Mobile authentication provider Authentify is to provide a way for banks, payments networks and other secure service providers to make use of the fingerprint scanner built into the Samsung Galaxy S5 to add an extra layer of security to mobile transactions.
The fingerprint security option will be included in the next release of Authentify’s xFA service, which is due to be made available later this year. xFA already supports voice authentication.
“We are also doing work in the NFC arena and we are looking at ways to put an NFC component in as part of our services,” Authentify’s John Zurawski told NFC World+. “Holding the device in proximity to an NFC reader could potentially be used as yet another authentication factor.”
Zurawski explained: “Our support is via an app that we developed and the app is the front-end for an authentication platform that we host in the cloud. Underneath the app, there are digital certificates.
“Underneath the covers you have a trusted party that issues the certificates. In Authentify’s case, we are self-issuing. When we issue a certificate we actually put an end user through an authentication enrolment process before they get the certificate.
“The certificate is issued and married to a voice biometric and this is where the Samsung begins to come in. An end user can be known by an anonymous handle, like an email address, but we require that person to enrol their voice. The result: a voice biometric is on file and the digital certificate is ‘married’ to that voice biometric.
“With the Samsung fingerprint reader, you now have the ability to layer a second biometric with the first.
“Say I enrol my voice using the xFA platform by downloading the xFA app and creating the voice biometric. I may have to provide my fingerprint simply to log in to the S5 as a user option. Using xFA to log in to a payment site, I will automatically provide my digital certificate associated with that site.
“I speak my voice biometric and the site can require me to touch the fingerprint reader again depending on their policy. The number of hurdles an imposter or cybercriminal must clear to begin to use that particular S5 on a particular site goes way up.”
Zurawski added: “It is entirely possible for xFA to function across multiple bank accounts or multiple banks or multiple online enterprises and actually handle a different digital certificate for each of those places.
“Let’s assume you enrol at some sort of online payment portal. You enrol and you will receive a unique certificate specific to that site. Typically, when a remote user arrives with a digital certificate, the enterprise matches the digital certificate and public key combination. You will be granted access based on the validity of the certificate, but they may require your fingerprint or voice biometric as additional authentication factors.”