1. Startseite
  2. Blog
  3. Using biometrics for authentication in Android
September 18, 2020

Using biometrics for authentication in Android

Joel Snyder

Mobile device users are now favoring biometric authentication such as fingerprint sensors to unlock their smartphones and tablets, mainly because they speed and simplify the unlocking process while reducing the cognitive burden of remembering multiple long passwords.

Additionally, proper use of biometrics increases security: passwords are easy to steal, while faking biometrics is much more difficult. The result is a technology that is ideal for providing role-based access controls and high levels of trust for business users.

Here’s a detailed look at how biometrics work, how data encryption fits in, and what business leaders should look for to keep security high while delivering the convenience that users want. How exactly do all of the elements of biometrics come together in Android to provide a heightened security offering?

 

How biometrics work

The first step to understanding biometrics is to realize the biometrics are not being saved in the network or passed around between devices and servers. Instead, biometrics are used to lock up and protect other authentication information — usually a digital certificate private key — and it’s the “protected” information that is actually being used to authenticate the user.

Android v6 (“Marshmallow”) introduced a standardized API for biometrics, focusing on fingerprint readers. Companies looking to leverage biometrics as part of authentication can depend on having a common set of services, a high level of security, and a consistent user experience across platforms.

The key requirement in Android is that fingerprint biometrics have to be stored in the Trusted Execution Environment (TEE). This means that the biometric information is encrypted and stored in a separate part of the smartphone, completely inaccessible to the regular operating system. They can’t even be exported. Android can ask the TEE to validate an identity using biometrics, but cannot extract the biometric information. This means that when the user stores their biometric information, such as a fingerprint, they are not sharing that information outside of their own smartphone or tablet. They are just establishing a way to identify themselves to their device.

 

Implementing biometrics in the enterprise

Using fingerprints to authenticate the user to their own phone is just one use of biometrics. Companies can think beyond unlock screens for their employees. For example, some types of password vaults can be unlocked with biometrics, simplifying the process and encouraging their use.

An even more advanced use combines the TEE, biometrics, and application-specific authentication information to give users the experience of using their fingerprint to log onto online services. The FIDO (Fast Identification Online) Alliance has developed a standard to optimize exactly that: converting biometric authentication of an end-user to application-friendly user authentication. Android 7.0 (“Nougat”) is certified as compatible with FIDO2, which means that most Android devices are ready, out of the box or with a quick software update, to use biometrics (or other FIDO-compatible security hardware) to eliminate the use of passwords for many websites and applications.

While Android, the client, is important, it’s even more critical that FIDO Alliance’s FIDO2 protocols are supported by online services and browsers. Major vendors, including Google, Dropbox, Facebook, Paypal, Salesforce, Bitbucket and GitHub, and major browsers such as Google Chrome, all support FIDO2.

Samsung Pass is an example of a service that is based on the FIDO specifications. Samsung Pass enables strong authentication across applications using biometrics combined with a cloud-based service provided by Samsung. With Samsung Pass, smartphone users can lock up multiple sets of authentication credentials (from both public and private enterprise services) with their fingerprint, facial recognition or iris scan. Samsung Pass simplifies the user experience, but uses highly secure authentication systems based on digital certificates so that end users can keep their strong authentication credentials locked up with biometrics, reduce their use of insecure passwords, and speed authentication to applications.

 

Advancing and evaluating biometric technology

Of course, fingerprints are only the first biometric that came to smartphones. Vendors such as Samsung have added other biometrics such as face and iris scanning to their devices.

For iris scanning, Samsung smartphones like the Galaxy S9 and Note9 made use of a separate infrared camera and “flash” for the iris that is only connected to the TrustZone-based TEE. This eliminates the possibility that untrusted software can grab an iris scan. The scans are processed by a trusted application in the TEE, and only the processed hash of the scan is stored, eliminating the possibility that the raw data can be extracted by any software running outside of the TEE.

Fingerprint readers are getting their own innovations too. For example, Samsung’s Galaxy S10, Note10 and S20 series include an ultrasonic fingerprint sensor. Built into the display, the sensor detects the ridges and valleys of the fingerprint directly through the glass by bouncing off ultrasonic pulses. This new style of reader is fast and popular with users, because they no longer have to find the capacitive sensor on the back.

 

Addressing standards

Businesses with BYOD or CYOD policies should carefully evaluate biometrics on Android smartphones when choosing vendors and technologies. This will help reduce the risk of introducing the kinds of security vulnerabilities that came with the initial implementations of fingerprint readers. Following standards such as FIDO’s U2F will help reduce the risk of insecure implementation.

When enabling newer biometrics, look for a clear statement from the manufacturer on how the data is stored and verified. Data should be stored in an encrypted or hashed format eliminating the possibility of decryption, even by privileged applications.

Android devices should make use of specialized hardware and TEE with live biometric data, to ensure that malware can’t tamper with the data or interfere with the process, creating safer options for businesses interested in top security measures for their growing workforce.

 

Learn more about how Samsung mobile devices are Secured by Knox. And read about businesses that are succeeding with Knox solutions.

Dies könnte Ihnen auch gefallen:
ZUM BLOG →
Knox for Business
Get to know the Knox Asset Intelligence Security Center
We are excited to announce the official launch of our Knox Asset Intelligence Security Center for all Samsung Knox customers.
April 9, 2024
News
Making license registration easier for Knox customers
If you’re a Knox customer, the days where you have to manually enter license keys in your Knox Admin Portal have come to an end.
April 8, 2024
Product Updates
Knox cloud service 24.04 release
Learn more about the latest features in the latest Knox cloud service release.
April 5, 2024
[Icon] schließen

Erste Schritte mit Samsung Knox

[Icon] Koffer
Sind Sie Fachhändler, Lösungsanbieter oder Serviceanbieter?

Werden Sie Knox Partner und bauen Sie Ihr Geschäft noch heute aus.

[Icon] Info

Wählen Sie ein Knox-Produkt aus, mit dem Sie beginnen möchten:

Paket-Komplettlösung
Knox Suite
Rebranding und Anpassung
Knox Configure
Schutz vor Betrug und Diebstahl
Knox Guard
Geräteschutz-Tarif
Samsung Care+ for Business
Sonstige Produkte und Leistungen

Erste Schritte mit

[Image] Knox Suite

Komplettlösung für Unternehmensmobilität.

  • Sichern Sie sich eine kostenlose 90-Tage-Testversion für bis zu 30 Geräte.
  • Eine vollständige Auswahl an Tools für die Sicherung, Bereitstellung, Verwaltung und Analyse der Geräte Ihres Unternehmens.
  • Testen Sie die leistungsstarken Funktionen der Knox Suite.

Knox Suite umfasst:

Knox Mobile Enrollment Kostenlos
Knox Manage
Knox E-FOTA
Knox Asset Intelligence
Knox Platform for Enterprise Kostenlos
Fernsupport für Knox
Knox Capture
Knox Authentication Manager

Erste Schritte mit

[Image] Knox Configure-Logo

Umbenennen und Anpassen Ihrer Samsung Geräte.

  • Sichern Sie sich eine kostenlose 90-Tage-Testversion für bis zu 30 Geräte.
  • Konfigurieren Sie mehrere Samsung Geräte gleichzeitig per Fernzugriff und passen sie die Geräte an Ihre persönlichen Bedürfnisse, damit sie sofort einsatzbereit sind.
  • Richten Sie Ihre Geräte für eine einmalige Bereitstellung ein, oder aktualisieren Sie sie so oft Sie möchten.

Erste Schritte mit

[Icon] Knox Guard-Logo

Betrugs- und Diebstahlschutz für Samsung Geräte.

  • Sichern Sie sich eine kostenlose 90-Tage-Testversion für bis zu 30 Geräte.
  • Geringere finanzielle Risiken und Schutz Ihrer Vermögenswerte durch Fernsteuerung von Samsung Geräten.
  • Testen Sie alle Funktionen von Knox Guard, einschließlich der SIM-Steuerung oder der Gerätesperrung.

Erste Schritte mit

[Image] Samsung Care Plus For Business-Logo

Geräteschutz-Tarife für Ihre Geräte von Samsung.

  • Verringern Sie Betriebsunterbrechungen mit schnellen Reparaturen und Austausch von Geräten. Wenden Sie sich zum Durchstarten an das Samsung Vertriebsteam.
  • Alle Informationen über die Abdeckung und Ihre Ansprüche an einem zentralen Ort einsehen.
  • Sie haben Samsung Care+ for Business bereits gekauft? Erstellen Sie ein Konto und aktivieren Sie einen Tarif über die Samsung Care+ for Business-Konsole.

Sonstige Produkte und Leistungen

[Image] Sonstige Logos

Moderne Lösungen für Ihre individuellen Ansprüche.

  • Profitieren Sie von effizientem technischen Support durch einen fest zugeordneten Kundenbetreuer mit Enterprise Tech Support.
  • Erstellen Sie maßgeschneiderte Geräte für Ihr Unternehmen mit dem Samsung Software Customization Service.
VERTRIEB KONTAKTIEREN