By Joel Snyder
To unlock their mobile devices more simply, users are now favoring biometric authentication, such as fingerprint sensors, which also reduce the cognitive burden of remembering multiple long passwords.
Proper use of biometrics increases security, too. Passwords are easy to steal; faking biometrics is much more difficult. The technology is ideal for providing role-based access controls — and a high level of trust for business users.
Here’s a detailed look at how biometrics work, how data encryption fits in and what business leaders should look for to maintain strong security while delivering the convenience users want:
How biometrics work
Unlike passwords or PINs, biometrics aren’t saved in the network or passed around between devices and servers. Instead, biometrics protect other authentication information — usually a digital certificate or private key — and it’s this protected information that is actually used to verify the user.
Android v6 (“Marshmallow”) introduced a standardized API for biometrics, focusing on fingerprint readers. Since then, a new biometric authentication API has been introduced to replace it. The update, introduced in Android v8 (“Oreo”), provides a more flexible and varied foundation for supporting both fingerprint and non-fingerprint methods of biometric authentication, including nonstandard biometric options with third-party apps. As a result, companies looking to leverage biometric authentication can depend on a common set of services, high-level security and a consistent user experience across all platforms.
In the Android OS, fingerprint biometrics are required to be stored in the Trusted Execution Environment (TEE), where the information is encrypted and kept in a separate part of the smartphone, completely inaccessible to the regular OS. It can’t even be exported. Android can ask the TEE to verify a user’s identity using biometrics, but it can’t extract the biometric information. In other words, when the user stores their biometric information, such as a fingerprint, they’re not sharing that information outside of their own smartphone or tablet; they’re just establishing a way to identify themselves to their device.
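The pattern described above, a biometric check gating a private key that never leaves the TEE, looks like this in app code. This is an added illustration, not code from the article or from Samsung or Google; it uses the Android Keystore and the AndroidX BiometricPrompt library, and the key alias, prompt strings and the server challenge are assumed placeholders.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import androidx.biometric.BiometricManager;
import androidx.biometric.BiometricPrompt;
import androidx.core.content.ContextCompat;
import androidx.fragment.app.FragmentActivity;
import java.security.*;
import java.security.spec.ECGenParameterSpec;
import java.util.function.Consumer;

public final class BiometricSigner {
    private static final String ALIAS = "enterprise-login-key"; // hypothetical key alias

    // Enrollment: generate a hardware-backed EC key. The private half stays in the TEE and
    // the Keystore refuses to use it until the user passes a strong biometric check.
    public static void enroll() throws Exception {
        KeyGenParameterSpec spec = new KeyGenParameterSpec.Builder(ALIAS, KeyProperties.PURPOSE_SIGN)
                .setAlgorithmParameterSpec(new ECGenParameterSpec("secp256r1"))
                .setDigests(KeyProperties.DIGEST_SHA256)
                .setUserAuthenticationRequired(true)        // every use needs fresh user auth
                .setInvalidatedByBiometricEnrollment(true)  // adding a fingerprint voids the key
                .build();
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore");
        kpg.initialize(spec);
        kpg.generateKeyPair(); // only the public key is exported and registered with the service
    }

    // Login: sign a server-issued challenge. The Signature is wrapped in a CryptoObject so the
    // TEE completes the operation only after the sensor confirms the user; the key never leaves.
    public static void signChallenge(FragmentActivity activity, byte[] challenge,
                                     Consumer<byte[]> onSigned) throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        Signature sig = Signature.getInstance("SHA256withECDSA");
        sig.initSign((PrivateKey) ks.getKey(ALIAS, null)); // binds the key; no biometric yet
        BiometricPrompt.PromptInfo info = new BiometricPrompt.PromptInfo.Builder()
                .setTitle("Confirm sign-in").setNegativeButtonText("Cancel")
                .setAllowedAuthenticators(BiometricManager.Authenticators.BIOMETRIC_STRONG)
                .build();
        BiometricPrompt prompt = new BiometricPrompt(activity, ContextCompat.getMainExecutor(activity),
                new BiometricPrompt.AuthenticationCallback() {
                    @Override public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult r) {
                        try {
                            Signature s = r.getCryptoObject().getSignature(); // unlocked by the TEE
                            s.update(challenge);
                            onSigned.accept(s.sign()); // DER ECDSA signature, verified server-side
                        } catch (Exception e) { onSigned.accept(null); }
                    }
                });
        prompt.authenticate(info, new BiometricPrompt.CryptoObject(sig));
    }
}
```

The service verifies the returned signature against the public key registered at enrollment, so the biometric itself is never transmitted; this challenge-signing pattern is also what the FIDO standards discussed below build on.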
Implementing biometrics in the enterprise
Fingerprint unlocking for personal phones is just one of many use cases for biometrics. Companies can think much further. Some password vaults, for example, can be unlocked with biometrics, simplifying the process and encouraging employees to store their passwords safely.
An even more advanced use case combines the TEE, biometrics and app-specific authentication information to allow users to log into online services with their fingerprint. The Fast IDentity Online (FIDO) Alliance has developed a standard to optimize the process of converting an end user’s biometric authentication into app-friendly user authentication. Android versions 7.0 (“Nougat”) and after are certified as compatible with FIDO2.
While Android, the client, is important, it’s even more critical that the FIDO Alliance’s FIDO2 protocols are supported by online services and browsers. Major vendors — including Google, Dropbox, Facebook, PayPal, Salesforce, Bitbucket and GitHub — as well as major browsers, such as Google Chrome, all support FIDO2.
Samsung Pass is an example of a password management service that’s based on the FIDO specifications. Samsung Pass enables strong authentication across different apps using biometrics combined with a cloud-based service, provided by Samsung. Smartphone users can lock up multiple sets of authentication credentials — from both public and private enterprise services — and protect them with their fingerprint. Samsung Pass simplifies the user experience while using highly secure authentication systems based on digital certificates, so end users can keep their strong authentication credentials locked up with biometrics, reduce their use of insecure passwords and speed up their app authentication.
Advancing and evaluating biometric technology
Biometric technology continues to evolve, getting better and better over time. Samsung’s Galaxy S21 and Galaxy Tab S7 series, for example, include an ultrasonic fingerprint sensor. The sensor detects the ridges and valleys of the fingerprint by bouncing ultrasonic pulses off the finger. This new style of fingerprint reader is fast and popular with users, because it offers even speedier authentication and increased convenience.
Addressing standards
Businesses with Bring Your Own Device (BYOD) or Choose Your Own Device (CYOD) policies should carefully evaluate biometrics on Android smartphones when choosing vendors and technologies. This will reduce the risk of introducing the kinds of security vulnerabilities that came with the initial implementations of fingerprint readers. Following standards such as FIDO’s U2F will also help lower the risk of insecure implementation.
When enabling newer biometrics, look for a clear statement from the manufacturer on how the data is stored and verified. Data should be stored in an encrypted or hashed format so that it cannot be recovered in the clear, even by privileged applications.
Android devices should make use of specialized hardware and the TEE to handle live biometric data, ensuring malware can’t tamper with the data or interfere with the process — creating safer options for businesses interested in top security measures for their growing workforce.
Joel Snyder, Ph.D., is a senior IT consultant with 30 years of practice. An internationally recognized expert in the areas of security, messaging and networks, Snyder is a popular speaker and author and is known for his unbiased and comprehensive tests of security and networking products. His clients include major organizations on six continents.