How to close the security gap in installing passkeys on mobile devices
The arms race between fraud fighters and hackers continues to intensify. Recently, AWS announced that it is stepping up its security practice by adding passkeys to the list of accepted multi-factor authentication (MFA) methods for root and AWS Identity and Access Management (IAM) users.
Fast Identity Online (FIDO) standards-based passkeys have been around for a while but have recently garnered renewed attention in light of the rising incidence of data breaches and exposed access credentials. A passkey is an asymmetric key pair (one private key and one public key) generated for the device when it is registered as a trusted device for accessing digital services, websites, and apps. The private key is stored in the secure enclave of the trusted device, or in a password manager; the public key is stored with the enterprise or domain that manages the service.
Because the randomly generated keys are long and complex, and are encrypted and stored securely, they are difficult for attackers to retrieve, which makes them highly resistant to phishing scams and credential-theft attacks.
While passkeys are versatile and can be implemented for a wide variety of devices, there is a security gap that should be addressed before pairing the device with the accounts, especially for mobile devices: how to verify that this device indeed belongs to the consumer who owns the account(s) being accessed. Passkeys are a relatively new technology, so consumer accounts created long ago with a username and password should go through a verification process before the device is granted trusted access to those accounts.
This can be easily achieved with Zumigo Assure Authentication when registering mobile devices for passkeys to access native as well as web-hosted apps across different platforms.
Using a mobile phone number, a consumer's phone possession and ownership can be authenticated and verified, preventing a device that is not possessed or owned by the account owner from being trusted. Common methods include silent network authentication (SNA), where the mobile phone number is verified passively from the phone's cellular connection with the mobile network operator (MNO) and checked against what is on file, and one-time passcode (OTP), where a code is sent via SMS text for the user to enter on the app screen.
Zumigo Assure Authentication works as follows:
- When a consumer accesses a mobile app for the first time, the consumer signs in with their username and password to verify account credentials.
- The consumer also enters their mobile phone number for Zumigo to authenticate against the carrier-assigned phone number and validate ownership, using SNA or OTP.
- After verification, the SDK generates an asymmetric key pair. The private key is stored in the secure enclave and the public key, now associated with the verified mobile number, is securely stored by the enterprise.
- Subsequent logins via the same device will use the private asymmetric key stored in the trusted device’s secure enclave and bypass the username/password sign-in process, resulting in a frictionless consumer experience.
In the event of account or device changes, or if the transaction is high-value or high-risk, Zumigo can also orchestrate identity document verification (IDV) with a biometric selfie that includes a liveness check for step-up authentication.
In today's high-risk environment, hackers are always exploiting whatever vulnerabilities they can find. When we leave security gaps unresolved, even the strongest high-security lock can become useless and easy to pick.
Yu-Ting Huang is Sr. Director of Marketing at Zumigo. Comment or question? Find her on LinkedIn.