Mobile Security Arms Race: FIDO2, Stronger Biometrics, and More
In just a few short years, Android and iOS have made great strides in mobile platform security—the driver for that progress being the increasing sophistication of cyber attacks and the growing importance of mobile devices. To help shield customers and combat some of these threats, mobile platform developers have incrementally added security and privacy-enhancing features with each major revision at a fast clip.
While biometrics, hardware-based keys, and other mechanisms are making it easier and more secure for the end-user, a weak link in the chain is the complexity that developers face in stitching these security features together effectively against a dynamic threat landscape. There’s a lot that developers have to get right. Nok Nok has been working to simplify the developer experience by raising the level of abstraction so the developer can focus on things they do well. In this blog, we address four seemingly disparate areas of change—biometrics, the FIDO (Fast Identity Online) protocols, hardware based keys, and secure display—and illustrate how they are integrated to create that simplicity for the developer.
Support for on-device biometric authentication has greatly enhanced the security of mobile devices. Mobile devices come with a variety of biometric mechanisms, but they may vary in their efficacy and security levels. Recognizing this, Google recently announced they are refining the way Android differentiates between weak and strong on-device biometrics. Android will adopt new metrics that provide an objective assessment of the ease of circumventing the biometric. For example, let's consider voice authentication. How easy is it to bypass the biometric using a voice recording or doing your best voice impression? For face authentication, can you fool it using a picture or a silicone mask created from a 3D printed mold? By factoring in these additional metrics, Google is raising the bar for biometrics.
It’s important to recognize that not all fraud is necessarily malicious in nature. In 2017, 86% of all chargebacks were probable cases of “friendly fraud”. Biometrics can be a source of friendly fraud, for example when multiple people have enrolled their fingerprints on a shared device. Early on, Nok Nok Labs worked with authenticator vendors to pioneer concepts for friendly fraud protection. Some of these concepts were incorporated into FIDO and made their way into mobile platforms, available to all apps, while others remain a proprietary part of our solutions and IP portfolio.
In the previous blog, we talked about FIDO protocols and how it makes it possible to deliver strong authentication to users at population scale and changes the economics of authentication. One of the FIDO protocols is called FIDO2, and Android now comes with native FIDO2 APIs. This means you can build FIDO2 into your native Apps, and Web Apps can use FIDO2 in browsers. By providing FIDO2 support, Android greatly reduces the chance of account takeover and scalable attacks such as phishing as compared to passwords.
Another security concern on mobile devices is how private keys are protected on the device. Strong authentication relies on keys, and many Android devices can store and process them in a protected part of the main processor called the Trusted Execution Environment (TEE). In this way, malicious software cannot access the keys. However, storing keys in a separate chip could add security beyond TEE, although this is not always the case depending on implementation. Some modern Android devices contain a security chip called a Secure Element. Nok Nok Labs worked with security chip vendors and also with Telecom companies to build this capability for certain devices. Now, in Android P, this feature, known as StrongBox, is generally available.
Storing keys in hardware is important, but how does your backend know that it was stored in hardware? Nok Nok Labs developed the concept of attestation which provides cryptographic proof that a key has the protection of hardware. This capability is built into the FIDO protocol, and it is supported natively in Android. Nok Nok has also helped design and implement metadata services for attestation, a subject we will visit in future blog posts.
To safeguard against account takeover, an app can get confirmation from the user for a high-value transaction. To make this work, the mobile OS needs to provide the ability to display a message to the user such that the message cannot be altered by malicious software. You can think of this feature as "what you see is what you sign". A few years ago, Nok Nok Labs worked with TEE vendors to develop a proof-of-concept showcasing this concept. The notion of a tamper-proof transaction display is built into FIDO, and Google has built this into Android P, which can close out the possibility of phishing completely if correctly used with FIDO.
Although Android has been getting more secure over the years, progress has not been in a straight path, as seen here in this timeline of Android OS releases versus features:
Not all security features are released as part of the operating system. Android has another release vehicle called Google Play Services. The timeline below shows security features delivered this way:
Complicating matters, Android has introduced security features and then superseded them by newer variants, sometimes changing the way the underlying biometric subsystem works. Also, with the ever-changing threat landscape, the evolution of security on mobile operating systems will continue. As an app developer, it can be difficult to keep up with this fast pace of change. Using FIDO authentication is one way to address this dilemma. With FIDO, you don't need to change your app or backend infrastructure to take advantage of the mix of security capabilities available now and in the future.
We have also seen a similar evolution—perhaps more linear and consistent—in Apple’s iOS. Nok Nok has been the first to adapt these new capabilities to deliver FIDO based authentication on Apple’s devices as a part of our commitment to deliver to authentication for any device, any authenticator.
You can try out Nok Nok’s S3 Authentication Suite, which builds on top of the FIDO standards now.