How To Use Biometrics with FIDO
Enabling biometrics with FIDO can help create more security for your logins and reduces the risk of login attacks from succeeding.
What is FIDO biometrics? FIDO biometrics are a way to authenticate a user via their face, fingers, or voice; this lends itself to a user having a passwordless experience with their login.
What Are FIDO Passwordless Standards?
One of the more significant cybersecurity threats today is the inherent weakness of passwords. In the earliest days of computing, having a simple username and password or PIN combinations proved suitable for security.
In modern cybersecurity and authentication, however, the “always on” nature of the Internet and the proliferation of cloud-based apps and mobile devices have shown us that password authentication is weak against several common attacks like phishing or other social engineering approaches.
There has been a massive shift in authentication from common password systems towards multi-factor authentication (MFA) and passwordless solutions. But, as with many innovations, this move introduced several new issues, namely the fragmentation of the implementation and maintenance of these standards.
The Fast IDentity Online (FIDO) alliance was formed to address two key issues related to strong authentication and adoption:
- Passwordless Authentication: The stated mission of the FIDO alliance is to reduce our reliance on passwords by shifting technology toward passwordless systems.
- Interoperability: While passwordless authentication is a step towards strong authentication, it won’t provide much benefit if it isn’t used. Therefore, FIDO promotes a shared and open industry standard for adopting passwordless authentication.
To provide the required interoperability sufficient for an industry standard, FIDO developed several specifications on their own and in conjunction with the World Wide Web Consortium (W3C):
- Universal Authentication Framework (UAF): This is the passwordless standard for FIDO. UAF architecture provides a framework through which users can authenticate themselves, without a password, through the exchange of asymmetric encrypted key pairs between a FIDO server and a client application or device with the user (most commonly a phone or tablet).
- Universal 2nd Factor (U2F): U2F is a narrower authentication implementation that allows developers to include a second (or more) factor for authentication. U2F allows MFA over UAF passwordless verification, password systems, or USB verification devices.
- FIDO2: The FIDO2 project results from the FIDO Alliance’s work with the W3C. It combines the Web Authentication API, or WebAuthn (a standardized, secure authentication interface for web applications using public-key cryptography) and the Client to Authenticator Protocol, or CTAP2 (a protocol that allows cryptographic authenticators like USB keys or smartphones with other devices).
While this combination of technologies might overlap, they all serve the primary function of bringing secure, passwordless security to hardware devices and web applications.
What Are FIDO-Certified Biometrics?
Simply put, FIDO biometrics are just FIDO-certified biometric devices and technologies that can function on top of FIDO authentication. These biometrics devices are built to conform to FIDO (thus, open) standards to provide strong authentication security that can complement several kinds of identity verification and management requirements.
The benefit of FIDO, and this FIDO biometrics, are that they are open and certified by the Alliance, meaning that they will operate under common standards and share interoperability with other FIDO protocols.
Some of the FIDO-certified types of biometrics include:
- Fingerprints
- Voice
- Facial Recognition
- Iris Scans
Biometric Component Certification Program
To ensure the interoperability of the FIDO biometric component technology, the FIDO Alliance uses a certification process that’s independent of its other programs. This means that the creators of biometric components can apply for FIDO certification for that component without having a fully-functional, FIDO-certified authentication application or platform.
There are, however, rules for component integration–that is, if a biometric component is certified, there are still essential rules around how other authentication platforms can integrate that component if they seek FIDO certification.
Additionally, these certification requirements will depend on the type of FIDO certification. Authenticators seeking certification at FIDO levels 1 or 2 only have the option, not the requirement, to integrate biometrics. Levels 3 or higher, however, require certified biometrics.
In either case, FIDO provides a concrete process by which biometrics components are certified:
- Application: Developers seeking certification must apply for a FIDO Alliance account to access the Biometric Dashboard. This Dashboard allows them to navigate the certification process, including initiating their application.
The FIDO Alliance biometric component certification secretariat will review this application, accept it, reject it, or ask for further documentation.
- Biometric Testing: The developer submits the component to a FIDO-accredited laboratory for testing. The laboratory will combine online and offline testing with live subjects. The laboratory will also provide an Allowed Integration Document that outlines the changes necessary for authenticators to integrate the biometric component properly.
- Laboratory Reports: Once the testing is complete, the laboratory will provide a laboratory report to the developer and to the certification secretariat, including the Allowed Integration Document.
- Certification Requests: After the report is approved, the developer completes a certification request. This step also calls for the developer to provide metadata that describes the component. This metadata must include the Biometric Certification level, the Self-Attested False Accept Rate, and the Self-Attested False Reject Rate.
- Certification Issuance: If the FIDO Alliance approves the certification, then the certificate is issued to the developer. The developer may submit their metadata to the FIDO Metadata Service. They will also pay their certification fee ($10,000 for members and $13,000 for non-members).
What Are the Benefits of Moving to FIDO Biometrics?
- Standardized Passwordless Authentication: Passwordless authentication is a critical step in identity and access security. FIDO provides a robust and maintained way to implement passwordless authentication without having to lock into a single vendor or service provider.
- Flexible Hardware-Based Authentication: A strength of FIDO standards is that it supports hardware-based token authentication, including using USB keys, keycard authentication, and hardware tokens.
With FIDO biometrics, you’ll also get the benefits of stronger security using physical traits (for example, including a fingerprint scan in a USB security key or leveraging FIDO-compliant facial recognition in a Windows laptop.
- Regulatory Compliance: Biometrics, hardware-based authentication, and MFA are all components of most regulatory frameworks.
Furthermore, the National Institute of Standards and Technology, or NIST, governs almost every federal and defense cybersecurity standard and is a member of the FIDO Alliance. Working with FIDO-compliant technology will go a long way to aligning your infrastructure with security standards.
- Interoperability: FIDO biometrics won’t require you to lock in with a single provider or vendor. Additionally, the FIDO Metadata Service provides an extensive directory of compliant technology so you can trust any component or solution you adopt.
Deploy FIDO-Compliant Authentication with 1Kosmos BlockID
1Kosmos BlockID is a certified FIDO technology that provides enterprise users with decentralized and passwordless authentication. Our solution is based on blockchain technology and uses simple UX and mobile devices to ensure that your employees can quickly and easily identify themselves across your company’s platforms and digital assets.
With 1Kosmos, you get the following benefits:
- SIM Binding: The BlockID application uses SMS verification, identity proofing, and SIM card authentication to create solid, robust, and secure device authentication from any employee’s phone.
- Identity-Based Authentication: We push biometrics and authentication into a new “who you are” paradigm. BlockID uses biometrics to identify individuals, not devices, through credential triangulation and identity verification.
- Cloud-Native Architecture: Flexible and scalable cloud architecture makes it simple to build applications using our standard API and SDK.
- Identity Proofing: BlockID verifies identity anywhere, anytime and on any device with over 99% accuracy.
- Privacy by Design: Embedding privacy into the design of our ecosystem is a core principle of 1Kosmos. We protect personally identifiable information in a distributed identity architecture, and the encrypted data is only accessible by the user.
- Private and Permissioned Blockchain: 1Kosmos protects personally identifiable information in a private and permissioned blockchain, encrypts digital identities, and is only accessible by the user. The distributed properties ensure no databases to breach or honeypots for hackers to target.
- Interoperability: BlockID can readily integrate with existing infrastructure through its 50+ out-of-the-box integrations or via API/SDK.
Try 1Kosmos biometric capabilities–easily demo our app experience in 3 steps.