, and fingerprints can be taken from surfaces touched by an individual. This means that the fingerprint can be used to identify the individual – almost like a name or user ID. Another more secure key should be used to unlock
“The fingerprint today is like the public key – but my inner print can be used as the private key to decrypt.”
In essence, the fingerprint can be thought of as a username in a system, and the additional biometric data is an incredibly complex password that could include tissue, bone and microvasculature data.
This eliminates the need to remember complex login information, as well as the need to recover an account when the user forgets their password.
With the fingerprint as the public key, it can be used for federation across different systems.
Building uniqueness into the sensor itself as a counter-spoofing measure
Fingerprints or facial recognition can potentially be insecure given that someone could “dust” for fingerprints or capture a face with a camera, and use this information to spoof biometric systems. A fingerprint or a person’s facial features are essentially out in the open, meaning there are obvious problems using these biometric indicators to replace passwords.
One of the unique things about IDKey is that the sensor transducer (which translates the analog sound data into digital information) is manufactured by a mechanical process that grinds ceramic material to the appropriate thickness with diamond blades.
“That analog sensor actually has a uniqueness to it from its manufacturing… that means that every sensor itself has its own unique fingerprint and that is what is called a PUF or physically unclonable function. You can’t go ahead and make another sensor exactly like the one next to it,” he says.
“They’re all as unique as peoples’ DNA.”
This also means that the information captured by IDKey isn’t part of the public record: it differs from one IDKey unit to the next, and enrollment creates a key unique to the pairing of the individual and the unit. The units themselves carry signed security certificates to prove that they are authentic.
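As an added illustration (not Sonavation’s code or protocol; the per-unit secret, sample readings and all names are constructed), here is a toy Python model of the scheme described in the fingerprint-as-public-key section and in this one: the fingerprint only identifies the account, the inner print is the secret, the enrollment binding is keyed to one unit, and an optional password fallback path shows how the override Stewart warns about makes the biometric factors irrelevant.

```python
import hashlib
import hmac
import secrets

# Toy model (added illustration, not Sonavation's design): the fingerprint is a
# public identifier, the sub-surface "inner print" is the secret, and a per-unit
# secret stands in for the sensor's PUF, so the enrollment binding is unique to
# one person on one unit. Readings are exact bytes here; real sensors are noisy.

def fingerprint_id(fingerprint: bytes) -> str:
    # Public part: names the account, proves nothing by itself.
    return hashlib.sha256(fingerprint).hexdigest()
def password_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class BiometricAuthenticator:
    def __init__(self, sensor_secret: bytes, allow_password_fallback: bool = False):
        self.sensor_secret = sensor_secret      # hypothetical PUF-derived key
        self.allow_password_fallback = allow_password_fallback
        self.records = {}                       # fingerprint id -> record

    def _binding(self, inner_print: bytes) -> bytes:
        # Secret part keyed with this unit's secret: the same record copied to
        # another unit, or a lifted fingerprint alone, verifies nothing.
        return hmac.new(self.sensor_secret, inner_print, hashlib.sha256).digest()

    def enroll(self, fingerprint: bytes, inner_print: bytes, password=None) -> str:
        fp_id = fingerprint_id(fingerprint)
        record = {"binding": self._binding(inner_print)}
        if password is not None:                # stored only if a fallback is wanted
            salt = secrets.token_bytes(16)
            record["pw"] = (salt, password_hash(password, salt))
        self.records[fp_id] = record
        return fp_id

    def verify(self, fingerprint: bytes, inner_print=None, password=None) -> bool:
        record = self.records.get(fingerprint_id(fingerprint))
        if record is None:
            return False
        if inner_print is not None and hmac.compare_digest(record["binding"], self._binding(inner_print)):
            return True
        # Password override path the article warns about: when enabled, the
        # password alone unlocks the account and the biometrics add nothing.
        if self.allow_password_fallback and password is not None and "pw" in record:
            salt, stored = record["pw"]
            return hmac.compare_digest(stored, password_hash(password, salt))
        return False
# Constructed sample readings (not real biometric data).
FINGERPRINT = b"ridge-pattern-sample-001"
INNER_PRINT = b"vascular+bone+density-sample-001"
```

Copying an enrolled record to a unit with a different secret fails verification, which is the user-to-unit binding the section describes; enabling the fallback makes the password alone sufficient.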
IDKey multi-factor authentication will likely come to mobile devices in the coming years
Stewart says that up until now, biometrics has largely been something that was layered onto an existing system, often combined with a password, to increase the veracity of the credential being presented. However, these systems have vulnerabilities – especially when allowing passwords to override otherwise multi-factor authentication.
The IDKey multi-factor biometrics solution seems to be what many device manufacturers are looking for, but such a solution requires a bit more sophistication than the biometrics currently implemented in consumer devices.
“Our challenge is supply chain, because it’s not like we can just pump these things out through a silicon fab,” says Stewart. On the implementation front, however, he notes, “You are absolutely going to hear announcements throughout 2016 and beyond.”
With account breaches as common as they are, the rollout of multi-factor authentication on mobile devices is desperately needed.
“We’re really focused on how to create a system that provides trust, and then gives people back their digital peace of mind,” Stewart says. “That’s the mission that drives us, and we actually have our hands on technology that can make people safe.”