The present disclosure relates to controlling access to secured functions of applications using biometric authentication of a user. More specifically, but not exclusively, there are described methods of securely providing access to such secured functions and user devices for carrying out such methods.
As user devices such as smartphones, tablets, laptop and desktop computers are increasingly used for sensitive operations such as payments from bank accounts and credit cards, management of financial accounts and confidential communication, means of ensuring only an authorised user can perform such operations are required.
Users are generally required to verify their identity by entering one or more items of remembered information such as a Personal Identification Number (PIN), password, passcode or answer to a security question into a user interface of the user device. However, such items of information can be difficult to remember, difficult to keep secret if recorded and readily guessable if poorly chosen.
Biometrics, the identification of individuals using (effectively) unique physical characteristics such as fingerprints, iris patterns and DNA, can also be used for verification of user identity. Biometric authentication is generally regarded as more secure than authentication with any combination of remembered secret information items, since such physical characteristics are much harder to copy and replay than remembered information. Further, the user always carries their biometric authenticators and is therefore relieved of the burden of memorising secret information items.
Biometrics generally involve collecting data relating to a user requesting access to a particular secured activity (such as use of a secured function of a computer application) from a sensor device such as a fingerprint reader or iris scanner, and comparing that data with reference data stored for one or more individuals. If the collected data is determined to match the reference data for an individual who is recorded as being authorised to access a secured activity, then access to that activity can be granted.
FIG. 1 is a schematic of a generic user device 100 with biometric functionality. Only components considered pertinent to the discussion below are shown; it is to be understood that other components typically found in user devices could also be included.
To protect the data captured, a biometric sensor device 110 such as a fingerprint sensor generally either has its own secure environment or is connected to a secure environment of a main processor 120 of a user device as shown in FIG. 1. Such a secure environment is often referred to as a Trusted Execution Environment (TEE) 130, to distinguish it from the regular (non-secure) execution environment of the main processor, often referred to as the Rich Execution Environment (REE) 140. The TEE or its equivalent generally contains a trusted operating system (OS) 131 and one or more trusted applications 132. Similarly, the REE generally contains an OS 141 (for example Android™ or iOS™) and one or more applications 142. The user device could also contain a Secure Element (SE) 150 (for example, a Subscriber Identity Module, SIM, an embedded Secure Element, eSE, or a Secure Digital, SD, card of a mobile telephone). The SE generally contains a secure OS 151 (for example a combination of JavaCard™ and Global Platform™) and one or more secure applications 152 such as cardlets. The user device can also contain other functional and structural features such as, for example, a Near Field Communication (NFC) controller 160 (e.g. for facilitating mobile payment), which could be integrated into the SE, and one or more user interface devices 170 (for example a touchscreen, keyboard, mouse, touchpad or microphone).
An application having one or more secured functions could reside in the REE (as one of applications 142), the SE (as one of applications 152), partially in the REE and partially in the SE (as a combination of one of applications 142 and one of applications 152) or in an external host accessible through a connection with an application on the user device (for example one of applications 142 of the REE). Such an application could be any biometrically authenticated application, for example a mobile payment application for facilitating face-to-face and internet payments from a debit or credit card, a loyalty application for collecting and redeeming loyalty points, or an authentication application for getting access to a service.
The output of the sensor device 101 (or associated logic of a linked trusted application 132) is generally either a single binary bit (yes/no), a percentage or another binary value indicating the confidence level of the match between the biometric data collected from a user and the reference data for an individual authorised to access the secured function the user has requested access to. If the application that provides this secured function resides outside the TEE, however, this output must be passed to that application, at least in the case that the output indicates a positive result: a biometric validation of the user. A single-bit message or a binary value expressing a confidence level is very easily spoofed by malicious third parties. Therefore some means of authenticating the origin of the biometric validation is generally provided.
Typically, a secure channel is set up between the trusted application 132 associated with the sensor device 110 and the application 142 or 152 providing access to the user-requested secured function. This can be by any suitable cryptographic technique, for example authenticating the biometric validation with a key known only to those two parties.
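As an added illustration, not part of the original disclosure, the following shows a minimal form of such an authenticated channel: the trusted application binds its verdict to a challenge from the application and authenticates it with an HMAC under a key the two parties are assumed to already share. The key value, message layout and function names are assumptions for the example.

```python
import hashlib
import hmac
import os
import struct

# Constructed example: the trusted application in the TEE and the application
# providing the secured function are assumed to already share this 32-byte key.
# How the key gets there is the problem the text goes on to discuss.
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)  # constructed

MATCH_POSITIVE = 1
MATCH_NEGATIVE = 0


def app_new_challenge():
    """Application side: a fresh random challenge so a verdict cannot be replayed."""
    return os.urandom(16)


def encode_verdict(challenge, matched, confidence_pct):
    """Fixed layout: 16-byte challenge, 1-byte verdict, 1-byte confidence (0..100)."""
    if not 0 <= confidence_pct <= 100:
        raise ValueError("confidence must be 0..100")
    return challenge + struct.pack("!BB", matched, confidence_pct)


def tee_biometric_validation(key, challenge, matched, confidence_pct):
    """Trusted application side: the verdict plus an HMAC-SHA256 tag over it.

    The tag covers the challenge, so the verdict is tied to this one request."""
    message = encode_verdict(challenge, matched, confidence_pct)
    return message, hmac.new(key, message, hashlib.sha256).digest()


def app_verify_validation(key, challenge, message, tag):
    """Application side: (accepted, confidence_pct); accepted only for a positive
    verdict whose tag verifies and which answers our own challenge."""
    if len(message) != 18 or message[:16] != challenge:
        return False, 0  # wrong length, or a reply to some other challenge
    expected = hmac.new(key, message, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False, 0  # tampered or forged verdict: tag does not match
    matched, confidence_pct = struct.unpack("!BB", message[16:])
    return matched == MATCH_POSITIVE, confidence_pct


def demo():
    """Genuine positive verdict is accepted; a negative verdict rewritten to
    positive in the REE, and a replay against a new challenge, are rejected."""
    chal = app_new_challenge()
    msg, tag = tee_biometric_validation(SHARED_KEY, chal, MATCH_POSITIVE, 97)
    genuine = app_verify_validation(SHARED_KEY, chal, msg, tag)
    neg_msg, neg_tag = tee_biometric_validation(SHARED_KEY, chal, MATCH_NEGATIVE, 12)
    tampered = app_verify_validation(SHARED_KEY, chal, encode_verdict(chal, MATCH_POSITIVE, 12), neg_tag)
    replayed = app_verify_validation(SHARED_KEY, app_new_challenge(), msg, tag)
    return genuine, tampered, replayed
```

Without the tag, the verdict is just the bare bit or percentage the text describes, and the application has nothing to check.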
However, the TEE is generally not provided by the same entity as the application 142 or 152 providing access to the user-requested secured function and is generally not provided at the same time. The former is generally incorporated into the user device by the manufacturer before it is issued to the user, while the latter is generally an optional add-on which the user purchases from or signs up for with the secured function provider (for example their bank, credit card provider or email provider) at a later date. This situation causes a number of problems with setting up of the secure channel.
Firstly, the channel is vulnerable to man-in-the-middle attacks since, before it can be used, the key must be exchanged between the trusted application 132 associated with the sensor device 101 and the application 142 or 152 providing access to the user-requested secured function. Key exchange mechanisms are well known in the industry, but require complicated processing and signalling which take time and power to complete, both valuable resources for user devices, especially mobile devices which are generally battery-powered.
Secondly, application 142 or 152 providing access to the secured function might not have such a key exchange mechanism pre-programmed, so a modification to the application could be required.
Thirdly, in order to facilitate key exchange, significant collaboration (for example standardisation of the key exchange mechanism, key distribution etc.) is required between the entities providing the TEE and the application 142 or 152 providing access to the user-requested secured function. Such collaboration is not always easy or desirable.
What is needed is a method of biometrically authenticating a user for use of a secured function which does not require modification to an application providing access to that secured function and which does not require cryptographic key exchange between a TEE and that application.