Secure and simpler authentication
A next-generation of ubiquitous, phishing-resistant, strong authentication to protect the digital identity of internet users worldwide.
"Microsoft has been a preeminent advocate of FIDO Alliance's mission to move the world beyond passwords."
Why are biometric-based FIDO2 Security Keys a preferable passwordless login solution to a non-biometric key?
Ensurity's ThinC-AUTH is a privacy and security enabler: an ultra-secure, hardware-based Security Key for online identity and authentication with an onboard 360° fingerprint touch sensor.
Configurable Security Key
Strong Security Architecture
Single Key for hundreds of services
ThinC-AUTH Biometric Security Key
Security Algorithms: ECDSA, SHA-256, AES, HMAC, ECDH
Working Current: 80 mA (standby)
Working Temperature: -10°C to 45°C
Storage Temperature: -20°C to 70°C
LED Lights: 2 multi-color LEDs
Fingerprint Module in ThinC-AUTH
Image Pixels: 160 x 160 pixels, 8-bit depth
Fingerprint Sensor: Capacitive 360° touch fingerprint sensor with ultra-low power consumption
Sensor Protection: Integrated conductive bezel
Sensor Quality: Superior 3D image quality
Sensor Service Life: More than 200,000 touches
Storage: 5 fingerprint templates
False Accept Rate: <0.001%
False Reject Rate: <1%
Recognition Time: <0.6 s (for 120 finger points)
ESD Range: IEC 61000-4-2, level X, air discharge (±30 kV)
Passwordless improves security
In traditional authentication, the user types a password into the device or browser, which sends it to the server for verification. Every hop that password crosses, and the database that stores it, is a place it can be stolen. Passwordless authentication with FIDO2 works differently: no password is sent over the internet at all.
The authenticator holds a private key that never leaves it. Only a signed assertion is sent to the Relying Party (the server), which checks it against the public key it stored at registration; user verification happens on the ThinC-AUTH Security Key itself, using its fingerprint sensor. From a security perspective, there is no shared secret on the server to leak, phish or brute-force. The biometric is never sent anywhere either: only fingerprint templates are enrolled, and they are stored encrypted inside the Security Key and are not accessible for external use. This user-friendly process drastically reduces the risk of the human errors behind most credential compromises.
Inadequacy of passwords
How many times are you unable to use digital applications because you’ve forgotten your password? From dozens of passwords for everything from social media sites to shopping, company, and productivity-related platforms like Github, a large part of our day is spent dealing with passwords.
Recent research delving into passwords found that an alarming 78% of respondents use an insecure method to help remember their password, with 34% admitting to using the same password for multiple accounts.
Poor password hygiene presents a significant security risk for organizations. According to the 2019 Verizon Data Breach Investigations Report, 80% of hacking-related breaches involve compromised or weak credentials, while 29% of all breaches involved the use of stolen credentials. The consequences of a breach can be catastrophic, with the average cost of a stolen record at $148 and the total cost of a data breach averaging $3.86m: far from small numbers. Despite this, 65% of organizations do not even check employee credentials against common password lists.
Securing WWW with password-free authentication
Overcoming the reliance on passwords is not going to happen overnight, but with technological advancements, such as FIDO2, there is finally encouragement for a passwordless future.
FIDO2 is a phishing-resistant, passwordless authentication standard developed jointly by the FIDO Alliance and the World Wide Web Consortium (W3C); the goal of the project was to create a strong authentication standard for the web. In March 2019, W3C published WebAuthn as an official web standard (a W3C Recommendation) for password-free login. At its core, FIDO2 is the combination of the W3C WebAuthn standard, which a website uses to talk to the browser, and the FIDO Client to Authenticator Protocol (CTAP), which the browser or operating system uses to talk to the security key.
How does FIDO2 work?
There are three major players in the FIDO2 workflow:
- The WebAuthn Relying Party (the website we are authenticating to)
- The client (the browser or operating system), which relays messages between the other two and records the origin of the request
- The FIDO2 Authenticator (the ThinC-AUTH Biometric Security Key)
Here is how it generally works. Registration enrols a new Security Key with your account for future use; authentication uses that Key to prove your identity.
- The user sets a PIN and enrols fingerprints on ThinC-AUTH. Setup is built into Windows 10 version 1903; for other operating systems, the user can download the ThinC Tool from www.ensurity.com.
- The user visits a FIDO2-enabled website, enables two-factor authentication and registers the FIDO2 Security Key. The authenticator generates a new key pair scoped to that website; the private key stays on the key, and only the public key and a credential ID go to the server.
- For login, the user visits the website and clicks the login button.
- The server generates a fresh random challenge and sends the browser the list of credential IDs registered to the user, along with hints about the authenticator (for example whether it connects over USB or BLE).
- The browser asks the authenticator to sign the challenge, passing along the site's origin.
- The authenticator asks the user to touch its 360° biometric sensor to verify them.
- A signed assertion is created with the private key and sent to the Relying Party for verification.
- The Relying Party checks that the assertion carries the expected origin and challenge and that the signature verifies with the registered public key; if everything is valid, authentication succeeds. If not, it is refused. Because the browser writes the real origin into the signed data and only offers credentials registered for that site, a lookalike phishing domain cannot obtain a valid assertion.
- Enroll your fingerprints on the device. You can use the built-in configuration tool in Windows 10 version 1903 or download a configuration tool from the Ensurity website: https://thinc.ensurity.com/#downloads.
- Register your ThinC-AUTH Security Key with each account you want to secure, or activate the device by registering it with the ThinC-AUTH tool or Windows 10 version 1903.
- Whenever you sign in to your web account or Windows PC, insert the security key into a USB port and, when prompted, tap the fingerprint sensor with a registered finger to complete the authentication.
- For FIDO U2F services, the device supports unlimited registrations.
- For FIDO2 services, the device supports unlimited registrations with non-resident keys, and up to 30 for services that require a resident (discoverable) credential.
- Once fingerprints have been enrolled with the tool, the device works on its own with websites and FIDO services.
- The device works with FIDO services without the tool being installed.
ThinC-AUTH offers the most secure and cost-effective identity solution for enterprises: biometric-based FIDO2 hardware tokens for identity and access management (IAM). Ensurity believes that a biometric-based FIDO2 solution is not only more secure but also more cost-effective over its full life cycle. Let us examine the rationale for biometric-based FIDO2 hard tokens.
A FIDO or FIDO2 hard token without biometrics merely proves that the holder possessed the token at the time of authentication; it does not necessarily prove that the holder is the original owner. If such a token is lost or misappropriated, whoever holds it can impersonate the owner. To mitigate this risk, FIDO2 tokens without biometrics rely on a PIN: when the token is misappropriated, access remains protected as long as the PIN is not known to the illegitimate holder.
There are two key risks with the PIN option:
- PINs can be captured by well-known methods such as keylogging or screen reading. Because the user types the PIN on the host PC, it is exposed to whatever malware runs there, and an attacker who captures it and also obtains the key can use it. On ThinC-AUTH the PIN is used only in the rare case that the biometrics do not work, which is rare because we encourage users to enrol multiple fingers.
- A denial-of-access attack is possible if the PIN is reset, or the key is locked out by exhausting its PIN retry limit, by someone other than the owner. The owner still physically holds the key but can no longer use it.
- Further, the token owner sets the PIN (not the enterprise), so attribution is badly lacking. Here is why attribution matters for enterprise use cases. When an enterprise issues a hard token (without biometrics) to an employee, the employee sets the PIN; it is stored on the device and not known to the enterprise. Now suppose the employee acts maliciously with the token. When the enterprise tries to attribute the action to the employee, the employee can simply claim that the token was used by someone else, or was lost and its PIN captured or reset. The enterprise cannot complete the attribution.
If enterprises want to avoid the problems of user-controlled PINs and improve security and attribution, they need additional measures such as password or PIM managers. While these can solve the security and attribution problems, the extra cost of external password or PIM managers is a significant burden.
It therefore makes better sense to deploy biometrically authenticated FIDO2 tokens such as ThinC-AUTH, which avoid the additional cost of password and PIM managers. In our opinion, the cost of a non-biometric FIDO2 token plus a password/PIM manager exceeds that of a biometric FIDO2 token such as ThinC-AUTH by 2x to 3x over a 3-year period.
We strongly recommend a biometric-based FIDO2 hard token as the ideal long-run solution, not only for fool-proof identity and access but also for its cost savings over the life cycle.