Fingerprint authentication in mobile banking applications

Best Practices / Code Quality
09/04/2017 - 17:45 to 18:25
Stage Zuse

Session abstract: 

By adding a fingerprint reader, smartphones have introduced a new way to authenticate users. This new authentication feature is attractive to both developers and users.
Although this biometric authentication method has simplified the authentication process, incorrect implementations can introduce critical security problems.

Mobile banking applications are in many cases early adopters of fingerprint authentication, where it can be used instead of a PIN for the login process. However, other, more sensitive actions such as money transfers pose a greater challenge when migrating to fingerprint authentication.

Additionally, in order to increase security, virtually all mobile banking applications nowadays depend on OTP algorithms to generate time-based secrets, which ultimately depend on a secret key (the seed). This seed is the ultimate secret for access to mobile banking.

Since this seed needs to be available for both the login and the transaction authentication process, most current mobile banking applications solve this by encrypting the seed with the user's PIN code, and then storing the PIN code on the device, encrypted in such a way that it becomes accessible after fingerprint authentication.
The problem with this approach is that the keystore holding the PIN is accessible to a root user without any authentication, so root access yields the PIN and, through it, the seed.

Developers choose this solution because it does not require many changes to the server-side code or to the backend database; other solutions require substantial changes.

This presentation introduces a novel approach which is secure and needs no change to the backend database. Programmers will be able to adopt it with a small change to the backend web service and to the mobile application.
Additionally, it will be shown how this method can be employed for two-factor and multi-level authentication, even on devices that support a hardware-backed keystore, in order to make the application more secure.
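The abstract does not describe the speaker's approach, so the following is an added example, not the talk's design or any bank's code. It illustrates the weakness named above (a PIN sitting in the keystore, readable by root, unlocking the seed) from the defender's side: instead of storing the PIN, the OTP seed is wrapped with an AES key that lives in the hardware-backed Android Keystore and is flagged as requiring user authentication, so the wrapped seed can only be opened through a cipher that BiometricPrompt has authorised for one fingerprint touch. The key alias and the class name are assumptions; the Android and androidx.biometric APIs are real.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import androidx.biometric.BiometricPrompt;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Added example (not from the talk): keeps the OTP seed under a
// hardware-backed, authentication-bound key instead of under the user's PIN.
public final class SeedVault {
    private static final String ALIAS = "totp_seed_wrapping_key"; // hypothetical alias
    private static final String KEYSTORE = "AndroidKeyStore";
    private static final String TRANSFORM = "AES/GCM/NoPadding";
    private static final int GCM_TAG_BITS = 128;

    // Call once at enrolment. The key material never leaves the keystore hardware,
    // and every use must be authorised by a fresh biometric authentication.
    public static void createWrappingKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE);
        KeyGenParameterSpec spec = new KeyGenParameterSpec.Builder(ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
            .setKeySize(256)
            .setUserAuthenticationRequired(true)        // unusable without authentication
            .setInvalidatedByBiometricEnrollment(true)  // a newly enrolled finger destroys the key
            .build();
        kg.init(spec);
        kg.generateKey();
    }

    private static SecretKey loadKey() throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        return (SecretKey) ks.getKey(ALIAS, null);
    }

    // Cipher to hand to BiometricPrompt when wrapping the seed at enrolment.
    // The keystore generates the IV; read it with cipher.getIV() after doFinal.
    public static Cipher cipherForWrap() throws Exception {
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.ENCRYPT_MODE, loadKey());
        return c;
    }

    // Cipher to hand to BiometricPrompt when the seed is needed for an OTP.
    public static Cipher cipherForUnwrap(byte[] iv) throws Exception {
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.DECRYPT_MODE, loadKey(), new GCMParameterSpec(GCM_TAG_BITS, iv));
        return c;
    }

    // Called from BiometricPrompt.AuthenticationCallback.onAuthenticationSucceeded.
    // Only the cipher carried in the CryptoObject was authorised by this touch;
    // a cipher created elsewhere (e.g. by a process running as root) throws on doFinal.
    public static byte[] unwrapSeed(BiometricPrompt.AuthenticationResult result,
                                    byte[] wrappedSeed) throws Exception {
        Cipher authorised = result.getCryptoObject().getCipher();
        return authorised.doFinal(wrappedSeed); // raw seed: compute the OTP, then zero it
    }

    // Usage sketch (inside an Activity, executor and callback already set up):
    //   BiometricPrompt prompt = new BiometricPrompt(activity, executor, callback);
    //   prompt.authenticate(promptInfo,
    //       new BiometricPrompt.CryptoObject(SeedVault.cipherForUnwrap(storedIv)));
}
```

The difference from the PIN-wrapping design in the abstract is what a root user can reach: here there is no PIN on the device at all, the wrapping key is not exportable from the keystore hardware, and a copy of the wrapped seed blob is useless without a cipher that the biometric hardware has just authorised. The transaction-authentication case the abstract flags as harder still needs the server-side change the talk promises; this example only covers keeping the seed off the PIN.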