Biometric Security: A Deep Dive into Passwordless Authentication and NOAH's Approach

As we plunge deeper into the digital era, secure authentication mechanisms rise to paramount importance. Biometric authentication, which leverages our unique physical or behavioral characteristics for identity verification, is rapidly emerging as an optimal solution. NOAH is leading this transformative shift by introducing biometric authentication across mobile and desktop interfaces, especially our innovative Progressive Web Applications (PWA).

In this overview, we'll delve into passwordless authentication, unpack the power of WebAuthn, explore how NOAH incorporates biometrics in our PWA, and guide you through setting up biometrics on the NOAH app.

WebAuthn, short for Web Authentication, is a widely adopted standard for passwordless authentication. This web-based API enables websites and applications to interact with authenticators, such as biometric sensors, smart cards, and security keys. Compatible with diverse biometric technologies—TouchID, FaceID, Fingerprint, Windows Hello—it enjoys support from all major browsers and platforms.

Let's look at how WebAuthn functions with biometric sensors and how it enhances security and user experience.

WebAuthn and Biometric Sensors: A Symbiotic Relationship

WebAuthn harnesses the power of public key cryptography, which involves a public key, open to anyone, and a private key, kept confidential by the owner. The public key encrypts data or verifies signatures, while the private key decrypts data or signs messages.

Upon registration on a WebAuthn-supporting website or application, users create a credential comprising a public key and an attestation object. The attestation object encapsulates details about the authenticator that generated the credential—type, manufacturer, and security level. This credential, stored in the application's database, links to the user's account.

Consider the registration process like creating a secure locker for your valuable belongings. The locker here is your user account, and the key to the locker is the attestation object and public key pair, your credential. The attestation object works like a unique ID card for the key, detailing specifics about its origin—such as the type of lock it opens (type), who made it (manufacturer), and how secure it is (security level). This key, or credential, is safely stored in the application's database—the locker room. When you want to access your locker (log into your account), you must present your key (use your registered biometric data to unlock your credential) to verify that it's yours. This system ensures that only the locker's rightful owner can access its contents, providing robust account security.

WebAuthn's Impact: Enhanced Security and User Experience

WebAuthn offers significant benefits for users and service providers:

• Elimination of Passwords: By doing away with passwords—which are frequently weak, reused, forgotten, or stolen by hackers—WebAuthn circumvents their inherent vulnerabilities. This includes protection against phishing attacks, where hackers dupe users into entering their credentials on sham websites.
• Leveraging Built-in Biometric Sensors: WebAuthn utilizes biometric sensors already built into many devices like smartphones, laptops, and tablets. These sensors are more convenient and faster than typing passwords or entering codes, offering a higher assurance that the user is who they claim to be.
• Replay Attack Protection: WebAuthn safeguards against replay attacks—where hackers capture and reuse credentials from previous sessions—by using unique challenges for each authentication request, which expire after a short time.
• Support for Multi-factor Authentication: WebAuthn supports various authentication factors—something you have (the device), something you are (the biometric), and something you know (a PIN)—adding an extra security layer if one factor is compromised (not supported with NOAH).
• Cross-platform and Cross-device Authentication: WebAuthn allows users to use any device with an authenticator to log in to any website or application that supports it, reducing friction and enhancing convenience for users who switch between devices or platforms.

NOAH's pioneering implementation of biometrics on our Progressive Web Application (PWA) is an industry game-changer. PWAs offer an app-like experience on a web browser, providing accessibility across devices. By integrating biometrics, we extend the streamlined access and heightened security of biometric authentication to desktop users—an industry-first in digital security.

Similar to other applications, the implementation of biometrics in PWA uses WebAuthn. Users register with their biometric data, then merely respond to a biometric prompt during login. The device generates an assertion, which the server verifies to authenticate the user's identity, providing secure access—a level of convenience and security previously exclusive to native mobile apps.

Let's guide you through setting up biometric authentication on the NOAH app:

1. Launch the NOAH App: First and foremost, start by opening the NOAH application on your iPhone. Look for the NOAH app icon on your home screen or app library and tap it to open.
2. Navigate to Settings: Once the NOAH app is open, you will see an interface with various options. In the upper right corner of the screen, there should be a 'Settings' button or an icon that represents settings (usually a gear icon). Tap on this to proceed to the settings menu.
3. Scroll Down to Security: In the settings menu, you'll see a list of various options. Scroll down until you find the 'Security' section. Tap on it to access the security settings.
4. Enable iCloud Keychain: Here, look for the 'iCloud Keychain' option. This feature, when enabled, syncs your passwords and other secure information across all your Apple devices logged into the same Apple ID. To turn it on, swipe the button next to the 'iCloud Keychain'. It should change color, usually green, indicating that the iCloud Keychain is now active.
5. Follow the On-Screen Prompts: After you've turned on the iCloud Keychain, you will see a series of prompts or instructions provided by the NOAH app. Follow these prompts to set up your passkey for NOAH. This could include entering and confirming your desired passkey. Make sure to remember this passkey as it will be used to access your NOAH account.
6. Activate Biometrics for NOAH: With your passkey set, the next time you open the NOAH app, you will be prompted to sign in with Face ID (or Touch ID on older iPhone models). This is your iPhone's biometric security feature, which uses facial recognition (or your fingerprint) to provide fast, secure access to your apps.
7. Face ID Set Up: If you haven't set up Face ID previously, your iPhone will guide you through the process. It involves several steps of positioning your face in the camera's view and moving your head in specific ways to create a detailed map of your face. If Face ID is already set up, the app should now recognize your face and grant access automatically.

Now, each time you access the NOAH app, it will prompt for Face ID, thus making your login process much quicker and secure. It's worth noting that your Face ID data remains secure within your device and isn't accessible to the NOAH app or any other third-party apps.

For visual instructions, please view the video below.