Why not all biometric authentication is created equal: local on-device auth vs. FIDO (passkeys)

Justpass
5 min read · Jul 15, 2023

Biometric authentication has become a mainstream feature in most of our devices. From banking to e-commerce apps, biometric auth is being used to verify user identities more securely and conveniently.

86 percent of mobile devices in circulation support some form of device unlock (biometrics or PIN), and we have become accustomed to the convenience of presenting our FaceID or fingerprint to log in to our banking, financial services and many other apps.

With the introduction of passkeys, the FIDO login credentials, many are wondering what FIDO authentication brings to the user journey and to the overall security of mobile authentication flows.

I. Local Authentication

When you use FaceID or a fingerprint to unlock your phone or laptop, the data you provide is verified locally.

This is why you must set up these features from scratch whenever you get a new device. When your iPhone asks you to perform an unusual neck movement during FaceID setup, or your Mac asks you to touch the fingerprint sensor repeatedly for TouchID, it is collecting what is commonly referred to as a biometric template. This template is stored in the device’s Secure Enclave (secure chip).

Figure: iOS local authentication flow (credit: Apple Developer)

This biometric template is a mathematical depiction of certain unique and easily identifiable features of your face or fingerprint. It’s essential to note that you set up these features while the device is unlocked, and once the biometric data is stored on that particular device (and only that device), you can then use your face or fingerprint to demonstrate that you’re the same individual who originally set up the device. The system doesn’t prove your identity in the legal sense — it simply provides a convenient method to access your device without inputting a PIN. If you need evidence of this, try registering one of your partner’s fingers in TouchID, and you’ll see they can unlock the device as effectively as you can.

II. FIDO Biometric Authentication

Fast Identity Online (FIDO) is a set of technology-agnostic security specifications for strong authentication. FIDO is developed by the FIDO Alliance, a consortium that includes leading tech companies like Google, Amazon, and Microsoft.

FIDO biometric authentication, like on-device authentication, uses your biometric data. However, the operation being gated by the biometric prompt is different. FIDO authentication relies on the principle of public key cryptography. When you set up FIDO authentication, your device creates a pair of cryptographic keys — a private key, which is stored on your device, and a public key, which is sent to the server.

Figure: Android passkeys flow

The private key is used to sign a challenge from the server, proving possession of the private key and thus authenticating the user. Importantly, the private key never leaves your device, and the server does not store any biometric data. Instead, the server stores the public key and uses it to verify the signature made by the private key.

Figure: FIDO authentication flow

III. Why is FIDO More Secure?

FIDO authentication has several security advantages over on-device biometric authentication.

1. Multi-factor authentication: FIDO is multi-factor by default, combining a possession factor with an inherence factor. The authentication flow uses biometrics (something you are) together with the device holding the private key (something you have), adding a further layer of security.

2. Phishing resistance: Local authentication is susceptible to man-in-the-middle attacks and MFA phishing fatigue, where the user is tricked into approving a prompt believing the authentication request comes from the genuine service. In FIDO this is impossible, because the domain that requested the registration is bound to the credential, so the key can only be used for that domain.

3. Secure device authentication: With local device authentication, the proof that the user passed the biometric check can be tampered with; in FIDO there are no shared secrets that could be compromised, because it uses public key cryptography. The private key, which signs the challenges, never leaves the user’s device, making it nearly impossible to steal.

4. Shareable FIDO credentials (passkeys) across web and mobile: Passkeys let the user use the same FIDO login credentials across devices and platforms. A user who logs in on their iOS device can frictionlessly use the same cryptographic keys to log in on their MacBook or iPad.

5. Device binding: WebAuthn/FIDO2 lets you know which device the user is using to log in to your service.
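The challenge-response flow from section II, together with the phishing-resistance and no-shared-secret points above, as an added Go example that is not part of the original post: the device-side authenticator holds a P-256 (ES256) key pair bound to one relying party, the server stores only the public key, and the signature input rpIdHash || SHA-256(clientData) is a simplification of the WebAuthn format. The domain names are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator is the device side: a P-256 key pair bound to one relying party (rpID).
type Authenticator struct {
	rpID string
	priv *ecdsa.PrivateKey
}

// Register creates the key pair on the device; only the public key is sent to the server.
func Register(rpID string) (*Authenticator, *ecdsa.PublicKey) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{rpID, priv}, &priv.PublicKey
}

// signedMessage mirrors WebAuthn: the signature covers rpIdHash || SHA-256(clientData).
func signedMessage(rpID string, clientData []byte) []byte {
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(clientData)
	h := sha256.Sum256(append(rpHash[:], cdHash[:]...))
	return h[:]
}

// NewChallenge is the server step: a fresh random challenge, accepted exactly once.
func NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	return c
}

// Assert signs the challenge after the biometric prompt, but only for the registered rpID.
func (a *Authenticator) Assert(origin string, challenge []byte) (clientData, sig []byte, err error) {
	if origin != a.rpID {
		return nil, nil, fmt.Errorf("credential bound to %q, refusing to sign for %q", a.rpID, origin)
	}
	clientData = append([]byte(origin+"|"), challenge...) // stands in for clientDataJSON
	sig, err = ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(a.rpID, clientData))
	return
}

// Verify is the server step: check origin and challenge in clientData, then the signature.
func Verify(rpID string, pub *ecdsa.PublicKey, challenge, clientData, sig []byte) bool {
	return string(clientData) == rpID+"|"+string(challenge) && ecdsa.VerifyASN1(pub, signedMessage(rpID, clientData), sig)
}
```

A look-alike domain never gets a signature, and a signature over an old challenge is rejected, which is what makes the credential both phishing-resistant and replay-resistant.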

Besides security, two of the most compelling points for transitioning to FIDO are that the UX stays as frictionless and seamless as possible, while the technology lets you leverage biometric authentication across web and mobile.

In conclusion, while on-device biometric authentication and FIDO biometric authentication may seem similar on the surface, they have fundamental differences in how they handle and transmit authentication flows. These differences have significant implications for your privacy and security, making FIDO biometric authentication the more secure option.

To quickly obtain these benefits without worrying about complex integration or cross-device issues, just make use of the JustPass authentication solution, which puts passkeys at its heart. Integrate within minutes, A/B test it without any risk in parallel to your existing authentication solution, and transition your users smartly into the passkey era. Trust me, your users will love it (and your conversion rate will prove it).

Start your passkey journey for free today!
