Implementing Android-based fingerprint authentication for online payments
Although biometric-based methods for verifying a mobile user’s identity during online transactions have been talked about for quite a while, recent innovations in online authentication are making them a reality.
At the Mobile World Congress earlier this year, PayPal announced a partnership with Samsung to make the Android-based Galaxy S5 the first mobile handset that allows people to shop and pay in a store or on their mobile device using just a fingerprint for authentication.
The purpose of this article is to show you a few pieces of the technology that’s making fingerprint authentication for payments a reality:
- Galaxy S5 authentication technology consists of hardware that uniquely recognizes a fingerprint and maps that information to a unique identifier. The identifier is then used to generate cryptographic keys that can be shared with applications to identify the user. Hence the fingerprint never leaves the device, and the cryptographic keys are per application, protecting the user’s privacy across apps.
- The FIDO (Fast IDentity Online) Alliance Universal Authentication Framework is used to link single-sign-on (SSO) registration on a device to servers at the online datacenter; and
- The underlying code and software that PayPal has developed to link a PayPal account with biometric technology on the device to FIDO registration.
FIDO Universal Authentication Framework
What’s making PayPal’s fingerprint authentication possible is our partnership with the FIDO Alliance and its specification called the Universal Authentication Framework (UAF).
The FIDO Alliance was formed last year to address the lack of interoperability among strong authentication devices and the problems users face in creating and remembering multiple usernames and passwords.
The password-less UAF protocol allows mobile device users to register their devices to the online service by selecting a local authentication mechanism such as swiping a finger, looking at the camera, speaking into the mic, or entering a PIN. The UAF protocol allows the service to select which mechanisms are presented to the user.
Once registered, the user simply repeats the local authentication action whenever they need to authenticate to the service. The user no longer needs to enter their password when authenticating from that device. UAF also allows experiences that combine multiple authentication mechanisms such as fingerprint + PIN.
PayPal’s Fingerprint Authentication design
To link fingerprint authentication into the overall FIDO framework required PayPal to implement two major elements.
As shown in Figure 1, the major components that reside on the device are:
- Android Account Manager – Centralized registry of the user’s online accounts
- PayPal Authenticator – PayPal’s authenticator, which manages authentication tokens
- FIDO Client & Authenticators – Biometric authentication mechanisms on the device
- PayPal Mobile App – PayPal’s Mobile Wallet Application software
- Apps enabled with PayPal Mobile SDK
The major components in the PayPal datacenter are:
- Authentication & Authorization Server – Validates credentials and assertions and issues access tokens
- Credentials Management Server – Interfaces to link and de-link biometric authenticators with PayPal accounts
- FIDO Server – Validation of FIDO Client generated binding and authentication assertions
In the diagram above, Steps 1a and 1b represent the request by the respective application to get an authenticated token (i.e., access token) to call PayPal Services. The Android Account Manager identifies and instantiates the PayPal Authenticator, and forwards the request, as you’ll see in Step 2.
Then the PayPal Authenticator authenticates the user by prompting for email/password or phone/PIN, or by requesting the FIDO Client (Step 3) to complete one of the biometric authenticator schemes (fingerprint in this case). For FIDO authentication, an authentication challenge request/response takes place in the background (for device and FIDO authenticator validation) before the user is asked to swipe their finger; this exchange is not shown in the diagram above.
Another cool feature is that a user’s fingerprint, or any of its characteristics, never leaves the device (or in other words the FIDO Authenticator). The fingerprint is turned into an encryption key stored in a secure place on the phone. What is being exchanged are cryptographic keys and signatures that completely anonymize the physical identity of the user. These keys are exchanged during the FIDO registration process, Steps 2a, 2b, and 2c.
Once the user’s credentials or the FIDO authentication result have been successfully obtained from the FIDO Client, the PayPal Authenticator connects with PayPal’s authentication & authorization service, Step 4 in the diagram above. An access token is then returned to the PayPal Authenticator, which returns the same access token to the calling application. The application can then make calls to PayPal APIs with this access token, Step 5 in the diagram above.
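To make the registration and challenge/response flow concrete, here is an added simulation of the two sides of the exchange; it is example code written for this article, not PayPal's, Samsung's or the FIDO Alliance's implementation. The device-side authenticator keeps one private key per application and releases only the public key (at registration) and signatures over server challenges (at authentication), so nothing derived from the fingerprint crosses the network; the fingerprint check itself is stood in for by a `fingerprint_ok` flag. Textbook RSA with a Miller-Rabin prime generator replaces the authenticator's real signature scheme purely so the script runs on the Python standard library (it is not suitable for production use), and the user, application identifiers and class names are assumptions. Beyond the flow the article describes, the example also shows the two checks a FIDO server relies on: a challenge can be consumed only once (replay is rejected) and a signature made under one application's key is rejected for another application.

```python
"""Simulated FIDO-UAF style registration and challenge/response authentication.

Added example for this article; not PayPal's or the FIDO Alliance's code.
Toy RSA stands in for the authenticator's real signature scheme so that the
script needs only the standard library. Do not reuse the RSA parts in production.
"""
import hashlib
import random
import secrets

SYS_RAND = random.SystemRandom()


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(SYS_RAND.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    while True:
        candidate = SYS_RAND.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def rsa_keypair(bits=512):
    """Return ((e, n), (d, n)); toy sizes, demonstration only."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (e, p * q), (pow(e, -1, phi), p * q)


def _digest(app_id, challenge):
    # The signed message binds the challenge to the application identifier.
    return int.from_bytes(hashlib.sha256(app_id.encode() + b"|" + challenge).digest(), "big")


class Authenticator:
    """Device-side FIDO authenticator: one private key per application (assumed design)."""

    def __init__(self):
        self._keys = {}  # app_id -> private key; never leaves the device

    def register(self, app_id, fingerprint_ok):
        if not fingerprint_ok:
            raise PermissionError("local user verification failed")
        pub, priv = rsa_keypair()
        self._keys[app_id] = priv
        return pub  # only the public key is sent to the server

    def sign_challenge(self, app_id, challenge, fingerprint_ok):
        if not fingerprint_ok:
            raise PermissionError("local user verification failed")
        d, n = self._keys[app_id]
        return pow(_digest(app_id, challenge), d, n)


class FidoServer:
    """Server side: stores registered public keys and validates signed challenges."""

    def __init__(self):
        self._registered = {}  # (user, app_id) -> public key
        self._pending = {}     # challenge -> (user, app_id) it was issued for

    def register(self, user, app_id, public_key):
        self._registered[(user, app_id)] = public_key

    def issue_challenge(self, user, app_id):
        challenge = secrets.token_bytes(32)
        self._pending[challenge] = (user, app_id)
        return challenge

    def verify(self, user, app_id, challenge, signature):
        # Challenge must be outstanding and bound to this user/app; pop() makes it single-use.
        if self._pending.pop(challenge, None) != (user, app_id):
            return False
        public_key = self._registered.get((user, app_id))
        if public_key is None:
            return False
        e, n = public_key
        return pow(signature, e, n) == _digest(app_id, challenge)


def run_flow():
    """Registration, a genuine authentication, a replay and a cross-app signature (constructed data)."""
    auth, server = Authenticator(), FidoServer()
    user, wallet, merchant = "alice@example.com", "com.example.wallet", "com.example.merchant"
    for app in (wallet, merchant):
        server.register(user, app, auth.register(app, fingerprint_ok=True))
    results = {}
    ch = server.issue_challenge(user, wallet)
    sig = auth.sign_challenge(wallet, ch, fingerprint_ok=True)
    results["genuine"] = server.verify(user, wallet, ch, sig)
    results["replay"] = server.verify(user, wallet, ch, sig)          # same challenge again
    ch2 = server.issue_challenge(user, merchant)
    sig2 = auth.sign_challenge(wallet, ch2, fingerprint_ok=True)      # wallet key, merchant challenge
    results["cross_app"] = server.verify(user, merchant, ch2, sig2)
    try:
        auth.sign_challenge(wallet, ch2, fingerprint_ok=False)
        results["no_fingerprint_blocked"] = False
    except PermissionError:
        results["no_fingerprint_blocked"] = True
    return results


if __name__ == "__main__":
    print(run_flow())
```

Two design points carry over to a real deployment: the server never learns anything about the biometric, only a public key and signatures, and the replay and cross-application rejections come from server-side state (single-use challenges bound to a user and application) rather than from anything the client promises.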