Fingerprint login is now a very common login method, and in financial apps in particular, fingerprint login and fingerprint payment are especially popular. Fingerprint login is built on fingerprint authentication technology, which identifies the current user’s fingerprint and thereby confirms the identity the user registered in the system.

I think there are two keys to the popularity of fingerprint authentication:

First, simplicity: there is no password to forget, and no tedious password entry.

Second, security: it can be used in the payment flow, which shows that it can reach financial-grade security.

This article takes a simple look at how fingerprint authentication achieves these two points, and at the pitfalls and obstacles along the way.

The principle of fingerprint identification

Fingerprint identification has a long history. In China’s Tang Dynasty, fingerprints were already widely used on documents and contracts, and in the Song Dynasty they officially became physical evidence in criminal proceedings, which shows that people long ago recognized the uniqueness of an individual’s fingerprint and had a mature method of identifying it. Computer fingerprint identification likewise has to find what is unique about a fingerprint; here is only a brief introduction:

The key concept is the fingerprint feature point. Common feature points are the ridge endings and bifurcation points in the fingerprint, and the algorithm usually records their positions and directions. The program captures a fingerprint image with an optical sensor, extracts the feature points and describes them as a mathematical expression; this description is called the fingerprint template. When a fingerprint is enrolled, the template is saved to a database or other storage; during verification, the feature points of the current fingerprint are extracted and compared with the stored template. If the match score reaches a certain threshold, the fingerprint is successfully matched.

Two security issues with fingerprint identification:

  • Fingerprint image leakage: the program must not save the fingerprint image, and the fingerprint template must be encrypted in a way that makes it impossible to reconstruct the image from it. Of course, being able to do this and actually doing it are two different things. There is another kind of fingerprint leak: in 2014, German hackers successfully extracted the German defence minister’s fingerprints from photographs, so be careful after being photographed making a V sign. But most accounts are not worth such a huge risk and effort, so there is no need to worry too much; just keep it in mind.

  • Fake fingerprint identification: if someone collects your fingerprint, or makes a finger mould from it, can they pass unimpeded? Live fingerprint (liveness) detection technology addresses this problem. On the hardware side, a capacitive sensor collects temperature, heart rate and other data, which is combined with the ridge-pattern data from the optical sensor for an overall judgement. Software implementations generally rely on machine learning for recognition. However, the recognition rate for fake fingerprints may not be very good in either case, and manufacturers publish very little about it, perhaps because bionic (spoofing) technology is so good that there is not much they want to disclose. When fingerprint authentication is applied in the financial field, financial service providers must take additional measures to reduce the security risk rather than simply relying on the fingerprint authentication result; after all, if something goes wrong, the business may fail. Therefore, the security risks of large-scale application must be controlled.

Fingerprint authentication in access control

Before fingerprint authentication became widespread on mobile devices, the technology was already widely used, and many people will have come across fingerprint door-access or attendance machines. From an employer’s point of view, a fingerprint verifies an employee’s identity more effectively than a card and costs less. From an employee’s point of view, it is more convenient and efficient not to have to carry an extra card. From a security point of view, fingerprint identification technology is fairly mature: as long as nothing leaks, there is generally no problem, and the equipment itself is quite secure. The weak point is the access-control link itself: even without fingerprint authentication there are other ways to open the door, and copying the access card or the key may be more convenient. More important places should have stronger protection measures.

The fingerprint used for access control is generally enrolled first: the user and the fingerprint are bound together, and the extracted fingerprint feature data is stored locally. The enrollment process is shown in the following figure:

When the user wants to open the door, they swipe their finger on the fingerprint reader. The reader extracts the feature value of the current fingerprint and compares it with the fingerprint data stored locally. If the match reaches the threshold, identification succeeds and a door-open command is sent to the access controller. The authentication process is as follows:

Fingerprint authentication in APP

APP here refers to a third-party application on a mobile device, especially on the currently popular Android and iOS mobile operating systems.

Fingerprint authentication in an APP is commonly used for login or payment. Because these involve the APP’s own user and business data, the APP inevitably has to interact with its back-end services, and for security reasons the client and the server must also authenticate each other. So fingerprint authentication in an APP is divided into two parts: local authentication on the phone and remote authentication.

Local authentication

There is no essential difference between fingerprint authentication on a mobile phone and in an access control system: the user enrolls their fingerprints first, and for security reasons the fingerprint feature data is likewise stored locally on the phone. When the fingerprint is used to unlock the phone, the feature value of the current fingerprint is extracted and compared with the local fingerprint database; once it matches, the user is let into the phone.

Unlike the access control system, a mobile phone user must also have a password to enter the system, which can be a character password or a pattern (gesture) password. When the fingerprint cannot be used (the fingerprint module may be faulty, or the user’s fingerprint itself may be damaged), the user still has another way to get into the phone. Access control users have only fingerprint authentication; if they cannot get through the door, they have to look for the administrator.

Local authentication is also meaningful when only the phone itself is involved: every time the APP switches from the background to the foreground it requires the user to swipe a fingerprint, verifying the identity of whoever is currently operating the phone. Many banking APPs do this (in fact, I did not confirm whether the APP has to go back and verify again at this point; I just think this is a meaningful way of authenticating).

Mobile operating system vendors have done a good job on the security of local authentication. Fingerprint enrollment and identification are carried out in a secure area, and the fingerprint identification result can be returned to the APP in an encrypted form, which the APP can use directly.

Remote authentication

Remote authentication is authentication between the client and the server. The complete form is mutual authentication: the client authenticates the identity of the server so that information is not stolen, and the server authenticates the client so that the user cannot be impersonated.

  • The client authenticates the identity of the server: nowadays HTTPS is used. The HTTPS certificate guarantees the identity of the server, or at least ensures that the address you are accessing really is the domain name you intended; higher-grade certificates also identify the certificate owner. Data is encrypted under HTTPS, so in ordinary application scenarios this is not a problem. However, wrongly issued certificates have occurred, so if a higher level of security is required, the server can additionally generate a pair of asymmetric keys: the public key is sent to the APP and the private key is kept by the server. During each authentication the client first encrypts the data with the server’s public key and then sends it, and the server decrypts it with its own private key; a fake server cannot decrypt the data and gets nothing. The data the server returns to the client is signed with the private key, and the client verifies the signature; if verification succeeds, the data really came from the server and can be used.

  • The server authenticates the client through asymmetric keys: the client generates a pair of asymmetric keys, keeps the private key and sends the public key to the server. After fingerprint authentication succeeds, the client signs the request parameters with the private key and then sends the request. The server verifies the signature on the received data with the client’s public key; if verification succeeds, the data has not been tampered with and the service request initiated by the client can be processed.

Enabling Fingerprint Authentication

Here we take login as an example to see how fingerprint authentication is used for APP login. Fingerprint registration (enablement) is required first, as shown below:

  • Step 5, enable fingerprint: to enable fingerprint login, you usually log in to the APP by another method first and then enable fingerprint login. There are exceptions: a user may log in directly through a third party that itself provides fingerprint login, such as Apple ID. In the figure above, fingerprint authentication is enabled after logging in with account and password.
  • Step 12, compare fingerprints in the system: fingerprint data is always stored locally on the phone and is never uploaded anywhere remote; at present every phone on the market does this. The fingerprint authentication APIs provided by Android and iOS return only a true or false authentication result. This avoids the serious consequences of a large-scale leak caused by a cloud service breach and protects the security of users’ biometric data to the greatest extent.
  • Step 13, fingerprint authentication succeeded: if local fingerprint authentication succeeds, the user is authenticated, no matter which finger was used. Early operating system versions may have been able to tell which fingerprint was used, but this is generally no longer exposed; the APP can only learn that the set of fingerprints has changed (a fingerprint deleted or added). In that case the APP can force the user to log out, log in again by another secure method, and then let the user decide whether to re-enable fingerprint login; Alipay does this.
  • Replay attack: the request in step 16 may be intercepted and sent to the server several times, causing a replay attack. A challenge code solves this: in step 8, when the fingerprint registration request is initialized, the server generates a challenge code; the client carries the challenge code in step 16, and the server checks it when verifying the fingerprint authentication.

Using fingerprint Authentication

Let’s look at the process of logging in with a fingerprint:

  • Local fingerprint authentication at login is the same as at registration, except that this time the fingerprint-swipe page pops up when the user chooses fingerprint login.
  • Step 10, signing the login data: the client private key mainly signs the device’s unique identifier and the challenge code. When fingerprint authentication is enabled, the private key is configured so that it can only be used after fingerprint authorization, which ensures that the signature was produced by a user who passed authentication (strictly speaking, by any user whose fingerprint is enrolled on the phone; when enabling fingerprint authentication the user was already told that any enrolled fingerprint can be used to log in, and if the fingerprint set changes the user must re-confirm, so these can all be considered authorized users). If the server verifies the signature, the data was not tampered with in transit and the login was initiated from a trusted client. Combining the front-end and back-end authentication results means that the login was initiated by an authenticated user.
  • In the fingerprint enablement phase, the unique device ID and the client public key were bound to the user record. Therefore, after signature verification succeeds, a login token for the current user can be generated and used in subsequent interactions between the client and the server. For critical interactions, such as payments, fingerprint authentication remains the more secure method.
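
The challenge-code and signature checks described in the registration and login lists above, as an added example that is not from the original article or from any particular SDK: a minimal Go model of the APP back end. Ed25519 (the article names no algorithm), the message format and the device and user IDs are assumptions. The server issues a one-time challenge, the client signs device ID plus challenge after local fingerprint authentication, and the server rejects an unregistered device, an invalid signature, or a reused challenge.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// loginFmt fixes the exact bytes both sides sign and verify: device ID plus challenge code.
const loginFmt = "login|%s|%s"
// AuthServer is the APP back end: per device the owning user and bound public key, plus unused challenges.
type AuthServer struct {
	owner      map[string]string
	pubKey     map[string]ed25519.PublicKey
	challenges map[string]bool
}
func NewAuthServer() *AuthServer {
	return &AuthServer{map[string]string{}, map[string]ed25519.PublicKey{}, map[string]bool{}}
}
// NewClientKeyPair stands in for the key pair the client generates at enablement (private half stays in the TEE).
func NewClientKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // fails only if the OS RNG fails
	return pub, priv
}
// Register binds device ID and public key to a user who already logged in another way.
func (s *AuthServer) Register(userID, deviceID string, pub ed25519.PublicKey) {
	s.owner[deviceID], s.pubKey[deviceID] = userID, pub
}
// NewChallenge issues a random one-time challenge code when a login is initialized.
func (s *AuthServer) NewChallenge() string {
	buf := make([]byte, 16)
	rand.Read(buf) // crypto/rand fills the whole buffer or panics
	c := fmt.Sprintf("%x", buf)
	s.challenges[c] = true
	return c
}
// ClientSignLogin is step 10 on the client: after local fingerprint authentication
// succeeds (assumed here), the private key signs device ID and challenge code.
func ClientSignLogin(priv ed25519.PrivateKey, deviceID, challenge string) []byte {
	return ed25519.Sign(priv, []byte(fmt.Sprintf(loginFmt, deviceID, challenge)))
}
// VerifyLogin is the server side: the challenge must be unused (it is consumed whatever
// the outcome, so a replayed request fails), the device registered, the signature valid.
func (s *AuthServer) VerifyLogin(deviceID, challenge string, sig []byte) (string, error) {
	if !s.challenges[challenge] {
		return "", fmt.Errorf("unknown or already used challenge: possible replay")
	}
	delete(s.challenges, challenge)
	pub, ok := s.pubKey[deviceID]
	if !ok || !ed25519.Verify(pub, []byte(fmt.Sprintf(loginFmt, deviceID, challenge)), sig) {
		return "", fmt.Errorf("device %q unregistered or signature invalid", deviceID)
	}
	return s.owner[deviceID], nil
}

func main() {
	srv, id := NewAuthServer(), "device-0001" // constructed sample device ID
	pub, priv := NewClientKeyPair()
	srv.Register("alice", id, pub)
	c := srv.NewChallenge()
	fmt.Println(srv.VerifyLogin(id, c, ClientSignLogin(priv, id, c))) // alice <nil>
	fmt.Println(srv.VerifyLogin(id, c, ClientSignLogin(priv, id, c))) // replay: error
}
```

A real back end would also expire unused challenges and keep the challenge map per user session, which is omitted here.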

The above is the principle of fingerprint authentication in an APP. The process of fingerprint payment is similar to that of fingerprint login, but payment requires a higher level of security, and fingerprint authentication can meet that requirement.

Problems with client authentication

In the APP fingerprint registration stage above, the client generates a pair of asymmetric keys so that the server can subsequently authenticate the client’s identity. Current phones have a mature method for storing and using such a key securely: the TEE (Trusted Execution Environment):

The client private key is encrypted by the TEE’s secure key and stored on the phone. You can also specify that the private key may only be used to sign or encrypt data after local fingerprint authentication has passed, and if a fingerprint is added or deleted, the stored private key becomes invalid. So the storage and use of the key can be made secure.

But there are other security concerns:

1. The server cannot confirm that the public key uploaded by the client really represents the client’s identity. Any program can generate a pair of asymmetric keys, sign the data, and send it together with the public key to the server; the server can only prove that the signature is valid, but cannot verify where the public key came from, and so cannot verify the identity of the client. Some solutions integrate an authenticator SDK on the client side: the authentication information generated by this SDK carries some special identification information that differs per application and per device and is hard to crack, so the back end can judge that the authentication was initiated from an application that integrates the authenticator SDK. But there are challenges: the way the identification information is generated can be cracked, and how do you know whether the request was initiated by a user or by a malicious program?

2. The key generation process may be hijacked by attackers, no matter how secure storage and use are. WeChat’s technical documentation mentions this: key generation on Android may be intercepted, and it is not certain whether this has been solved at present. This also shows that the underlying framework and operating system may be unreliable and must be considered carefully in some scenarios.

3. The above two problems are more serious on rooted or jailbroken phones, where the APP, the SDK and the operating system cannot be trusted. So many financial apps do not support fingerprint authentication on rooted or jailbroken phones, but there are still ways to cheat the apps, and this is not without the cooperation of some users (who are asking for trouble).

Is there a good solution to this problem? Yes: write the private key into the TEE before the device leaves the factory.

Key security in Android

We should know that Android is open source and many phone manufacturers produce Android phones; with many manufacturers competing in the market, none of whom will defer to the others, promoting the factory-provisioned private key method mentioned above requires a unified standard. In China, Tencent and Alibaba have that kind of influence: Tencent established SOTER and Alibaba established IFAA. Both require phone manufacturers to generate a pair of asymmetric keys on the production line and write the private key into the phone’s TEE (if this goes wrong, they are out of business). The public key is uploaded to the authentication server, which verifies the signature on the data uploaded by the mobile APP during authentication. If verification passes, the authentication was initiated by the corresponding phone.

To promote the technology, the protocol also allows other vendors’ apps to join. However, this makes it easy to leak an APP’s commercial secrets: for example, with SOTER every payment has to go to Tencent’s authentication server for verification, from which Tencent could infer your business behaviour and transaction volume. So SOTER also introduced application keys and business keys to eliminate this business risk as far as possible. At the same time, the problem that Android key generation may be intercepted can be solved by having the phone manufacturer install a patch package, for example replacing the insecure intermediate link. Let’s look at how application keys and business keys are generated.

Application key generation: the application key is generated when the application is installed for the first time. The private key of the application key is stored on the phone, and the application key is signed with the private key built in before the phone left the factory. The signed application key is then sent to Tencent’s authentication server for signature verification.

Business key generation: when the user registers for fingerprint login or payment, the application generates a business key; its private key is stored on the phone, and the business key is signed with the application key. Business operations are signed on the phone with the business key and only need to be verified in the application’s own back end; Tencent’s authentication server is no longer involved.

In this way, Tencent does not know your actual business operations, such as how many online payments are made each day, though the number of APP installations will inevitably leak. That said, every app is listed in the application markets, so this information is already public.
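The three-level key chain just described (factory device key, application key, business key), as an added Go example that is not SOTER’s code and does not use its real message formats: each level’s public key is signed by the level above, Tencent’s attestation server checks only that an application key carries a valid factory-key signature, and the APP’s own back end verifies the business key and all later business signatures without contacting Tencent. Ed25519, the purpose-tag format and the device ID are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedKey is a public key plus the parent key's signature over (purpose || key).
type SignedKey struct {
	Purpose string // "app" or "business"
	Pub     ed25519.PublicKey
	Sig     []byte
}
func KeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // fails only if the OS RNG fails
	return pub, priv
}
// Certify has the parent private key sign the child public key together with its purpose.
func Certify(parent ed25519.PrivateKey, purpose string, child ed25519.PublicKey) SignedKey {
	return SignedKey{purpose, child, ed25519.Sign(parent, append([]byte(purpose+"|"), child...))}
}
func verifyChild(parent ed25519.PublicKey, purpose string, sk SignedKey) bool {
	return sk.Purpose == purpose && ed25519.Verify(parent, append([]byte(purpose+"|"), sk.Pub...), sk.Sig)
}
// AttestationServer models Tencent's server: it knows only each device's factory public key.
type AttestationServer struct{ FactoryPub map[string]ed25519.PublicKey }
// VerifyAppKey accepts an application key only if the factory-provisioned device key signed it.
func (a *AttestationServer) VerifyAppKey(deviceID string, appKey SignedKey) bool {
	pub, ok := a.FactoryPub[deviceID]
	return ok && verifyChild(pub, "app", appKey)
}
// AppBackend models the APP's own server: per device, the accepted application key and the business key.
type AppBackend struct{ AppPub, BizPub map[string]ed25519.PublicKey }
// RegisterBusinessKey checks the business key against the stored application key; Tencent is not involved.
func (b *AppBackend) RegisterBusinessKey(deviceID string, bizKey SignedKey) bool {
	appPub, ok := b.AppPub[deviceID]
	if !ok || !verifyChild(appPub, "business", bizKey) {
		return false
	}
	b.BizPub[deviceID] = bizKey.Pub
	return true
}
// VerifyBusiness checks a signature on business data (login data, a payment order).
func (b *AppBackend) VerifyBusiness(deviceID string, data, sig []byte) bool {
	pub, ok := b.BizPub[deviceID]
	return ok && ed25519.Verify(pub, data, sig)
}

func main() {
	const id = "phone-0001"      // constructed sample device ID
	devPub, devPriv := KeyPair() // production line: the private half is written into the TEE
	att := &AttestationServer{map[string]ed25519.PublicKey{id: devPub}}
	app := &AppBackend{map[string]ed25519.PublicKey{}, map[string]ed25519.PublicKey{}}
	appPub, appPriv := KeyPair() // first install: application key, certified by the device key
	if att.VerifyAppKey(id, Certify(devPriv, "app", appPub)) {
		app.AppPub[id] = appPub
	}
	bizPub, bizPriv := KeyPair() // fingerprint enablement: business key, certified by the app key
	fmt.Println(app.RegisterBusinessKey(id, Certify(appPriv, "business", bizPub))) // true
	fmt.Println(app.VerifyBusiness(id, []byte("pay 1.00"), ed25519.Sign(bizPriv, []byte("pay 1.00")))) // true
	_, rogue := KeyPair() // problem 1 above: a key minted by an arbitrary program
	fmt.Println(att.VerifyAppKey(id, Certify(rogue, "app", appPub))) // false
}
```

The purpose tag inside each signature is what stops a key certified for one level being replayed at another.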

For more information about SOTER, see the official documentation: github.com/Tencent/sot…

The IFAA process is similar to SOTER’s and is not described here. Abroad, there is also the FIDO Alliance, which addresses the same problem; in China, Lenovo Group’s subsidiary National Certification is promoting it, and the technical principle is similar.

Key security in iOS

The iPhone’s operating system and hardware are both under Apple’s own control, so it can do a good job of security control.

For local fingerprint authentication, Apple provides the Touch ID API, which can invoke fingerprint authentication on the front end. However, if you want to send the result to the server for authentication, for all the security reasons above you still need a client key. Is there a secure way to generate the client key? I did not find official documentation; many third-party applications based on this scheme may generate the key themselves and try to keep it secure. Of course, this is also a guess.

But what about apps like WeChat or Alipay? SOTER talked about supporting iOS, but that did not happen; IFAA claims to be compatible with all iPhones from the iPhone 5S up, though it is not open source. Perhaps Apple does not want to open this up at all; given Apple’s strong position, it is most likely that Apple has opened a specific API to this kind of application.

For fingerprint login, you can directly use Apple’s open Apple ID login protocol, which supports fingerprint and face authentication. Apple returns an authentication token and an authorization code to the app, and the app’s back end takes these two to Apple for verification. From this logic, Apple’s back end must be able to guarantee the identity of the client that initiated the request, so the principle is probably similar to Android’s, except that every authentication on both the front and back ends must be verified by Apple.

Fingerprint authentication on the Web

As mentioned above, the FIDO Alliance and the W3C developed the WebAuthn standard, which aims to standardize the user interface for public key authentication in web-based applications and services. This public key authentication is the client key authentication technology discussed above. It does not seem to be used much in China yet, but it is pretty cool: Windows, Linux, macOS, Android, iOS, smart watches and other devices can authenticate with fingerprint, face, iris or voice recognition, or with a physical key (connected by USB, Bluetooth or NFC), removing the dependence on passwords as far as possible.

This standard is consistent with the public key authentication technology used in APPs; the main difference is that the APP is replaced by the browser, and besides the operating system’s own support, the authentication module also supports dedicated hardware. If you are interested, look it up.

That is the main content of this article. Due to my limited ability there may be some mistakes; corrections are welcome.

For more architecture content, follow the public account Firefly Architecture. Original content; please indicate the source when reproducing.