Lunar New Year is a time for celebration for many people around the world, but it’s also a good opportunity for scammers, who are always trying to entice victims with the next cheap online shopping deal. A common technique scammers use is to lure a victim into installing a malware app that can then be used to phish users’ credentials, capture SMS OTPs, or even remotely control the phone to perform banking transactions.
FIDO2 passkeys are designed to resist phishing and are a good replacement for passwords and SMS OTPs. This next-generation FIDO implementation is much more convenient for users than traditional hardware token-based FIDO authenticators, as the phone itself can now be used as the authenticator. With FIDO cross-device authentication, the user can also conveniently use their phone as the authenticator to log in to web applications on their laptop.
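The phishing resistance mentioned above comes from the relying party checking that the assertion is bound to its own origin and RP ID, which a look-alike domain cannot forge. The following Python is an added illustration written for this post, not V-Key ID or V-OS code; the RP ID `bank.example`, the origin, the challenge bytes and the look-alike phishing domain `bank-example.com` are constructed values. It builds the two WebAuthn fields involved (`authenticatorData` and `clientDataJSON`) and runs the binding checks an RP performs before signature verification, which is a separate step not shown here.

```python
import base64
import hashlib
import json

# Constructed relying-party settings (assumptions for this example).
RP_ID = "bank.example"
EXPECTED_ORIGIN = "https://bank.example"
CHALLENGE = b"constructed-challenge-0001"  # the RP generates a fresh random one per login


def b64url(data: bytes) -> str:
    """Base64url without padding, as WebAuthn encodes the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_authenticator_data(rp_id: str, sign_count: int = 1) -> bytes:
    """authenticatorData = SHA-256(rpId) || flags || signCount (big-endian).
    The authenticator computes rpIdHash itself from the RP ID it scoped the key to."""
    flags = b"\x01"  # UP (user present) bit set
    return hashlib.sha256(rp_id.encode()).digest() + flags + sign_count.to_bytes(4, "big")


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """clientDataJSON is written by the browser, which fills in the real page origin."""
    return json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    ).encode()


def check_assertion_binding(authenticator_data: bytes, client_data_json: bytes,
                            expected_challenge: bytes, expected_origin: str,
                            rp_id: str) -> str:
    """Binding checks from the WebAuthn assertion verification procedure.
    Returns "ok" or the name of the first failing check."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return "bad type"
    if client_data.get("challenge") != b64url(expected_challenge):
        return "challenge mismatch"          # replayed or unsolicited assertion
    if client_data.get("origin") != expected_origin:
        return "origin mismatch"             # assertion was produced on another site
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return "rpIdHash mismatch"           # key is scoped to a different RP ID
    if not authenticator_data[32] & 0x01:
        return "user presence flag not set"
    return "ok"


def legit_assertion_check() -> str:
    """User logs in on the genuine site: browser reports the real origin."""
    auth = make_authenticator_data(RP_ID)
    cd = make_client_data(EXPECTED_ORIGIN, CHALLENGE)
    return check_assertion_binding(auth, cd, CHALLENGE, EXPECTED_ORIGIN, RP_ID)


def phished_assertion_check() -> str:
    """Same user on a look-alike domain: the browser writes that domain as the
    origin and the authenticator scopes the key to it, so the bank's RP rejects it."""
    fake_rp = "bank-example.com"
    auth = make_authenticator_data(fake_rp)
    cd = make_client_data("https://" + fake_rp, CHALLENGE)
    return check_assertion_binding(auth, cd, CHALLENGE, EXPECTED_ORIGIN, RP_ID)


if __name__ == "__main__":
    print("genuine site:", legit_assertion_check())    # ok
    print("look-alike site:", phished_assertion_check())  # origin mismatch
```

The point the example makes is that the user never has to spot the fake domain: the origin and RP ID are filled in by the browser and authenticator, not typed by the user, and the RP's check fails before any key material is involved. This is what a malware app that has to phish a password or relay an SMS OTP cannot get around with passkeys.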
However, most implementations store the FIDO private key in the Keystore/Keychain, which may not be deemed secure enough, especially if the keys are not stored in a Trusted Execution Environment (TEE). Even if the phone has a TEE (such as Secure Enclave), there is a general flaw in the architectural design which hackers can exploit. We call this design flaw the Trust Gap because the TEE has no way of determining the identity of the app and relies on the OS to do so. If the OS is compromised, the keys in the TEE can also be misused. This is an insidious and sophisticated attack as the targeted app does not even need to be running or be tampered with to be compromised.
Some passkey implementations also synchronize the authentication private key to the cloud, so that the user can restore their keys when they log in to a new phone. This means that the security of these passkeys becomes equivalent to the security of the phone manufacturer’s ID (e.g., Apple ID, Google Account, Samsung Account), since anyone who takes over the ID would have access to all of the user’s passkeys. Financial institutions cannot accept banking authentication security being reduced to the security of a phone manufacturer’s ID. Neither will phone manufacturers accept any liability for security breaches.
V-Key ID’s implementation of FIDO passkeys uses the V-OS Virtual Secure Element to protect private keys. V-OS is like a virtual TEE that provides a secure environment for cryptographic keys. Unlike the phone’s TEE, V-OS is not vulnerable to the Trust Gap issue because it is tightly bound to the app and is able to scan for app tampering and runtime attacks. With V-Key ID, the V-OS protected passkeys also do not need to be synchronized to the cloud, as fresh keys can be created when the user logs in with their face on a new device. This unique combination of privacy-enabled facial biometrics and a secure passkey vault (V-OS) positions V-Key ID well as the future of mobile authentication.
As we move into the Lunar New Year, it’s an ideal time to strengthen your security measures and protect your business from online threats. Wishing you a prosperous and secure Year of the Snake ahead.