This article explores the recently released Samsung fingerprint scanning API also termed as “Pass API” in light of security for mobile wallets. Pass API is released as part of the Samsung Mobile SDK 1.5 beta1 during the launch of Samsung Galaxy S5 mobile phone. One of the key feature of Samsung galaxy S5 is fingerprint reader. The application could use fingerprint reader to scan user fingerprints and verify against the users’ stored fingerprints on the device. This article presents an overview on the PASS API and, then, talks about how it could be used for mobile wallets’ security.
What is Pass API?
As mentioned on Samsung Developers Page for Pass API, Pass API allows the developers to use fingerprint recognition features in your application. The fingerprint recognition feature could be used to provide additional security to the security-critical application such as Mobile Wallets which is supposed to be used (in most cases) by just the owner of the phone. Following is a diagram that represents the fingerprint scanning by the mobile phone:
Following API features could be used by applications to take advantage of fingerprint scanning:
- Enroll/Register: Register fingerprints at the time of enrolling, to be used as part of authentication process
- Login Inputs: Request fingerprint scanning as login inputs before providing access to the application
- Authentication: Verify whether the scanned fingerprint matches with the users’ fingerprint stored on the device
How could (or Would) it act as a booster to Mobile Wallets Security Model?
The fact that Pass APIs could probably be used for wallet security was derived & comprehended from the fact that Samsung and Paypal agreed on a strategic alliance in which Samsung Galaxy S5 users would be able to login and shop at any merchant that accepts PayPal on mobile and in-stores with only their fingerprint. The new secure, biometric feature means Galaxy S5 users will no longer need to remember passwords or login details across millions of PayPal merchants. Do read further at the press release on strategic alliance between Samsung and Paypal.
The above mentions the fact that biometric feature may no longer need users to remember passwords. However, I would rather see integration with Pass API as a sort of 2-factor authentication thereby strengthening the security of security-critical applications such as mobile wallets. Lets briefly take a look at what is called as 2-factor authentication.
What is called as 2-factor authentication?
As defined on wikipedia, two-step verification is a process involving two stages to verify the identity of an entity trying to access services in a computer or in a network. This is a special case of a multi-factor authentication which might involve only one of the three authentication factors (a knowledge factor, a possession factor, and an inherence factor) for both steps. If each step involves a different authentication factor then the two-step authentication is additionally two-factor authentication. Simply speaking, following could be used to authenticate users:
- Knowledge factor: What they know? This would be their password that they know (or remember)
- Possession factor: What they posses or have? This is the fingerprint which is unique to every user and possessed by them.
Recommended Security Model with Pass API Integration
With above mentioned, fingerprint scanning with Pass API (satisfying possession factor criteria) and a password (satisfying knowledge factor criteria) could be used for two factors authentication as part of new/recommended security model.
Thus, new password would be combination of following:
New password = Fingerprint + User password
As part of security policy, application could enforce users to change their password (knowledge factor) at the regular interval which would lead to change of overall password.
Following is how the security is strengthened with usage of Pass API and Password:
- In case, the mobile phone is lost, no one can access the wallet as it would require one to scan their fingerprint (possession factor). Someone trying to login with their fingerprint would be blocked as the fingerprint is unique to mobile owner.
- In case, the mobile phone is open, someone still can’t access the wallet as it would require them to enter the password which is only known to the mobile owner. This is the 2nd factor.