“The Identity in Everyone’s Pocket”
Communications of the ACM, January 2021, Vol. 64 No. 1, Pages 46-55
By Phil Vachon
“Proving the authenticity of a device is one of the major challenges facing developers today, but it’s critical for them to complete the enrollment process and decide if they trust the device to hold on to a secret for normal use.”
Most every technology practitioner has a smartphone of some sort. Around the world cellular connectivity is more ubiquitous than clean, running water. With their smartphones, owners can do their banking, interact with their local government, shop for day-to-day essentials, or simply keep in touch with their loved ones around the globe.
It’s this ubiquity that introduces interesting security challenges and opportunities. Not even 10 years ago, a concept like biometric authentication was a novelty, reserved only for specialized applications in government and the financial services industry. Today you would be hard-pressed to find users who have not had the experience of unlocking their phones with a fingerprint, or more recently by simply looking at the display. But there is more to the picture than meets the (camera’s) eye: Deep beneath layers of glitzy user interfaces, there is a world of secure processors, hardware-backed key storage, and user-identity management that drives this deceptively simple capability.
Newer phones use these security features in many different ways and combinations. As with any security technology, however, using a feature incorrectly can create a false sense of security. As such, many app developers and service providers today do not use any of the secure identity-management facilities that modern phones offer. For those of you who fall into this camp, this article is meant to leave you with ideas about how to bring a hardware-backed and biometrics-based concept of user identity into your ecosystem.
The goal is simple: Make it as hard as possible for attackers to steal credentials and use them at their leisure. Let’s even make it difficult for users to clone their own credentials to share with other users. In addition to this protection, let’s ensure that adding extra factors such as biometric authentication provides a stronger assurance of who the user is. Bringing keys and other secrets closer and closer to something that is physically attached to the user provides a stronger assurance of the identity of the user who just authenticated to the device.
About the Author:
Phil Vachon is the manager of the Security Analytics and Identity Architecture team in the CTO office at Bloomberg, leading a team of engineers working on problems related to network and infrastructure security, human and machine identity management, and data science.
Related Articles at ACM:
Hack for Hire
A Threat Analysis of RFID Passports
Alan Ramos, et al.