The other category of multi-factor authentication is biometrics, which has gained in popularity in recent years, especially in mobile devices. Biometric authentication is the process of using unique physiological characteristics of an individual to identify them. By confirming the biometric signature, the individual is authenticated. A very common use of this in mobile devices is fingerprint scanners to unlock the phone. This works by registering your fingerprints first using an optical sensor that captures images of the unique pattern of your fingerprint. Much like how passwords should never be stored in plain text, biometric data used for authentication should also never be stored directly. This is even more important for biometric data. Unlike passwords, biometrics are an inherent part of who someone is, so there are privacy implications to theft or leaks of biometric data. Biometric characteristics can also be super difficult to change in the event that they're compromised, unlike passwords. So instead of storing the fingerprint data directly, the data is run through a hashing algorithm, and the resulting unique hash is stored. One advantage of biometric authentication over knowledge or token based systems is that it's more reliable for identifying an individual for authentication, since biometric features aren't usually shareable. For example, you can't give your friend your fingerprints so that they can log in as you, well, you would hope not, anyway. But as schools start to introduce fingerprint-based attendance recording systems, students are finding ways to trick the system. They're creating fake fingerprints using things like glue, allowing friends to mark each other as present if they're late or if they skip school. This is harder to achieve than sharing a password, but it's sort of ingenious of these kids to think up. They really go the extra mile to skip school these days, not that I'm condoning this behavior.
Other biometric systems use features like iris scans, facial recognition, gait detection and even voice. Microsoft developed the biometric authentication system for Windows 10 called Windows Hello, which supports fingerprint identification, iris identification and facial recognition. It uses two cameras, one for color and one for infrared, which allows for depth detection. This way it's not possible to trick the system using a print out of an authorized user's face. An evolution of physical tokens is the U2F, or universal second factor. It's a standard developed jointly by Google, Yubico, and NXP Semiconductors. The finalized standard for U2F is hosted by the FIDO Alliance. U2F incorporates a challenge response mechanism along with public key cryptography to implement a more secure and more convenient second factor authentication solution. U2F tokens are referred to as security keys and are available from a range of manufacturers. Security keys are essentially small embedded crypto processors that have secure storage of asymmetric keys, and additional slots to run embedded code. Let's do a quick rundown on how exactly security keys work and how they're an improvement over an OTP solution. The first step is registration, since the security key must be registered with a site or service. At registration time, the security key generates a private public key pair unique to that site and submits the public key to the site for registration. It also binds the identity of the site with the key pair. The reason for unique key pairs for each site is privacy: if a site is compromised, this prevents cross referencing registered public keys and discovering commonalities between sites based on registration data. Once registered with the site, the next time you're prompted to authenticate, you'll be prompted for your user name and password as usual. But afterwards you'll be prompted to tap your security key.
When you physically tap the security key, it's a small check for user presence to ensure malware can't authenticate on your behalf without your knowledge. This tap will unlock the private keys stored in the security key, which are used to authenticate. The authentication happens as a challenge response process, which protects against replay attacks: the authentication session can't be used again later by an eavesdropper, because the challenge and resulting response will be different with every authentication session. What happens is the site generates a challenge, essentially some randomized data, and sends this to the client that's attempting to authenticate. The client will then select the private key matching this site, use this key to sign the challenge, and send the signed data back. The site can now verify the signature using the public key that was registered earlier. If the signature checks out, the user is authenticated. From a security perspective, this is a much more secure design than OTPs. This is because the authentication flow is protected from phishing attacks given the interactive nature of the process. Security keys are also resistant to cloning or forgery because they have unique embedded secrets on them and are protected from tampering. From the convenience perspective, this is a much nicer authentication flow compared to OTPs, since the user doesn't have to manually transcribe a string of numbers into the authentication dialog. All they have to do is tap their security key, nice and easy. As an IT support specialist, you may come across multi-factor authentication setups that you'd be responsible for supporting, you might even be tasked with helping to implement one. So it's important to understand how they provide enhanced account protection along with the options that are available.
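To make the registration and challenge response steps above concrete, here is an added Go simulation of the two parties. It is example code written for this page, not the FIDO U2F reference implementation or any vendor's firmware, and it simplifies the real protocol: the "security key" is an in-memory map of one ECDSA key pair per site origin, the "tap" is a boolean, and the message the key signs is just the origin joined to the challenge bytes (real U2F signs a structured message with counters and flags). The origin names, the user name "alice" and the 32-byte random challenge are constructed for the demo. What the code does show is the security properties the lecture describes: a fresh random challenge each session, a site that verifies with only the stored public key, a challenge that is consumed on first use so a captured signature cannot be replayed, a key that refuses to sign without user presence, and a key that has nothing to sign with for an origin it was never registered at.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SecurityKey models the token: one key pair per registered site origin,
// so two sites never see the same public key (the privacy point above).
type SecurityKey struct {
	keys map[string]*ecdsa.PrivateKey
}

func NewSecurityKey() *SecurityKey {
	return &SecurityKey{keys: map[string]*ecdsa.PrivateKey{}}
}

// Register generates a fresh P-256 key pair bound to origin and returns
// the public half for the site to store. The private half never leaves.
func (k *SecurityKey) Register(origin string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	k.keys[origin] = priv
	return &priv.PublicKey, nil
}

// signingDigest is the (simplified, assumed) message format: origin || challenge.
func signingDigest(origin string, challenge []byte) []byte {
	d := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return d[:]
}

// Sign answers a challenge for origin. userPresent models the physical tap;
// without it the key refuses, so malware on the host cannot drive it silently.
func (k *SecurityKey) Sign(origin string, challenge []byte, userPresent bool) ([]byte, error) {
	if !userPresent {
		return nil, errors.New("user presence not confirmed")
	}
	priv, ok := k.keys[origin]
	if !ok {
		// A look-alike origin was never registered, so there is no key for it.
		return nil, errors.New("no key registered for origin " + origin)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signingDigest(origin, challenge))
}

// RelyingParty models the site: it stores public keys only and one
// outstanding challenge per user.
type RelyingParty struct {
	origin  string
	pubs    map[string]*ecdsa.PublicKey
	pending map[string][]byte
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{
		origin:  origin,
		pubs:    map[string]*ecdsa.PublicKey{},
		pending: map[string][]byte{},
	}
}

// Enroll records the public key the security key produced at registration.
func (rp *RelyingParty) Enroll(user string, pub *ecdsa.PublicKey) {
	rp.pubs[user] = pub
}

// NewChallenge issues 32 fresh random bytes for this login attempt.
func (rp *RelyingParty) NewChallenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

// Verify checks sig over the outstanding challenge with the stored public key.
// The challenge is consumed whether or not the check passes, so a replayed
// signature finds nothing to match against.
func (rp *RelyingParty) Verify(user string, sig []byte) bool {
	challenge, ok := rp.pending[user]
	if !ok {
		return false
	}
	delete(rp.pending, user)
	pub, ok := rp.pubs[user]
	if !ok {
		return false
	}
	return ecdsa.VerifyASN1(pub, signingDigest(rp.origin, challenge), sig)
}

func main() {
	const site = "https://bank.example" // constructed origin for the demo
	key := NewSecurityKey()
	rp := NewRelyingParty(site)

	pub, _ := key.Register(site) // registration step
	rp.Enroll("alice", pub)

	c, _ := rp.NewChallenge("alice")
	sig, _ := key.Sign(site, c, true) // the tap
	fmt.Println("first login verifies:", rp.Verify("alice", sig))
	fmt.Println("replayed signature verifies:", rp.Verify("alice", sig))
	_, err := key.Sign("https://bank-login.example", c, true)
	fmt.Println("signing for an unregistered origin:", err)
}
```

Note that the site never holds anything that would let an attacker impersonate the user: a breach of `rp.pubs` leaks only public keys, which is the contrast with a shared OTP seed or a password hash that can be cracked offline.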