Jackson for HMS Core


How Can Password-free Identity Verification Safeguard User Privacy?

Passwords are the default identity verification method on the Internet, but a wide range of other methods such as dynamic tokens, SMS verification codes, and biometric authentication have emerged, as awareness of password theft has grown among both developers and users. This article discusses the security risks associated with several common identity verification methods, and provides developers with a better solution.

Security risks of common identity verification methods are as follows:

  • Traditional account and password verification (static password)

This is the most common identity verification method, but not the most secure.

  1. Because passwords are chosen for convenience, users tend to pick ones that are easy to remember, such as letters and digits of personal significance, phone numbers, or birthdays. Such passwords are vulnerable to brute-force cracking.

  2. Users also tend to reuse the same account names and passwords across multiple platforms, so a password stolen from one platform lets the attacker mount credential stuffing attacks against the others.

  3. Hackers steal user accounts and passwords through a range of illegal methods, such as phishing: the attacker sets up a spoofed website (for example a shopping link, a transfer page, or a copy of an official bank website) and sends its link to users. When a user opens the link and enters their account name and password, the spoofed site records them and forwards them to the attacker.

  • Verification code (dynamic password)

If a malicious app on the user's device has permission to read SMS messages and call records, it can read the verification code from the SMS message without the user noticing, and thereby steal the user's identity.

  • Dynamic token (dynamic password)

Organizations usually have their own dynamic token systems, which are incompatible with each other. As a result, users usually need to carry around multiple devices, which can be inconvenient.

As you can see, both static password verification and dynamic password verification come with security risks. An ideal security solution would not be password-dependent! Fortunately, such a solution exists!

The idea of password-free sign-in was first proposed a long time ago. Contrary to what you might expect, it does not mean that no credential is required at all. Rather, it refers to replacing existing password-based verification with a new identity verification method. HMS Core FIDO builds on this idea to offer developers a next-level solution that combines local biometric authentication with fast online identity verification, and that can be applied across a wide range of scenarios, such as account sign-in and payments. In addition, a system integrity check and a key verification mechanism help ensure the trustworthiness of identity verification results. The entire process is outlined below.

[Figure: overview of the HMS Core FIDO identity verification process]

In terms of security, HMS Core FIDO frees users from the hassle of repeatedly entering account names and passwords, so that this information is not vulnerable to leaks or theft.

HMS Core FIDO does not require any secondary verification device. The app can verify user identity with just the components on the device, such as the fingerprint, 3D face, and iris sensors. If the app wants to enhance verification, the user device can be directly used as the security key hardware to complete identity verification, rather than a secondary verification device. HMS Core FIDO supports multiple verification scenarios on a single device, without requiring any additional verification device. This improves the user experience, while also reducing deployment costs for Internet service providers.

What's more, biometric data used for user identity verification is stored only on the user device itself, and can only be accessed after the user device has been unlocked, freeing users from any worry about biometric data leakage from servers.

HMS Core FIDO also helps developers optimize user experience.

HMS Core FIDO was designed with user privacy protection in mind, and thus does not provide Internet platforms with any information that can be used to trace users. When biometric authentication technology is used, user biometric data is stored only on the device itself and never transferred elsewhere. This represents a marked improvement over traditional biometric authentication, which collects and stores user biometric data on servers, which are vulnerable to leakage.

The entire identity verification process has been streamlined as well, sparing users the time and hassle of waiting to receive a verification code and having to enter a password.

Application scenarios for HMS Core FIDO

FIDO technology has been well received by device vendors and Internet service providers, such as large financial institutions and government network platforms. It has been broadly applied in financial transaction scenarios with high security requirements, such as purchase payments in apps or on e-commerce platforms, digital currency transfers, and high-value transactions in mobile banking apps. During sign-in, an app can detect whether the user's device supports HMS Core FIDO; if it does, the app can prompt the user to enable sign-in via fingerprint or 3D facial recognition, which the user can then use for all future sign-ins.

HMS Core FIDO provides global developers with open capabilities that are based on the FIDO specifications, and help Internet service providers make identity verification more streamlined and secure. FIDO, which stands for Fast Identity Online, is a set of identity verification framework protocols proposed by the FIDO Alliance. It utilizes standard public key cryptography technology to offer more powerful identity verification methods.
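To make the public-key idea concrete, here is a toy challenge-response flow in Go using Ed25519, added as an illustration and not code from HMS Core or the FIDO Alliance. It shows the two properties the article relies on: the server stores only a public key (nothing a breach or credential stuffing can reuse), and the signed challenge is bound to the origin the device is talking to, so a spoofed site relaying a real challenge gets nothing usable. The origins, the `Authenticator`/`ServerVerify` names and the simple `origin|challenge` framing are my simplifications, not the FIDO wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)
// signedData binds the server's challenge to the origin the client is actually talking to.
func signedData(origin string, challenge []byte) []byte {
	return append([]byte(origin+"|"), challenge...)
}

// Authenticator is a toy device-side store: one key pair per relying-party origin, never exported.
type Authenticator struct{ keys map[string]ed25519.PrivateKey }
// Register mints a fresh key pair for origin and returns only the public half for the server to keep.
func (a *Authenticator) Register(origin string) ed25519.PublicKey {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader does not fail in practice
	a.keys[origin] = priv
	return pub
}

// Sign answers a challenge for origin; with no credential for that origin there is nothing to sign.
func (a *Authenticator) Sign(origin string, challenge []byte) ([]byte, bool) {
	priv, ok := a.keys[origin]
	if !ok {
		return nil, false
	}
	return ed25519.Sign(priv, signedData(origin, challenge)), true
}
// ServerVerify is the relying party's check: it knows only the user's public key and its own origin.
func ServerVerify(serverOrigin string, pub ed25519.PublicKey, challenge, sig []byte) bool {
	return ed25519.Verify(pub, signedData(serverOrigin, challenge), sig)
}

// Demo runs a legitimate sign-in, then relays the same challenge through a look-alike origin.
func Demo() (legit, relayed bool) {
	const bank = "https://bank.example" // constructed origin
	dev := &Authenticator{keys: map[string]ed25519.PrivateKey{}}
	pub := dev.Register(bank) // registration: the server stores this public key and nothing secret
	challenge := make([]byte, 32)
	rand.Read(challenge) // fresh per sign-in; a real server also tracks and expires challenges
	sig, _ := dev.Sign(bank, challenge)
	legit = ServerVerify(bank, pub, challenge, sig)
	// The spoofed origin has no key on the device; any signature it got would not cover bank's origin.
	sig2, ok := dev.Sign("https://bank-example.com", challenge)
	relayed = ok && ServerVerify(bank, pub, challenge, sig2)
	return legit, relayed
}

func main() { fmt.Println(Demo()) } // true false
```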

Visit the HMS Core FIDO official website to view the development documentation and experience these next-level identity verification capabilities for yourself.
