Implementing Android-based fingerprint authentication for online payments -

Implementing Android-based fingerprint authentication for online payments


Although biometric-based methods for verifying a mobile user’s identity when doing online transactions has been talked about for quite a while, recent innovations in online authentication are making it a reality.

At the Mobile World Congress earlier this year, PayPal announced a partnership with Samsung to make the Android-based Galaxy S5 the first mobile handset that allows people to shop and pay in a store or on their mobile device using just a fingerprint for authentication.

The purpose of this article is to show you a few pieces of the technology that’s making fingerprint authentication for payments a reality:

  1. Galaxy S5 authentication technology consists of hardware that uniquely recognizes fingerprint and maps that information to a unique identifier. The identifier is then used to generate cryptographic keys that can be shared with applications to identify the user. Hence the fingerprint never leaves the device, and the cryptographic keys are per application, protecting user’s privacy across apps.
  2. The FIDO (Fast IDentity Online) Alliance Universal Authentication Framework is used to link single-sign-on (SSO) registration on a device to servers at the online datacenter; and
  3. The underling code and software that PayPal has developed to link a PayPal account with biometric technology on the device to FIDO registration.

FIDO Universal Authentication Framework
What’s making PayPal’s fingerprint authentication possible is our partnership with FIDO Alliance specifications, called the Universal Authentication Framework (UAF ).

The FIDO Alliance was formed last year to address the lack of interoperability among strong authentication devices and the problems users face in creating and remembering multiple usernames and passwords.

The password-less UAF protocol allows mobile device users to register their devices to the online service by selecting a local authentication mechanism such as swiping a finger, looking at the camera, speaking into the mic, or entering a PIN. The UAF protocol allows the service to select which mechanisms are presented to the user.

Once registered, the user simply repeats the local authentication action whenever they need to authenticate to the service. The user no longer needs to enter their password when authenticating from that device. UAF also allows experiences that combine multiple authentication mechanisms such as fingerprint + PIN.

PayPal’s Fingerprint Authentication design
To link fingerprint authentication into the overall FIDO framework required PayPal to implement two major elements.

As shown in Figure 1 , the major components that reside on the device are:

The major components in the PayPal datacenter are:

  • Authentication & Authorization Server – Validates credentials and assertions and issues access tokens
  • Credentials Management Server – Interfaces to link and de-link biometric authenticators with PayPal accounts
  • FIDO Server – Validation of FIDO Client generated binding and authentication assertions

Figure 1: PayPal Fingerprint Authentication architecture

In the diagram above, Steps 1a and 1b represent the request by the respective application to get an authenticated token (i.e., access token) to call PayPal Services. The Android Account Manager identifies and instantiates the PayPal Authenticator, and forwards the request, as you’ll see in Step 2 .

Then the PayPal Authenticator authenticates the user by prompting for email/password, phone/pin, or requesting FIDO Client Step 3 to complete one of the biometric authenticator schemes (fingerprint in this case). For FIDO authentication, there is an authentication challenge request/request in the background (for device and FIDO authenticator validation) that is not shown in the diagram above before the user is asked to swipe his finger.

Another cool feature is that a user’s fingerprint, or any of its characteristics, never leaves the device (or in other words the FIDO Authenticator). The fingerprint is turned into an encryption key stored in a secure place on the phone. What is being exchanged are cryptographic keys and signatures that completely anomalies the physical identities of the user. These keys are exchanged during the FIDO registration process, Steps 2a, 2b, and 2c .

Once the user’s credentials or FIDO authentication request have been successfully obtained, from the FIDO client the PayPal Authenticator connects with PayPal’s authentication & authorization service, Step 4 in the diagram above. An access token is then returned to the PayPal Authenticator, which returns the same access token to the calling Application. The application can then make calls to PayPal APIs with this access token, Step 5 in the diagram above.
FIDO Registration
We’ve reached a crucial step in enablingfingerprint authentication. We need to link (i.e., bind) a user’s PayPalaccount to the FIDO Client/Authenticator on the device. This step hasto be completed by the user by selecting “Pay with PayPal” in theFingerprint Settings on the device. Here, we have decided to use a webapplication rather than a native app as it provides more flexibility inchanging the content.

It also allows us to re-use the useronboarding web app to create a PayPal account if they don’t have one.During the user onboarding at PayPal, the information collected on usersdepends on the country and type of account. As we rapidly expand ourrollout globally the choice of web application was clear.

Whenlaunching the web application on the WebView, the user has to eitherauthenticate (email/password or phone/pin) or create a new PayPalaccount. Having successfully authenticated, the user can now bind theirfingerprint authentication to the PayPal account. The WebView bundlesFIDO Client plugin, which allows the web application to interact withthe FIDO Client.

Following the FIDO specification, a PreBindchallenge request/response is performed, and after the user hasconfirmed to bind their fingerprint authentication to PayPal account,cryptographic keys are exchanged between the FIDO Client and PayPalCredential Management Service.

At the end of the exchange, theFIDO Client has a unique identifier for the user and a user-friendlydisplay name, which is their primary email address. At PayPal, a uniquepublic key, provided by the FIDO Client (after cryptographicverification) along with the unique identifier for the user and devicefingerprints are maintained. During authentication the proof of privatekey, user’s unique identifier, and device fingerprints must match.

Single sign-on
Acommon problem we face is that end users have to log in to PayPalmultiple times in order to make purchases across several merchantapplications on their device. With fingerprint authentication on theGalaxy S5 and PayPal Authenticator you have the option of remaininglogged in to PayPal and we will let you shop and pay for a certainamount of time before you need to authenticate again.

This meansusers can shop on multiple websites and not have to continuously login. A user is remembered on the device, making it simpler to just swipe afinger for authentication, or to enter password or PIN if the userprefers.

This is achieved by maintaining an authentication token (called id_token )in PayPal Authenticator and using it to obtain an access token forindividual apps. So as long as the authentication token is valid, theuser does not have to re-authenticate. Here we have extended OAuth and OpenID Connect protocols for device verification, reusing the concepts of access token and id_token.

You can see these interactions in Step 4 of the diagram. We wanted to make sure the user has complete controlover this experience. They can turn off keep-me-logged-in, in which casethe id_token would not be returned.

Security is the primaryfocus. The id_token has a short timeout interval which gets invalidatedwhen the user authenticates from another device, or if the deviceverification fails during the exchange for an access token. Similarlythe issued access token has a short timeout feature and is scoped for aspecific application with limited permissions. These tokens areabstracted from application developers by PayPal’s mobile SDK, whichprovides simple APIs to process payments that hide these complexities.

In addition to access token and id_token to support “remember me,” the concept of refresh token is utilized, and the same is returned after successful authentication in Step 4 . Using refresh token, following the OAuth spec on refresh_token grant type request, an access token for an app can be obtained. We’ve limitedthese scopes to simple permissions like managing coupons, shop-list,etc. We see these permissions growing in the future, depending on deviceverification technologies and users’ opt-in options. The refresh tokenis also abstracted from the application developers by our mobile SDK.

Processing payments
UsingPayPal’s mobile SDK integration with Android’s Account Manager forauthentication tokens, we can help Partner and Merchant Androidapplications to seamlessly process payments and access other PayPalservices. The complexities of calling Account Manager and managingtokens are abstracted by the mobile SDK. In the code below, here’s aglimpse of what you call in our mobile SDK to get the tokens to enablefingerprint authentication.

This is sample code to process a one-time payment.

public void onBuyPressed(View pressed) {
  // PAYMENT_INTENT_SALE will cause the payment to complete immediately.
  // Change PAYMENT_INTENT_SALE to PAYMENT_INTENT_AUTHORIZE to only authorize payment and
  // capture funds later.
  PayPalPayment payment = new PayPalPayment(new BigDecimal(“1.75”), “USD”, “hipster jeans”,
  Intent intent = new Intent(this, PaymentActivity.class);
  intent.putExtra(PaymentActivity.EXTRA_PAYMENT, payment);
  startActivityForResult(intent, 0);

Forthe application developer, the fingerprint authentication andsingle-sign-on should work seamlessly provided the right version of themobile SDK is bundled with the app. No additional calls or setup isrequired to enable this feature. But the user does have the control toenable/disable fingerprint authentication and to remain authenticatedfor single-sign-on to multiple apps.

Biometrics technologies aregoing to become more common in our everyday lives. We’re going to beposting a series on working with fingerprint authentication, exploringtopics like web browser integration to customizable login display overthe next few months.

Aravindan Ranganathan, Ph.D. , issenior member of the technical staff at PayPal, where his responsibilityis as the Identity Architect working on authentication andauthorization services at PayPal. Currently he is working on enhancingPayPal's authentication mechanisms for biometric and 2-factorauthentication. With experience in identity federation, API security,and web access management he has been active in the OAuth, OpenIDConnect, and SAML protocols specifications, and Identity Managementstandards in general. Previously Aravindan was at Sun Microsystems asIdentity Architect and worked on the development of OpenSSO.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.