Anyone with a recent iPhone, Galaxy, or Nexus device already knows the benefits of a fast, readily-available fingerprint sensor. I love my iPhone 6S Plus if only for the fact that I no longer have to waste precious time typing in a PIN to unlock the device. Touch ID also makes buying apps on the App Store and buying groceries with Apple Pay a one-touch process.
Move back to PCs, though, and authentication turns into a nightmarish problem. In an ideal world, we’d all use password managers with unique, complex credentials for every one of our online accounts. The reality is far less than ideal. Many sites still place unsafe restrictions on the length and contents of passwords. Instead of password managers, people use Post-Its or text files on a USB drive. Every year, the most popular passwords revealed in data breaches include laughably weak phrases like “1234567” or “password.” Phishing attacks can still catch the uninformed off-guard.
The FIDO Alliance (from Fast IDentity Online) is proposing a couple of ways forward from the quagmire of plain old usernames and passwords. FIDO is a growing standards organization that already counts heavyweights like Microsoft, Lenovo, PayPal, Samsung, Visa, MasterCard, and Bank of America among its members.
Synaptics is also a member of FIDO, and it’s providing one solution for collecting that biometric information in the first place. If you’re using a Windows laptop with a touchpad, chances are you’re already familiar with Synaptics products. A couple weeks ago, we met with the company at CES and got an early look at IronVeil, the company’s fingerprint-sensing solution for the desktop.
IronVeil is a 4-mm by 10-mm sensor that could conceivably be incorporated into a range of devices. Our first look at the sensor comes by way of a pre-production Thermaltake Black V2 gaming mouse. Synaptics says the sensor completes the data acquisition and matching process in under 200 milliseconds, but all that really matters is that it feels as fast as Touch ID in use. Put your thumb on the sensor and Windows Hello logs you in with only the slightest delay. I found it far easier to use the Black V2 than typing my complex password from memory.
While putting the fingerprint sensor on a mouse is certainly a natural place to start, I hope Synaptics will work with peripheral manufacturers to encourage broader adoption of the technology on other devices, like keyboards. The company had a Corsair K70 on display at its CES booth with a similar fingerprint sensor built in, and that feels like a more natural place for this technology.
Gamers are already particular about the weight and balance of their mice, and despite its many benefits, a fingerprint sensor is extra weight that has to be pushed around. The mouse may be the most natural place for the thumb to rest, but if a user wants to register extra fingers, it’s a bit awkward to press the bottom of an index finger to the side of the mouse.
Synaptics thinks gamers will benefit from having a fingerprint sensor on board the mouse, though. The company envisions a future where common e-sports titles and online multiplayer games will use the sensor as a tool to verify that the player behind the screen is, in fact, the owner of the account. That prevents “smurfing,” where a player signs in on an account that’s not their own. It also makes e-sports betting more trustworthy by ensuring that a match isn’t somehow rigged.
For folks who want to get on board the IronVeil train, a version of the Black V2 we tested will be available in the first half of the year for about $60.
Windows 10, FIDO, and Passport
The foundation of FIDO on Windows is a Windows 10 feature called Passport. Passport can be used to implement multi-factor, password-free authentication with Active Directory, Azure Active Directory, Microsoft Accounts, or FIDO. If you’ve used Windows Hello to set up a PIN or other biometric factors like fingerprint recognition, that information is being stored with Passport.
The two main FIDO protocols are the Universal Authentication Framework (UAF) and Universal Second Factor (U2F). Put briefly, UAF provides a password-free experience like Touch ID with biometric devices, while U2F can use a number of inputs as a second factor alongside traditional usernames and passwords. A biometric signature like a user’s face or fingerprint can serve as one of those second factors.
There’s reason to hope that FIDO and Passport will become widely adopted. These technologies make large-scale thefts of user credentials from corporate information systems less appealing by doing away with passwords entirely (in the case of FIDO UAF and Passport) or making them less useful (in the case of FIDO U2F).
While client systems are, in theory, more vulnerable to attack, no images or raw biometric information are stored on the client side with either framework, and derived biometric signatures are kept encrypted on a Trusted Platform Module or in software.
FIDO and Passport also don’t exchange credentials over the network. When a user needs to authenticate with services like Active Directory, for example, these protocols rely on asymmetric cryptographic methods and tokens rather than user credentials. FIDO uses a similar principle for its information exchange. All verification is performed on the client side, making man-in-the-middle attacks more difficult.
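The exchange described above can be sketched as a public-key challenge-response login. This is an added example, not code from FIDO, Microsoft, or Synaptics, and it is a simplified model rather than the real wire format: the function names, the origin string, and the choice to sign the origin together with the challenge are assumptions made for illustration.

```javascript
// Added illustration (simplified model, not the FIDO or Passport wire format).
const { generateKeyPairSync, randomBytes, sign, verify } = require('node:crypto');
// Bytes that get signed: origin, a zero separator, then the 32-byte challenge.
const signedData = (origin, challenge) =>
  Buffer.concat([Buffer.from(origin, 'utf8'), Buffer.from([0]), challenge]);

// Client device: holds the private key; fingerMatched is the on-device match result.
function makeAuthenticator() {
  const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    publicKey, // the only value handed to the server, once, at registration
    signChallenge(challenge, origin, fingerMatched) {
      if (!fingerMatched) return null; // no local match, nothing is signed
      return sign('sha256', signedData(origin, challenge), privateKey);
    },
  };
}

// Server: stores public keys only, so a database theft yields no login secret.
function makeServer(origin) {
  const keys = new Map();    // user -> public key
  const pending = new Map(); // user -> outstanding challenge
  return {
    register(user, publicKey) { keys.set(user, publicKey); },
    newChallenge(user) {
      const challenge = randomBytes(32);
      pending.set(user, challenge);
      return challenge;
    },
    login(user, signature) {
      const challenge = pending.get(user);
      pending.delete(user); // each challenge is accepted once
      if (!challenge || !signature || !keys.has(user)) return false;
      return verify('sha256', signedData(origin, challenge), keys.get(user), signature);
    },
  };
}

// Constructed walk-through: honest login, then a replay of the same signature.
function demo() {
  const device = makeAuthenticator();
  const server = makeServer('https://shop.example');
  server.register('alice', device.publicKey);
  const sig = device.signChallenge(server.newChallenge('alice'), 'https://shop.example', true);
  const honest = server.login('alice', sig);
  server.newChallenge('alice');
  return { honest, replay: server.login('alice', sig) };
}
console.log(demo());
```

A signature captured in transit is useless against the next challenge, and a signature produced for a different origin does not verify against the real one.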
Passport can be implemented within a business more or less at a system administrator’s discretion, but FIDO still seems like it has a ways to go before it’s widely adopted. Windows Hello and Passport are important pieces of the puzzle, though, and browsers like Google Chrome already have support for FIDO U2F built in.
If manufacturers begin incorporating IronVeil (and other biometrics tech) into their peripherals, however, more consumer-facing organizations will likely begin building the back-end infrastructure needed to make the FIDO protocol work. Let’s hope these are the first steps to a less password-reliant future.