Why biometric-based FIDO2 Security Keys are preferable passwordless login solution to a non-biometric key?
ThinC-AUTH offers the most secure and cost-effective identity solution for enterprises. ThinC-AUTH features biometric based FIDO2 tokenization for IAM. Ensurity believes that a biometric-based FIDO2 solution is not only more secure, but also cost-effective in full life cycle. Let us examine the strong rationale for biometric based FIDO2 hard tokens.
A FIDO or FIDO2 hard authentication token without biometrics merely authenticates the holder of the hard token at the time of authentication; it does not necessarily authenticate the original token owner. If a token is lost or misappropriated, it can be used to easily impersonate. To mitigate this risk, FIDO2 tokens without biometrics opt for an additional PIN option. When the token is misappropriated, access could be protected since the PIN is not known to the malafide holder.
There are two key risks with the PIN option:
- PINs can be hacked by using well known methods like keylogging or screen reading. Since the user enters PIN on the host PC, it is not secure and can be misappropriate. In our case the Pin is used only in the rare case that the Biometrics don’t work – rare because we encourage a user to enroll multiple fingers.
- A denial of access attack can happen if the PIN is reset by a hacker without the knowledge of the token owner. In this the token owner may still own the key but can’t access.
- Further, it should be noted that the token owner sets the PIN (not the enterprise), and hence attribution is badly missing. Let us see why attribution is important for enterprise use cases.When an enterprise issues a hard token (without biometric) to its employee, the employee ends up setting the PIN – the PIN is stored on the device and not known to the enterprise. Now the employee could act maliciously with the token. When the enterprise would like to attribute the malicious intent to the employee, the employee could simply claim that the hard token has been used by someone else or lost and the PIN has been hacked or reset. The enterprise can’t complete the attribution in this case.
If enterprises would like to avoid the issues with user-controlled PINs and improve security and attribution, they need additional methods like password or PIN managers. While this could solve the security and attribution problems, the extra cost of external password or PIN managers is a significant burden.
It makes better sense to deploy biometric authenticated FIDO2 tokens like ThinC-AUTH, since this avoids the additional cost of password and PIN managers. The cost of a FIDO2 non-biometric token + Password/PIN manager exceeds biometric authenticated FIDO2 token like ThinC-AUTH by 2x to 3x over a 3-year period in our opinion.
We strongly recommend a biometric based FIDO2 hard token as the ideal solution over long run for not only fool-proof identity & access, but also for its cost savings over the life cycle.