At Duo, we’ve made multi-factor authentication (MFA) easy to deploy and use. We were the first to implement push-based MFA, and we’re also proud to say that we were first to support Universal Second Factor (U2F) security keys.
While we firmly believe that U2F is the best and most secure authentication method available for customers, we also know that adoption has been relatively slow. Even among our customer base, U2F is used by a small minority of customers. Internally, we jest that we ourselves are one of the top five users of U2F tokens among our 10,000+customers.
Why is that the case? Well, in reality, it starts with the tokens. Our customers don’t want to manage hardware tokens. It’s the fundamental reason why they chose to go with Duo - because they want to get away from the security team becoming a de facto hardware fulfillment vendor. But we’re extremely bullish about the fundamental security properties of U2F, and we think that the biggest change in strong authentication is soon coming.
Five Years of Biometrics
Think back to five years ago when the iPhone 5S was announced and launched. It’s hard to remember now, but back then, biometrics just did not work. Although fingerprint sensors have been available since the late 90s and are somewhat commonly deployed on enterprise worksystems, users rejected them.
They were riddled with inaccuracy, poor security properties, and, most importantly, unreliability. They just didn’t work. Even on mobile devices, the Motorola Atrix was the first widely-available consumer device with fingerprint sensors, but it was the same slow and unreliable finger-sliding mechanism.
When the iPhone 5S launched, it came with TouchID - a simple fingerprint sensor built into the home button. Within six months, competitors in the Android ecosystem also delivered built-in biometrics, and a year later, Google made a native framework for biometric authentication available in the operating system.
Just five years later, it’s almost impossible to find a consumer smartphone without a built-in, strong and reliable biometric authenticator.
“It Just Works”
So how did Apple make this possible after over a decade of failures from other vendors bringing biometrics to endpoints?
First, there’s the user experience. Apple created a strong authentication experience...that was 10x better. There are apocryphal stories about how even Steve Jobs refused to use a passcode on his iPhone because he hated the UX. In fact, Apple Product Managers have spoken about how, according to their data, a minority of iPhone users chose to use PINs to protect their devices.
Once TouchID became available, Apple proudly touted that 89 percent of users choose to use biometrics on their device, which means better security for everybody. And why wouldn’t they? Users were already tapping the home button to unlock their device; Apple made sure to build their authenticator into the most natural place that a user would place their thumb. On Android, where devices don’t have home buttons, Google and Samsung have settled on the back of the device where the index finger naturally rests as the ideal spot for their sensor.
Second is the technology to securely store keys. For years, fingerprint readers relied upon software and drivers that could be tampered to enforce biometric authentication. You could probably fill an entire day with Black Hat talks about bypassing biometric authenticators via software from the early-2000s.
What was missing was a means to store and secure keys that is tamperproof. And we’ve seen tremendous innovation in this area in the last half decade. Apple has built a Secure Enclave Processor (SEP) into their flagship AX processors that power their iPhones and iPads. Intel, the worldwide leader in processor development, has built Trusted Platform Modules (TPMs) onto their Core iX series chips since 2015. The TPM is, in Intel’s words, a discrete “microcontroller that stores keys, passwords and digital certificates.”
What About Laptops?
Despite all the innovation on the mobile side of things, biometrics on laptops have not taken off as quickly. Windows Hello was launched with Windows 10. Windows Hello is a built-in framework that allows for the delegation of authentication to: biometric authenticators, companion devices, or device PINs. Windows Hello had a rocky launch as laptop manufacturers balked at the cost of adding the expensive infrared (IR) sensors that Microsoft required for Windows Hello, but in the last two years, we’ve seen reliable fingerprint readers similar to those used in mobile devices deployed on enterprise laptops.
In early iterations, there were some gaps in the security properties of the hardware, but ever since 2015, most new laptops ship with processors that contain TPMs for secure secrets storage.
Apple shipped TouchID with their MacBook Pro line starting in 2016. Apple made this possible by shipping a separate security co-processor (effectively the SEP) on the new line of MacBook Pros, and we’ve seen similar investments in the desktop line with the iMac Pro, although there is no built-in biometric authenticator on that device. Industry observers are particularly excited about the application of FaceID, which launched with the iPhone X as a biometric authenticator in future iterations, enabling “contextual computing,” which has only been theorized in science fiction for decades.
While biometrics are slowly becoming widely available on hardware and built into operating systems, adoption by enterprise applications and web services has been relatively slow. While mobile applications broadly support biometrics for authentication, there’s a huge gap with web services. Now, it’s obvious why this hasn’t been an issue on mobile platforms. Native applications have proven to be far better experiences on smaller screens, but on laptops and desktops, web applications reign supreme. In fact, many newer enterprise “native” applications are effectively containerized web applications.
Stay tuned for our next blog post in this series to find out what the next step is for biometric authentication - What is WebAuthn?