For a long time we have been looking for safer and more convenient ways of identifying a user than a login and a password. With technologies such as fingerprint readers or retinal scanners, identity can now be verified at least as reliably as with a login and a password.
Moreover, since such sensors are now built into mobile phones, we can confirm our identity securely on the device we carry anyway. To standardize the way identity is verified, the FIDO Alliance (fidoalliance.org) has defined a set of best-practice protocols for authenticating users and authorizing their operations. These protocols are known collectively by the abbreviation FIDO.
How does it work?
One of the FIDO protocols used for user authentication on internet platforms is UAF (Universal Authentication Framework). In short, registration works as follows:
- During registration, the client application (further referred to as the UAF Client) asks the UAF server for its registration policy: the list of authenticators it accepts, described by parameters such as the authenticator's vendor and model, the algorithms it supports, etc.
- If the client has a matching authenticator, the authenticator verifies the user and creates a pair of cryptographic keys (a public and a private one) in its own memory. The authenticator is the component that confirms the user's identity; it can be, for example, a fingerprint reader. The private key never leaves the authenticator.
- After the client has confirmed that it can authenticate under that policy, the public key is sent to the UAF server in the registration response and saved in its database, together with the username and the identifier of the application (AppID) the user registered with.
- Additionally, the identifier of the key in the authenticator's memory (the KeyID), the authenticator's own identifier and some extra data are sent to the UAF server.
At an authentication attempt, the UAF Client asks the server for an authentication request. The request carries the list of authenticators (e.g. a fingerprint reader) registered on the UAF server for the given user, together with a so-called "challenge": a freshly and randomly generated string of bytes that is different for every attempt. The UAF Client checks whether one of its authenticators holds a key pair matching one registered on the UAF server earlier. If so, the authenticator verifies the user (e.g. by fingerprint) and signs the challenge, bound to the AppID, with the private key. This signed message is then sent to the server along with other information, such as the KeyID and a signature counter.
The server checks, using the public key saved during registration, that the signature on the message is valid. If it is, the user is verified and the authentication succeeds.
What’s so cool about it?
Many people might wonder whether this way of authenticating is really better than a standard login and password.
First of all, it avoids storing users' passwords or other secrets on the authentication server: the server holds only public keys, which are of no use to an attacker who steals the database. This has a positive impact on the application's security. Additionally, the UAF protocol offers protection against theft of the authentication device. The server can track the number of authentications performed with a given authenticator (its signature counter), and it can deactivate a stolen or lost authenticator. The user does not lose access to their account on the platform; they only lose the possibility of verifying their identity with the lost authenticator.
Summing up, as devices with biometric readers (fingerprint readers, retinal scanners, etc.) and mobile applications become more widely available, we rely less and less on passwords that have to be memorized and can shift that responsibility to our devices. The UAF protocol from the FIDO family is one way to do this. Such solutions fit well in banking applications, where particular attention is paid to meeting the highest possible security standards.
Logging in to an account will be much safer with a fingerprint reader on a mobile device or a retina-scanning camera built into a laptop or PC.