Biometric tokenization
Biometric tokenization is the process of substituting a stored
Biometric tokenization in particular builds upon the longstanding practice of tokenization for sequestering secrets in this manner by having the secret, such as user credentials like usernames and passwords or other
The technology is most closely associated with authentication to online applications such as those running on desktop computers, mobile devices, and Internet of Things (IoT) nodes. Specific use cases include secure login, payments, physical access, management of
Origins
With the September 9, 2014 launch of its Apple Pay service,[1] Cupertino, Calif.-based Apple, Inc. initiated the conversation surrounding the use of biometric-supported tokenization of payment data for point-of-sale retail transactions. Apple Pay tokenizes mobile users' virtualized bank card data in order to wirelessly transmit a payment, represented as a token, to participating retailers that support Apple Pay (e.g. through partnerships and supported hardware). Apple Pay relies on the proprietary Touch ID fingerprint scanner of Apple's iPhone line. Aside from cryptography, it gains added security from the Apple A7 system on a chip, whose Secure Enclave hardware feature stores and protects the data from the Touch ID fingerprint sensor. Apple Pay, then, is credited with innovating in the space of biometric tokenization, at least for payments, even though the use case was limited to payment convenience and security and restricted to the company's own hardware and software, and even though executives did not publicly utter the phrase "biometric tokenization" or speak about the underlying technology.
While biometric tokenization and Apple Pay are similar, biometric tokenization as it is known today, and particularly under that exact term, is an authentication feature that goes beyond payment convenience and security. Another distinctive feature is that biometric tokenization can be implemented on other operating systems, such as OS X, Microsoft Windows, and Google Android, for password-less login to desktop and mobile applications.
Mechanics
Biometric tokenization, like its non-biometric counterpart, tokenization, utilizes
Proponents of biometric tokenization typically prefer biometric templates to be encrypted and stored in trusted execution environments (TEEs) or trusted platform modules (TPMs) so as to prevent large-scale data breaches such as the June 2015 U.S. Office of Personnel Management breach. When aided by on-device storage of user data, biometric tokenization can also preserve internet privacy, because user data are stored individually inside single devices rather than aggregated on ostensibly vulnerable servers. Moving biometric user credentials, whether for two-factor authentication or unqualified authentication, off of servers and onto devices is a tenet of the Fast Identity Online (FIDO) Alliance,[2] an industry consortium concerned with replacing passwords with decentralized biometrics.
The next step in biometric tokenization after the unlocking of user credentials in the trusted area of their device is for the credentials to be tokenized, with the token containing the precise data required for the action (e.g. login or payment). This
Information Security
To achieve the highest level of privacy and protection when calculating and transmitting sensitive information, biometric tokenization leverages existing encryption algorithms, authentication protocols, and hardware trust zones. Combining some or all of these methods maximizes the protection available to uphold the integrity of the process and the security of data whose exposure could otherwise subject users to a breach of trust on a mass scale.
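The flow described under Mechanics (a local biometric match unlocks a device-held key, which then produces a token for one specific action) can be sketched in Go with ECDSA from the list below. This is an added example, not code from the original article or from Apple or the FIDO Alliance, and it is not the UAF or U2F wire format. It assumes that the `Device` struct stands in for a TEE or Secure Enclave, that `matched` is the boolean result of the platform's biometric matcher, and that the names `Enroll`, `Challenge`, `Tokenize` and `Verify` are illustrative.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

type Device struct{ key *ecdsa.PrivateKey } // stand-in for the trusted area (TEE, Secure Enclave)
type Server struct { // holds only the public key and the challenges it has issued
	pub     *ecdsa.PublicKey
	pending map[[32]byte]bool
}

func Enroll() (*Device, *Server) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{k}, &Server{&k.PublicKey, map[[32]byte]bool{}}
}
func (s *Server) Challenge() (c [32]byte) {
	rand.Read(c[:]) // fresh random nonce per authentication attempt
	s.pending[c] = true
	return c
}

// Tokenize signs challenge||action, but only if the on-device biometric match succeeded.
func (d *Device) Tokenize(matched bool, c [32]byte, action string) ([]byte, error) {
	if !matched { // assumption: the platform matcher reports its result as a bool
		return nil, errors.New("biometric mismatch: key stays locked")
	}
	h := sha256.Sum256(append(c[:], action...))
	return ecdsa.SignASN1(rand.Reader, d.key, h[:])
}

// Verify accepts a token once, and only for the action it was signed over.
func (s *Server) Verify(c [32]byte, action string, token []byte) bool {
	defer delete(s.pending, c) // a challenge is single use, even when verification fails
	h := sha256.Sum256(append(c[:], action...))
	return s.pending[c] && ecdsa.VerifyASN1(s.pub, h[:], token)
}

func main() {
	dev, srv := Enroll()
	c := srv.Challenge()
	tok, _ := dev.Tokenize(true, c, "login")
	println("login accepted:", srv.Verify(c, "login", tok))
}
```

Neither the biometric sample nor the private key ever reaches the server, so a server-side breach exposes only public keys and spent challenges.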
Encryption Algorithms in Use
- ECDSA
- RSA
- ange
- White-box cryptography[3]
- Software Obfuscation
Authentication Protocols in Use
- Universal 2nd Factor (U2F)
- Universal Authentication Framework (UAF)[4]
- Temporary OTP
Hardware Trust Zones in Use
- Trusted Execution Environment
- ARM TrustZone[5]
- Secure Enclave[6]
References
- "Apple - Press Info - Apple Announces Apple Pay". www.apple.com. Retrieved 2016-08-15.
- "FIDO Alliance". fidoalliance.org. Retrieved 2016-08-15.
- "White-box cryptography". www.whiteboxcrypto.com. Retrieved 2016-08-15.
- "FIDO Alliance » Specifications Overview". fidoalliance.org. Retrieved 2016-08-15.
- "TrustZone - ARM". www.arm.com. Retrieved 2016-08-15.
- "Secure enclave" (PDF).