Wednesday, 16 April 2014

The Samsung Galaxy S5 fingerprint sensor has been spoofed - what can be done to prevent it

With the recent news that researchers from SR Labs in Germany have successfully fooled (spoofed) the Samsung Galaxy S5's integrated fingerprint sensor, allowing unauthorised access to the device and the ability to make payments using the PayPal app, there are questions as to how secure fingerprint biometrics are for authentication. These questions are justified.

An authentication solution can be convenient but it must also be secure.  

A fingerprint biometric can be more convenient than using a PIN or password, especially on a mobile phone. By touching or swiping a finger over a sensor a person can quickly unlock a device, gain access to an account or make a payment. However, if the sensor can be easily fooled then the solution is fundamentally flawed.

The key point in my last sentence was "easily fooled". Attacks on fingerprint biometric systems are relatively difficult to carry out. As Marc Rogers from Lookout Mobile Security pointed out in his blog from last year - "Why I hacked Apple's Touch ID and still think its awesome" - an attacker needs access to the device and then has to use a lot of kit to physically create the fake fingerprint. As Rogers stated, this can be "tricky" and is probably not within the reach of your average street thief. However, with the right equipment and a little ingenuity it can be done.

So what can be done to ensure we benefit from the convenience of biometric authentication on mobile devices but also have a level of assurance that the solution is difficult to spoof and attack? 

One solution is to improve the anti-spoofing solutions within the biometric system. NexID Biometrics develops spoof mitigation and liveness detection solutions including its Mobile Live Finger Detection (LFD) software. The company claims that the solution can help ensure that the fingerprint system is not spoofed and states that authentication accuracy is as high as 94-97 percent. 

I spoke with NexID Biometrics' COO, Mark Cornett, to get his views on this and he said: "While Apple validated the convenience of fingerprint authentication on mobile devices, the spoof of the iPhone 5S should have sent a signal to other device manufacturers that while providing users with convenient authentication, the current level of security is vulnerable to spoofing. The layers of security for unlocking mobile devices and their applications need to be stronger to properly meet the needs of users, and facilitators of mobile commerce and BYOD policies. Now that the two largest distributors of mobile devices in the world have had their solutions spoofed, they will hopefully add liveness detection solutions to mitigate this vulnerability and thereby instil confidence in the use of mobile device fingerprint authentication."

As well as anti-spoofing and liveness detection solutions there are other tools that can be deployed to improve the security of these emerging authentication solutions. These include combining biometric authentication with other factors as part of a multi-factor authentication solution - especially useful for step-up verification where a high level of user assurance is required.

I am a big fan of behavioural, or gesture, biometrics, where the device learns how a specific user engages with their mobile device to create a profile that can be used as part of a risk-based authentication solution. By combining behavioural biometrics with fingerprint authentication a greater level of trust in who is actually using the device can be created. And when an unauthorised user attempts to spoof the system by using a gummy bear or wood glue mould, the authentication service can request another level of authentication to confirm that it really is the legitimate owner of the phone and service. The link between the end user authentication client and cloud-based risk-based (anti-fraud) solutions, especially in financial services, should not be underestimated.

There are ways in which you can improve the security of mobile-based biometric authentication solutions and deter the type of spoofing attack that has been witnessed with the Samsung Galaxy S5 - I have only scratched the surface of what is possible.

However, an enhancement to the security of the biometric solution should not come at the expense of convenience and usability. 

Mobile device manufacturers and service providers are turning to biometrics because they can enhance the usability of the authentication experience - this must not be altered.

Tuesday, 11 March 2014

Improving the first mile of authentication – how the FIDO Alliance and Nok Nok Labs are helping to create the building blocks of trusted identity

There has been a lot of media attention attracted by the FIDO Alliance, an organisation that is attempting to change the nature of online authentication through standards, and I have been following the developments with interest.

FIDO has had a successful start to its history with some of the largest names in technology, PayPal, Google, Microsoft, Synaptics (Validity Sensors), Lenovo, RSA and MasterCard to name a few, playing a role in developing the standards that were recently made public.

A number of the FIDO members have already showcased FIDO Ready™ devices at this year’s trade shows including CES, MWC and RSA Conference 2014. Solutions from AGNITiO, GO-Trust, Infineon, Fingerprint Cards, Yubico, Synaptics (Validity Sensors) and Nok Nok Labs have all been shown to demonstrate how FIDO can be implemented at the endpoint.

And with Samsung announcing its new flagship S5 smartphone at MWC 2014 with an integrated fingerprint sensor linked to PayPal’s FIDO Ready™ mobile payments app we will soon see how the FIDO standards operate in the real world.

Samsung is also planning to open up the fingerprint sensor to third parties using its new Pass API and there is a possibility that the FIDO components will be available for developers to build mobile-based multi-factor authentication enabled applications; a very promising move.

I expect to see more clients and devices being launched throughout 2014 that are FIDO Ready™. These FIDO enabled devices will run a Multifactor Authentication Client (MFAC) that supports FIDO’s Universal Authentication Framework Protocol (UAF) and interfaces with a FIDO server.

Currently, Nok Nok Labs is the only provider of both the FIDO Ready™ client and server components with its S3 Authentication Suite.

The device OEM (could be a smartphone, a tablet or a Windows PC) would pre-install the MFAC and then a service provider, the Relying Party (could be a financial services provider or a mobile network operator running it on an Authentication as a Service basis), would run the Multifactor Authentication Server (MFAS).

The MFAS has the capability of interfacing with policy and risk engines (including Risk Based Authentication) and also federated identity providers to link the client identity with multiple online services – brokering identity using strong mobile based MFA.

Over the past five years, we have witnessed a lot of development in the ‘last mile’ of authentication and identity assurance; standards such as SAML and OpenID have introduced a framework in which user identities can be shared amongst online services.

The FIDO Alliance and Nok Nok Labs are attempting to standardise the ‘first mile’ of authentication – an event at the beginning of the authentication process proving that an authorised person is allowed access to a digital service or to authorise a transaction.

These are early days for FIDO and Nok Nok Labs but I firmly believe that they are establishing the building blocks for agile omni-channel authentication and identity verification that will have an important part to play in improving the levels of trust in an open connected world.

Wednesday, 26 February 2014

Samsung leads the way in mobile biometrics with the Samsung Galaxy S5

In an announcement to a packed auditorium at Mobile World Congress 2014 on the evening of 24 February 2014, Samsung launched their latest flagship Galaxy smartphone, the S5, containing an integrated fingerprint sensor.

We still need more information on the specifics of how the sensor will operate and interact with the associated services but this is what we know.

The S5 fingerprint sensor is a swipe sensor located on the front of the device underneath the physical home button.

In a promising move from Samsung, they have initially linked the sensor to four consumer and enterprise services that include:
  • Phone unlock
  • Private Mode protection, to protect important documents contained in a secure vault
  • Mobile payments via the pre-installed PayPal app
  • As part of a multifactor authentication (MFA) solution (Fingerprint + Password) for Knox 2.0 authentication
According to reports, the fingerprint service can register three separate fingerprints and takes up to eight swipes to initially register a user's fingerprint as part of the enrolment process.

The mobile payments app is provided by PayPal, who have been working on the development of the supporting ecosystem for a number of years. It leverages a combination of hardware and software services that include:
  • Integrated fingerprint sensor
  • Hardware security environment provided by TrustZone (Secure Element, SE, and Trusted Execution Environment, TEE)
  • Secure authentication protocol and infrastructure (mobile client and server) as part of FIDO Alliance OSTP and commercialised by Nok Nok Labs
  • Merchant service infrastructure to support PayPal mobile payments

Hill Ferguson, chief product officer, PayPal, commented on the development; "By working with Samsung to leverage fingerprint authentication technology on their new Galaxy S5, we are able to demonstrate that consumers don't need to face a tradeoff between security and convenience."

By leveraging the FIDO-ready software, PayPal says that customers can use their finger to pay on the device securely without revealing their fingerprint templates. The FIDO-aware software, created by Nok Nok Labs, communicates between the fingerprint sensor on their phone and its service in the cloud. The only information the device shares with PayPal is a unique encrypted key that is used for identifying the customer without having to store any biometric information on PayPal’s servers.

The fingerprint template is securely stored within the SE and is protected by ARM’s TrustZone environment. This makes it difficult to access or tamper with the biometric template and also allays privacy concerns of having to store a fingerprint in a networked database.
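The flow just described, and the MFAC/MFAS split from the FIDO post earlier on this page, reduced to their core as an added example in Go. This is not PayPal's, Nok Nok Labs' or the FIDO Alliance's code: the "template" is a constructed hash of a sample string, the fingerprint matcher is an exact comparison, and Ed25519 stands in for whatever key type a real authenticator uses. What it shows is that the server stores public keys and single-use challenges only, the template never leaves the device, and a spoofed finger that passes the local match is exactly what unlocks the key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Authenticator is the on-device side: the MFAC, the fingerprint matcher and
// the private keys held in the hardware-protected area (SE/TEE in the post).
// Neither the template nor a private key is ever sent to a relying party.
type Authenticator struct {
	template [32]byte                      // enrolled template (constructed stand-in: a hash)
	keys     map[string]ed25519.PrivateKey // one key pair per relying party and handle
}

// RelyingParty is the server side (MFAS). It holds public keys only, so a
// breach of its database yields nothing that could reconstruct a fingerprint.
type RelyingParty struct {
	name       string
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][32]byte // outstanding single-use challenges per handle
}

// sampleHash stands in for feature extraction. A real matcher compares
// minutiae with a tolerance; an exact hash keeps the protocol flow visible.
func sampleHash(sample string) [32]byte { return sha256.Sum256([]byte(sample)) }

func NewAuthenticator(enrolSample string) *Authenticator {
	return &Authenticator{template: sampleHash(enrolSample), keys: map[string]ed25519.PrivateKey{}}
}

func NewRelyingParty(name string) *RelyingParty {
	return &RelyingParty{name: name, pubKeys: map[string]ed25519.PublicKey{}, challenges: map[string][32]byte{}}
}

// matchLocally is the only place the template is used. A spoofed finger that
// passes here unlocks the key, which is why liveness detection matters.
func (a *Authenticator) matchLocally(sample string) bool { return sampleHash(sample) == a.template }

// Register mints a fresh key pair for this relying party after a local match
// and hands over only the public key plus an opaque handle.
func (a *Authenticator) Register(rp *RelyingParty, sample string) (string, error) {
	if !a.matchLocally(sample) {
		return "", errors.New("registration refused: local fingerprint match failed")
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", err
	}
	handle := hex.EncodeToString(pub[:8]) // opaque key identifier, not a user identity
	a.keys[rp.name+"/"+handle] = priv
	rp.pubKeys[handle] = pub
	return handle, nil
}

// Challenge issues a random nonce that the device must sign.
func (rp *RelyingParty) Challenge(handle string) ([32]byte, error) {
	var c [32]byte
	if _, ok := rp.pubKeys[handle]; !ok {
		return c, errors.New("unknown key handle")
	}
	if _, err := rand.Read(c[:]); err != nil {
		return c, err
	}
	rp.challenges[handle] = c
	return c, nil
}

// toBeSigned binds the response to the relying party's name so a signature
// produced for one service cannot be replayed against another.
func toBeSigned(rpName string, chal [32]byte) []byte { return append([]byte(rpName+"\x00"), chal[:]...) }

// Authenticate unlocks the per-RP key with a local match and signs the challenge.
func (a *Authenticator) Authenticate(rp *RelyingParty, handle, sample string, chal [32]byte) ([]byte, error) {
	if !a.matchLocally(sample) {
		return nil, errors.New("authentication refused: local fingerprint match failed")
	}
	priv, ok := a.keys[rp.name+"/"+handle]
	if !ok {
		return nil, errors.New("no key registered for this relying party")
	}
	return ed25519.Sign(priv, toBeSigned(rp.name, chal)), nil
}

// Verify checks the signature against the stored public key and consumes the
// challenge, so the same signature cannot be presented twice.
func (rp *RelyingParty) Verify(handle string, sig []byte) bool {
	pub, ok := rp.pubKeys[handle]
	chal, pending := rp.challenges[handle]
	if !ok || !pending {
		return false
	}
	delete(rp.challenges, handle)
	return ed25519.Verify(pub, toBeSigned(rp.name, chal), sig)
}

func main() {
	auth := NewAuthenticator("constructed-ridge-pattern-alice")
	rp := NewRelyingParty("payments.example")
	handle, _ := auth.Register(rp, "constructed-ridge-pattern-alice")
	chal, _ := rp.Challenge(handle)
	sig, _ := auth.Authenticate(rp, handle, "constructed-ridge-pattern-alice", chal)
	fmt.Println("first use accepted:", rp.Verify(handle, sig))
	fmt.Println("replay accepted:", rp.Verify(handle, sig))
}
```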

This is extremely positive news for the whole industry.

This is an extract from an analysis of the Samsung S5 found in a Goode Intelligence Market Intelligence report (Fingerprint Biometrics Market Intelligence third edition)

Wednesday, 19 February 2014

The Changing Face of IT – The Twin Challenges of Mobile and Service Oriented IT

More and more frequently, users are accessing corporate information from a variety of devices – not just corporate-issued PCs, but from mobile devices and tablets that may have a dual purpose as personal devices.  

In a recent white paper I wrote, published by Goode Intelligence, I explored the key questions IT needs to consider as they search for more convenient methods to secure and protect access to sensitive information; sometimes on infrastructure that they do not own or control.

I invite you to listen to a short video discussion that I had with Ian Williams, Head of Market Intelligence, RSA, which is now available on YouTube.

What are the new IT challenges brought on by mobile and cloud adoption? The Changing Face of IT – The Twin Challenges of Mobile and Service Oriented IT

For additional details, the full white paper is available for download; “Next Generation Authentication for the Mobile Ready Enterprise”

Tuesday, 21 January 2014

From Swipe to Touch to Invisible Touch - The Evolution of Fingerprint Sensors in Smart Mobile Devices

Readers of a certain age will possibly remember Genesis, the English prog-rock band that featured first Peter Gabriel and then Phil Collins on vocals. In the 1980s they released a rather poor 13th album called ‘Invisible Touch’. Little did they know that we would use that title in a rather obscure pun in an article on the evolution of fingerprint sensors in smart mobile devices (SMD) – the album cover is rather relevant though! And if you hear ‘Invisible Touch’ wafting over the speakers at a product launch at MWC 2014 – you know where they got their idea from.

This blog explores the evolution of fingerprint sensors designed for consumer electronic devices including smart mobile devices; from swipe to touch to ‘invisible touch'. This blog first appeared in the January 2014 edition of the Goode Intelligence Market Intelligence publication; "Fingerprint Biometrics Market Intelligence" (published 28 January 2014). 

Smartphone OEMs rush to embed fingerprint sensors

Despite the intense media attention that accompanied Apple's launch of Touch ID, embedded fingerprint sensors on mobile phones have been around since 1998. Ever since Siemens developed its prototype device back in 1998 there has been a steady stream of handsets being biometric-enabled.

Fingerprint sensors are becoming a common feature of flagship smartphones, with an increasing number of mobile device OEMs joining Apple in launching high-end devices during the latter part of 2013. These included HTC, Fujitsu and Pantech. So far, all these Android-based devices have used swipe fingerprint sensors, sourced from either Fingerprint Cards (FPC) or Validity Sensors. On these Android devices the sensor is located on the rear of the smartphone (see image of HTC One max below).

HTC One max (with Validity swipe sensor located underneath rear camera)

Apple Touch ID - leader for smartphone touch sensor

Apple is so far the only mobile device OEM to have launched a device with an embedded touch capacitive sensor (shown below). The sensor uses capacitive touch technology to take a high-resolution image (500 pixels per inch, ppi) of small sections of a fingerprint (from the subepidermal layers of the skin).

Source: Apple

There are advantages in using a touch sensor over a swipe sensor on a mobile device:
  • The user experience is usually superior
  • Greater accuracy; there appear to be fewer failures as the finger is better positioned for touch. For swipe, the finger has to be swiped accurately over the sensor to ensure that the fingerprint is read correctly. On some smartphone implementations, especially on larger devices (phablets), the location of the sensor on the rear of the device makes this difficult when holding the device with one hand
  • The sensor can be built into a hard button on the front of the mobile device, e.g. home/power button

Non-Apple smartphones - first swipe then touch

Goode Intelligence believes that for the first quarter of 2014 a number of Tier 1 mobile device OEMs will launch flagship models that incorporate a swipe sensor. This will include further HTC models and releases from LG, Lenovo and Samsung (Samsung may want to launch with a touch sensor to match the user experience of Apple’s Touch ID).

The three remaining fingerprint sensor manufacturers who can supply to the mobile device industry, Fingerprint Cards, Idex and Validity Sensors (part of Synaptics) are all in the process of commercialising their versions of the mobile-ready touch sensor.

Fingerprint Cards is probably in a more advanced state of commercialisation and has gone on record to say that their touch sensor (FPC1020) has been sold to a “Tier 1 OEM” for a “flagship smartphone with a targeted launch date in the summer of 2014”[1]

Idex and Validity will follow FPC in launching their own touch sensors during 2014 and GI expects to see them appear in smart mobile devices and other consumer electronic devices.

Next generation consumer fingerprint sensors - Invisible Touch

The third stage in the evolution of mobile device-based fingerprint sensors is driven by the need for greater user convenience combined with a trend to remove physical buttons from smart mobile devices, itself partly a result of shrinking bezels and the trend towards larger touch screens.

The elimination of physical buttons creates a problem for component suppliers including fingerprint sensor manufacturers as it removes an obvious place to position the sensor. It also provides them with an opportunity for new markets for their products.

The positioning of the fingerprint sensor underneath, or within the touch screen, is the next stage in the evolution of consumer fingerprint biometrics and enables mobile device OEMs to remove physical buttons. It also ensures that the convenience of identification, touching a finger on the front of a mobile device, is maintained.

GI believes that all of the fingerprint sensor manufacturers currently operating in the consumer and mobile space are well advanced in their research and development efforts to make this a reality:
  • Idex released this video after demonstrating a proof-of-concept device that placed the fingerprint sensor within the touch screen display
  • Validity Sensors is now part of Synaptics who are one of the world’s largest suppliers of touchscreen technology. Synaptics are also developing fingerprint sensors built into the touchpads that are embedded into laptops and notebooks
  • FPC has demoed touch sensor capabilities with Windows for integration into Windows 8 (8.1) products and also works with CrucialTec, manufacturer of the optical TrackPad (OTP)
This includes Apple and the resources that were integrated as a result of the AuthenTec acquisition.

‘Invisible Touch’ is not only suitable for smart mobile devices; any consumer electronic device that uses a screen has the potential to integrate a touch fingerprint sensor under or within the screen. This could include smart TVs, single-use gaming handhelds, tablets, touchscreen monitors, hybrid notebooks and touchscreens integrated into domestic appliances and smart house control technology. Whether anybody would want to authenticate using their fingerprint for their fridge is debatable (although perhaps if you wanted to stop a young child from turning on an oven or keep your teenager out of your wine cooler?).

This is a potentially huge market and is part of the wider Consumerisation of biometrics that will revolutionise how we interact with technology.

This opportunity will be explored in an upcoming analyst report published by Goode Intelligence; "Emerging Markets for Fingerprint Biometrics".

[1] FPC wins first 1020 touch sensor DW from Global Tier 1 OEM for their flagship smartphone. 20 December 2013:

Wednesday, 6 November 2013

Bring Your Own Finger - The Consumerisation of Biometrics on Mobile Devices

Firstly, let me apologise for jumping on the BYO bandwagon. I did grimace a bit when writing it but in a way it is rather apt. Biometrics are always with you and you do bring them with you; to the shops, to work, when travelling.....

That's what makes them a very attractive proposition for identification purposes. With the ever-growing list of super-long passwords that we are required to use for an increasingly long list of digital services, the search for an agile method for securely identifying people has been the Holy Grail for some time. Link that with the move towards accessing digital services on mobile devices and you have a situation that creates a perfect environment for easy-to-use, convenient, authentication and identity verification services.

Without even considering the rush by mobile manufacturers to embed fingerprint sensors into their latest smart mobile devices, mobile devices have many sensors that can be leveraged for biometric identification purposes: cameras (front and rear, with support for capturing HD video), high-quality microphones, accelerometers for behavioural biometrics, etc.

In my latest report for Goode Intelligence, "Mobile Biometric Security - Market Forecast Report 2013-2018", I have revised the forecasts from the original report, published in June 2011, to take into consideration the rapidly changing landscape. My research into this sector has discovered that in the last two years the following factors have created an environment that will create a market that is worth US$8.3 billion by 2018:

The Consumerisation of Biometrics: Apple has changed everything and has again disrupted a market and rebranded biometrics as a convenient method of communicating with consumer technology. Previously, Biometrics has largely been associated with high-end security; border control, national ID solutions and for providing access control for high-security buildings. This has all changed with the Apple iPhone 5s and Touch ID

Convenient mobile device protection: Existing mobile device authentication is cumbersome and inconvenient.  This means that many devices are left with no protection. Replacing a PIN or Passcode with an easy-to-use biometric can reduce this burden

Mobile Commerce: Mobile devices have become the prime method of carrying out digital commerce yet identity verification and payment authorisation has not yet been updated to match this form factor. Biometrics can offer a convenient and secure method to prove identity and to authorise payments

As part of a multi-factor authentication solution: Most of the major authentication vendors support, or have plans to support, biometrics in their authentication products. This will be supported by authentication standards initiatives such as the FIDO Alliance that will enable biometrics to be easily utilised, when available, on mobile devices

Mobile devices are getting more secure: Apple’s Touch ID fingerprint solution makes use of a ‘secure vault’ to ensure that the fingerprint templates are stored in a secure area of the hardware. It is thought that Apple is leveraging ARM’s TrustZone, a hardware-security environment for secure storage and trusted execution. Security services are being built into all mobile platforms to counteract malware and to protect sensitive information and transactions. Complementary services such as Mobile Device Management (MDM), Secure Containers and Mobile Application Management (MAM) create a trusted platform to support biometric security on consumer mobile devices

Thursday, 26 September 2013

The Changing Face of User Authentication and the Road to Bring Your Own Identity

I recently presented on an Infosecurity Magazine webinar entitled “How to Make Access to your Sensitive Data More Secure - The Easy Way”.  During my presentation I explored how user authentication is adapting to meet the changes created by a number of linked transformational trends that include cloud computing, mobility and the Consumerisation of IT.

The presentation focused on one of Goode Intelligence’s specialist areas, mobile-based authentication (both the phone as an authenticator and mobile authentication when an IT service is accessed from the mobile device). It also touched on other areas of Identity and Access Management (IAM) and the development of these corresponding areas is vital to the successful transformation of user authentication services (both mobile and non-mobile). It is imperative that we meet the security challenges of the next generation of IT services – to defend the borderless enterprise.

We are increasingly accessing a huge wealth of digital information, both inside and outside of the enterprise network, from a myriad of devices. In this new world of IT, traditional authentication solutions, both single-factor (passwords) and two-factor (smart cards and OTP tokens), have become clumsy, inconvenient and less secure. Password management is a headache; in the main we either write down strong passcodes or alternatively re-use passwords that we can easily remember (there are password management tools that exist).  Alternatively, when traditional two-factor authentication is used then this is often not designed for cloud, mobile or BYOD. Authentication solutions designed for traditional, behind firewall, enterprise systems are increasingly not effective for new, agile, IT services.

So what are the alternatives? How do we match convenience and security and ensure identity is successfully proven across a wide variety of different devices (enterprise-issued and employee-owned) accessing many services located on-premise, hybrid and wholly in the cloud?

I believe that we are close to achieving the goal of supporting a much more agile and mobile world of IT service provision with strong, convenient authentication. We know what the problem is and we have many of the building blocks to make this a reality. These building blocks include risk-based authentication (RBA), federated identity, multi-factor authentication and user choice.

Match risk with appropriate security – combining user intelligence with business context
At Goode Intelligence, we are seeing increasing demand for more intelligent forms of authentication where the choice of authentication method used is real-time risk driven. The financial services sector has been an early adopter of RBA technology as it has a history of measuring (managing) risk.

RBA matches the most appropriate authentication method to the assessed risk. To be successful in this you must first know who the user is and what they plan to do.

User intelligence can be gathered from a number of inputs, and the mobile device can play an important part in this process: by learning the unique characteristics of its owner, such as where they are usually located (geo-location), the days and times they are normally active and even how they hold and touch the device (behavioural analysis), the device provides passive signals that can be combined with more active forms of authentication.

An accurate risk score can be calculated by combining user intelligence with business context. What is the user trying to achieve - Is it a high-value financial transaction to an unknown recipient or attempting to access the latest sales data? Based on this risk score the authentication engine can then choose the most appropriate authentication method to prove identity. A one-time-password (OTP) generated by the authentication engine and sent to the user’s registered mobile device via SMS may be sufficient or alternatively the authentication level may be ‘stepped-up’ to a stronger factor – a biometric or even a separate hardware device.
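The scoring-and-step-up decision described in the two paragraphs above, written out as an added example in Go (not Goode Intelligence's or any vendor's engine). The weights and thresholds are constructed for illustration; the inputs are the ones the post names (geo-location, usual days and times, hold/touch behaviour, the value and recipient of a transaction, view versus transfer), and the output is the post's ladder of session only, SMS OTP, biometric or a separate hardware device. It also covers the case argued for in the Galaxy S5 post at the top of the page: a poor behavioural match on its own pushes a request towards a stronger factor.

```go
package main

import "fmt"

// Context is what the authentication engine sees for one request: user
// intelligence gathered by the mobile client plus the business context.
type Context struct {
	KnownLocation    bool    // request comes from the user's usual geo-location
	UsualHours       bool    // within the days and times the user is normally active
	BehaviourScore   float64 // 0..1 similarity of hold/touch behaviour to the enrolled profile
	Action           string  // "view" (e.g. latest sales data) or "transfer"
	TransactionValue float64 // amount for a transfer, 0 otherwise
	NewRecipient     bool    // transfer to a payee never seen before
}

// AuthLevel is the step-up ladder from the post: existing session, an SMS
// OTP, a biometric, or a separate hardware device.
type AuthLevel int

const (
	SessionOnly AuthLevel = iota
	OTPViaSMS
	Biometric
	HardwareToken
)

func (l AuthLevel) String() string {
	return [...]string{"session only", "OTP via SMS", "biometric", "hardware token"}[l]
}

// RiskScore combines user intelligence with business context into 0..100.
// Weights are constructed for illustration; a production engine would tune
// them from fraud data.
func RiskScore(c Context) int {
	score := 0
	if !c.KnownLocation {
		score += 25
	}
	if !c.UsualHours {
		score += 10
	}
	score += int((1 - c.BehaviourScore) * 30) // the less the device recognises the hand, the riskier
	if c.Action == "transfer" {
		score += 15
		if c.NewRecipient {
			score += 15
		}
		if c.TransactionValue > 1000 {
			score += 20
		}
	}
	if score > 100 {
		score = 100
	}
	return score
}

// RequiredAuth maps the score onto the authentication method to request.
func RequiredAuth(score int) AuthLevel {
	switch {
	case score < 20:
		return SessionOnly
	case score < 45:
		return OTPViaSMS
	case score < 70:
		return Biometric
	default:
		return HardwareToken
	}
}

// Decide is the engine's entry point: score the request, then pick the method.
func Decide(c Context) (int, AuthLevel) {
	s := RiskScore(c)
	return s, RequiredAuth(s)
}

func main() {
	// Constructed requests: a routine look at sales data, and a large transfer
	// to an unknown payee from an unfamiliar place with a poor behavioural match.
	cases := []Context{
		{KnownLocation: true, UsualHours: true, BehaviourScore: 1.0, Action: "view"},
		{KnownLocation: false, UsualHours: false, BehaviourScore: 0.5, Action: "transfer", TransactionValue: 5000, NewRecipient: true},
	}
	for _, c := range cases {
		s, lvl := Decide(c)
		fmt.Printf("risk %3d -> %s\n", s, lvl)
	}
}
```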

Federated Identity – the road to single sign on and a more frictionless experience
For both enterprise and consumer users the prospect of having to uniquely identify themselves to multiple applications and web services is an onerous task. This is probably why for mobile devices the auto-authenticate option is widely deployed – thumbs up for convenience, thumbs down for security.

Organisations are increasingly turning their attention to identity federation, sometimes referred to as Single Sign-On (SSO), as one way to solve this problem. Identity federation allows for a standards-based way to share identity amongst multiple organisations and applications. Standards include the Security Assertion Markup Language (SAML), the OpenID protocol and WS-Federation.

The benefit to the user is that they only need to authenticate once to access a number of different organisations and applications. Using techniques such as SAML assertions, identity is then shared transparently with other applications. The user is authenticated once and then other application providers can verify the authenticity of the provided federated identity.

Multi-Factor Authentication/Identity Verification and context
Two-factor authentication (2FA) is so last year!

Over the last 24 months we have seen virtually all of the major internet players, Google, Twitter, LinkedIn, Microsoft and Facebook, deploy some form of 2FA (mainly mobile OTP-based). Microsoft was so enamoured of mobile phone-based 2FA that it acquired a vendor, PhoneFactor. The option to use 2FA on these networks is usually optional, so it is difficult to gauge how popular these services are outside the InfoSec geek community.

In terms of trends in the authentication market there is a definite movement towards supporting multiple factors (MFA), sometimes referred to as infinite factors. This is not necessarily the third factor – often associated with what you are, biometrics. MFA is about allowing a choice of factors and then matching them against context.

I feel that the combination of MFA and contextual awareness is one of the most exciting areas of authentication at the moment and we expect it to be a standard feature of premium authentication solutions. Many of the authentication vendors, including RSA, Entrust and SecurEnvoy, have already increased their portfolio of factors that can be deployed for use with their authentication engines and I believe that the number of factors, and user choice, will increase in the next 12 months. Factors include both traditional – hardware/software tokens and smart cards – and emerging – mobile, biometrics, image-based and behavioural.

The power of having multiple factors at your disposal is multiplied when you add contextual analysis. This is where mobile devices really come into their own as authenticators. Smart mobile devices have so many in-built sensors that have the capability to capture important information about the context of how and where these devices are being used: geo-location through a combination of GPS and cellular-network positioning (even more accurate with LTE/4G services), ambient noise levels captured through the microphone (important in voice biometrics), and user identification through the camera and embedded fingerprint sensors (even before Apple’s iPhone 5S and Touch ID there were over 20 million smartphones shipped with fingerprint sensors). All of this contextual information can be captured and then passed on to services that support risk-based and intelligence-based authentication. A relatively accurate identity score can be calculated on a continuous basis and then fed into the authentication service, providing a method of identifying whether the authorised owner of the device is initiating a service and then calculating whether additional authentication is required. This is sometimes referred to as step-up verification (although step-up verification is also a part of non-mobile authentication and RBA services).

User choice – The road to Bring Your Own Identity (BYOI)?
We have bring your own device/platform/software... Is it time for bring your own identity? Let the user choose the most convenient and secure way to protect their digital assets. People decide how best to protect their property and their cars, so why not let them choose how they should protect their digital lives?

I feel that we are already seeing evidence of this with Internet passports, e.g. Facebook ID and Google Authenticator, that allow registered users to authenticate to other services that support authentication from the passport provider. For instance, if I choose to I can use my Facebook ID to authenticate into my Spotify streaming music service. 

The big question is whether this will expand to services that are more sensitive, i.e. have more risk. Will my bank allow me to use my Google Authenticator to log in to its internet banking service and then transfer funds out of the account? Does the bank trust credentials issued by a social network? Possibly not for funds transfer, but what about a balance enquiry? Step-up verification could be used when I want to transact or to request an increase to my overdraft limit.

Alternatively what if a universal digital ID was issued by a government and managed by a trusted authentication service provider? I wouldn’t discount it but we are at the early stages of BYOI and perhaps initiatives such as the FIDO Alliance, Open Identity and the GSMA’s Mobile Identity Programme may help provide the plumbing and the initiatives to support it. 

Alan Goode September 2013