Passwordless Solution With Biometric FIDO Security Key

Background

The current authentication solution always comes up with an account with passwords, which has been defined as not secure. The most common attacks are phishing and man-in-the-middle attacks. Hackers can trick users to visit and log in to a fake website, where the user gives away sensitive login data and performs a fraudulent transaction. The so called man-in-the middle, are even more aggressive, the hijack the communication between the user and service, and automatically redirecting the user to the fake website.

Solution

To prevent such attacks, FIDO has formally introduced U2F as a second factor for authentication. Even though, such solution increases inconvenience of users to have one more authentication factor.

Today FEITIAN introduce the first FIDO2 biometric solution to eliminate passwords and strengthen security. To get here, the company has worked tirelessly with the Microsoft and FIDO2 development teams. We see the FIDO2 solutions as having very significant impact on enterprise security and cloud solution functionality. We believe this collaboration will be a significant development in FIDO2 technology. Innovation in the FIDO space is crucial to industry development. FEITIAN is dedicated to improving the FIDO2 security solution so as to secure enterprise as well as increase usability for the individual.

The leap that FIDO has made reduces user’s reliance on passwords, and makes authentication more secure and less cumbersome. Biometric security keys provides a better authentication experience than using a local PIN code, users are able to logon to Azure AD and all Microsoft Services with “touch and go” experience. Biometric verification also prevents sharing of local PIN, extremely simple local PIN problems.

By adding fingerprint technology to our FIDO2 security keys, FEITIAN is presenting a password-less experience with our biometric solution. And FEITIAN is able to offer a convenient and ultimately more secure password-less experience.

System Logon Solution

Background

PKI tokens are already widely used for 2FA in multi-fields, banks, enterprises, government agencies and even end users in their daily lives to protect their online transactions, document signing, online tax and other services. Another important feature is that protect user’s system logon.

Logon to system maybe the most common thing to do every day, users need to input the password every time and also may worry about to lose it or not secure if the password is too simple, so traditional password is low-efficiency and low security level, obviously a more secure and easier method could help users to enhance their work efficiency and security. FEITIAN’s system logon solution bring such method to users.

Solution

FEITIAN, as the world leading identity authentication provider, can solve users concerns by offering system logon solution for PKI products in Windows and Mac OS, the solution will work with 3rd party software together:

Windows system

Work with EIDAuthenticate (from https://www.mysmartlogon.com/), as most logon programs require specific smart card driver, storage facility on the smart card itself or user process authentication, this program is the only one which does the authentication inside of the security kernel of Windows (lsass.exe) : even with signature only card, your data is safe. For example, EIDAuthenticate is the only solution supporting natively the windows “force smart card logon” policy, used to secure the local administrator accounts in datacenters or to comply with HSPD-12.

FEITIAN ePass PKI tokens provide secure medium to store the system logon digital certificate which generated by EIDAuthenticate, and implement Windows system logon with token PIN after finish the configuration of EIDAuthenticate. A smart card account will be shown in the Windows logon interface when restart the system and plug ePass PKI token, just click the account and input the token PIN to logon.

Mac OS with FEITIAN PIV

Mac os already supported PIV natively, just enable the pairing function in system, and plug PIV token/card into system to finish the pairing, after that, just restart or log off the system and then the logon interface will show the logon option with PIN.

Mac OS with FEITIAN GIDS

Work with OpenSCToken (re-build by FEITIAN) to implement Macos smart card logon. OpenSCToken is actually use CryptoTokenKit which is Apple's take on programmatic access to smart cards and other tokens. It provides both low level access to tokens (comparable with PC/SC) and high level access for system wide integration of a token (comparable with Windows Smart Card Minidriver).

FEITIAN GIDS token/card is able to work with OpenSCToken application, just install the OpenSCToken which rebuild by FEITIAN in Mac os, and enable the pairing function in system, and plug GIDS token/card into system to finish the pairing, after that, just restart or log off the system and then the logon interface will show the logon option with PIN.

Online Remote PIN Unlocking Solution

Background

PKI tokens are already widely used for 2FA in multi-fields, banks, enterprises, government agencies and even end users in their daily lives to protect their online transactions, document signing, online tax and other services. PIN is the most basic and commonly used part for PKI token, it is used to protect the access of certificates and key pairs inside the token.

PIN can be set with different complexities according to usage habit of users themselves, like letters, digits and specific symbols, but more complicated PIN will be more difficult to remember, so there are users who forget the PIN and result in the token is locked, traditional way to unlock PIN may request user to bring the token to Administrator or appointed place, it may take long time and inconvenient, so remote unlock PIN solution will solve the problem and provide quick and convenient way to users.

Solution

FEITIAN, as the world leading identity authentication provider, can solve users concerns by offering online remote unlock PIN solution for ePass series products, the solution contains remote unlock client tool and backend server. The unlock process is:

Remote unlock client tool

When the token PIN is locked, user could download the tool and start, the tool will get serial number and certificate file (.cer file) in token and generate session key, then send all these to backend server in cipher text.

*Note: The remote unlock client tool is for Windows system only.

Backend server

Receive the information from client tool and decrypt to get token serial number, certificate file and calculate the SO PIN according to the token serial number. And encrypt the SO PIN with session key. Meanwhile, server will parse the user email address from the certificate file and generate a verify code, send to user email.

*Note: Each token has different SO PIN which calculate based on unique token serial number.

User

Check the email to receive the verify code and input the code into client tool and click unlock button. And the client tool will send the verify code to backend server in cipher text, after verify successfully at server side, server will send encrypted SO PIN to client tool, and reset PIN window will pop up after verify SO PIN, so user can reset PIN and finish the unlock procedure.

*Note: In the whole unlock procedure, the token must keep connecting status and cannot access by other application, otherwise, the unlocking will be failed and need to redo.