Introduction to TruYouID Authenticator:
As secure as FIDO2 and U2F may be, and they are much more secure than their predecessors, there is always room for improvement. TruYouID is one take on improvements that substantially advance the security of FIDO2 and U2F without impacting or otherwise affecting the underlying protocols.
If you read Authenticators and TruYouID, then you may have picked up on a weakness of all authenticators. Simply put, they perform their task on behalf of whoever is in possession of the device. Thus, every account secured by a loaned, borrowed, lost, or stolen authenticator is at risk. Of course, the FIDO Alliance picked up on this as well, and in the FIDO2 specifications they set forth guidelines for Biometric Authenticators. A biometric authenticator adds a biometric test to the gesture affirmation process. For example, in addition to a button press gesture the authenticator may also perform fingerprint comparisons. You can expect to see biometric-based authenticators of this nature by the fall of 2020. In that field of biometric authenticators will be TruYouID, whose behavioral biometrics I believe are superior to one-time, statically stored biometric credentials such as fingerprint or facial scan images.
TruYouID combines an implementation of my Personal Identifier invention with an authenticator compliant with both the FIDO2 and U2F standards. As such, it is the first authenticator to ensure that you, and only you, can use your TruYouID authenticator. While loss of your Smartphone may be a very concerning and stressful event, the security of your accounts linked to TruYouID is not among those concerns: employment of the Personal Identifier ensures no one can spoof your credentials.
At present there are three types of mobile authenticators: those based on USB, those based on NFC, and those based on BLE. TruYouID is a Smartphone App of the BLE type, meaning it provides authenticator services to an accessing device over Bluetooth LE.
In the FIDO2 and U2F stack the parties involved in the authentication process are:
- The “Relying Party” (RP) providing the secured service or permission to access the secured service. The RP is sometimes referred to as the “service provider”.
- The “Client” device or application exists as an intermediary between the RP and the Authenticator. The Client might be, and often is, a browser. It might also be an ATM-like device or perhaps a door access actuator. It could be an automobile's on-board computer, a secure medical device, or even an access turnstile at the entrance to secure sterile areas such as those at terminals or events. There are virtually no limits as to what can qualify as a Client. Additionally, it's entirely permissible for the RP and Client to co-reside on the same device. All Clients supporting Bluetooth LE authenticators have one thing in common: a BLE wireless interface that is compatible with TruYouID.
- The “Authenticator” is the device you have on your person and use to establish that you are a human and, in the case of TruYouID, to establish both that you are a human and that you are you. The authenticator might be a little dongle-like device you plug into a USB socket, if available, or hold up to an NFC antenna, if available. Or it could be a BLE device, or even an App for use on your Smartphone such as TruYouID.
TruYouID Authenticator UI – The App runs in the background on a 24/7/365 basis to ensure it is always aware of possession status: does a human have possession, and is that person you, the First User? When needed, a single tap brings it to the foreground, at which point the UI described below is presented.
Depicted here is the “Blocked State” UI. The display is divided into two sections: the 2FA section above “Tap to register” and, below it, the TruYouID icon used to invoke FIDO2 and U2F functions. The blocked state simply means use of the authenticator is blocked; it cannot be used to affirm identity in FIDO2 or U2F modes or to produce 2FA TOTP or HOTP One-Time-Passwords. This locking mechanism prevents malicious use: no one other than the First User, you, can use the authenticator facilities, and then only when it's recognized that the App device is in your actual possession.
The Tap Me UI – appears when you, the First User, are in possession of the device and have brought TruYouID to the foreground. Its presentation indicates affirmation by TruYouID that a human is in possession of the device and further confirms that person is you.
In the 2FA display section appears a scrolling list of the One-Time-Passwords for all registered 2FA accounts. These cycle or renew every 30 seconds, as indicated by the rotating icon at the top right of the display. “Tap to register” is used to register new 2FA accounts. When tapped, a QR code scanner appears for scanning a QR code carrying the account and secret key information. Optionally, the account and secret key information can be entered manually.
The yellow TruYouID icon is used to access the FIDO2 and U2F facilities of TruYouID. Tapping it initiates either the Registration or Authentication process, while Tap and Hold for 3+ seconds initiates the Pairing process. Either results in presentation of the Soliciting UI.
The Pairing process is the process by which TruYouID and your Client device(s) establish an awareness of each other; it forms a security bonding between the devices. This process is covered in more detail in [TODO LINK].
Registration is a one-time process performed between TruYouID and the RP service account you wish to access using either the FIDO2 or U2F protocol. This security measure establishes a specific bonding between your RP service provider and your TruYouID authenticator. During this process the parties negotiate which protocol to use and which features within that protocol to use. There are only two protocols, but many features and options in each. TruYouID supports both FIDO2 and U2F and offers the full suite of options within each that is possible in a Bluetooth environment.
Soliciting UI – is used for both the Tap and the Tap and Hold options of the Tap Me UI. When displayed, it confirms to you that TruYouID is actively advertising its availability for connection.
A word of caution is in order. TruYouID is a wireless Bluetooth device. While it is advertising for connection there is an open window in which a nefarious person could attempt to take over the facilities being advertised. The wireless range of Bluetooth LE is approximately 5 meters (15 feet), meaning anyone within that approximate radius of TruYouID is a potential interloper. While TruYouID takes every reasonable precaution to prevent a malicious attack from succeeding, the old saying that an ounce of caution is worth a pound of cure applies in this case. This word of caution applies primarily while a Tap and Hold for registration is being processed, but it is good advice in general where Bluetooth LE is concerned.
Soliciting continues until either a remote device initiates a connection, in which case the BLE Active UI appears, or a timeout occurs. In the event of a timeout, indicating there is no device desiring to connect with TruYouID, TruYouID returns to either the Blocked or the Tap Me UI. Typically this occurs when Bluetooth is not enabled on the Smartphone, the Client device, or both. Another possibility is an out-of-range condition; try again with one meter (3 feet) or less of separation between Smartphone and Client device.
BLE Active UI – is displayed when the Bluetooth connection is actively engaged with another device. The subtitle under the UI button indicates the type of session activity as either “Active Pairing”, “Active Registering”, or “Active Affirming”.
The BLE active modes are:
- Active Pairing mode indicates BLE activity related to the pairing with a Client device. When it completes TruYouID returns to the Blocked or Tap Me UI. Refer to [TODO LINK] for more details on pairing.
- Active Registering mode indicates TruYouID is in an attestation conversation with the RP service provider via the paired BLE Client for the purpose of registering TruYouID with the RP service provider. During this process TruYouID and the RP will decide on which protocol to use, FIDO2 or U2F, and the options therein. When it completes TruYouID returns to the Blocked or Tap Me UI.
- Active Affirming mode indicates TruYouID is affirming to the RP via the Client that (1) TruYouID is a registered authenticator of the RP, (2) TruYouID is in the possession of a human, and (3) the person in possession is known to be the First User. On the condition that each of these affirmations is in compliance with RP requirements, the RP grants access to the service. TruYouID control then returns to either the Blocked or the Tap Me UI.
Essential Secure PIN UI – So, TruYouID claims to use behavioral biometrics and human traits for identification; what gives with this esPIN thing? TruYouID adopts security layering principles. When using an Android or iOS device, the outermost layer of security is the login process. The process may be a simple screen swipe or tap pattern, something a bit more secure such as a PIN or password, or, for best security, a biometric option such as a fingerprint reader, facial scan and recognition, and others. In truth, each of these statically stored credentials, being checked only once at login, can be defeated; the only variable is the time and effort required to do so.
To address this, TruYouID first enhances the login method with the addition of biometrics. During login it captures the biometrics associated with the process, over time building a knowledge base of the First User's login biometrics. Thereafter, each time the First User logs in to the device, TruYouID in the background captures and validates the biometrics of the process, catching the case of a compromised login. Of course, a mismatch may in fact be the First User having a bad day, and this is where esPIN comes into play. On detection of a login verification error the user is immediately presented with the esPIN challenge as the next inner layer of biometric security. The First User has the opportunity of recovery by simply entering their esPIN code, whereas a bad actor is stopped in their tracks and blocked from using any of the authenticator facilities.
Unlike normal PIN codes, esPIN adds biometrics to each character of the PIN. Thus, where the typical 4-digit PIN has only 9,999 combinations, the four-character esPIN has over 130 thousand different combinations. One is easy to defeat; the other is nearly impossible.