Category: sezame Technical

A lot of times when the team is out there talking to prospective customers, this is one of the first questions we hear. They see what sezame does and compare it to stuff they already use (and probably like). That’s a good starting point! So let me try to explain why and where things are a little different if you start using sezame.

There are many apps in today’s app stores making use of fingerprint and other biometric authentication like face or iris scans: your banking app may be one of them, as may cloud storage providers (like Dropbox or OneDrive and many others), email clients or financial transaction apps in general (like your credit card company’s app or PayPal).
They all make use of the great opportunity and the high user acceptance already built into almost all modern smartphones: using your biometric identifiers to safely access the services they provide, without the constant hassle of entering PINs or passwords whenever you open them up or want to use them. This works great and is a big step towards a world where we no longer need passwords.

We leverage these sensors as well, but our concept has a different approach. Let me try to explain it with a picture: keys and doors. The apps you are using today allow you to access a service (open a door) in a 1:1 ratio. You want to access your cloud storage: open the app and access it – storage door opens with storage key. Access your bank account: same story, open app, open account. You get the picture. So for every one of the services you want to use, you need the app for that service.

Sezame is designed to work like a master key: with one single key (app) you can access all of your services (doors) – admittedly not today, but more and more doors accepting your master key are added every month.

On top of this, to stay within the picture, your single-purpose keys, like the ones on your existing key ring and their respective doors, come in all levels of security: knob locks and lever handle locks, furniture locks, cylinder locks, deadbolts etc. Why? More than 90% (probably more like all) of today’s apps use the fingerprint for convenience only: typically the app allows you to set a PIN and then lets you enable the biometric sensor (really a convenience override) so you don’t have to enter the PIN every time you open the app. However, what happens under the surface (the app accessing the online service with the credentials stored in the app) is typically the good old username/password combination being sent to the service you are accessing. Remember furniture locks? Some implementations combine this with additional security measures, e.g. a cell phone serial number or a number generated by the app, and so bind the device to your credentials. Like a twin lock, this is highly improved security, but unfortunately it is rarely implemented, as it requires a lot of service-side changes to accept the additional ‘key’. By adding the local fingerprint lock on the phone the user already feels safe anyway, so why go the extra mile …

With sezame, we not only enable services to allow secure access for their users, we also give them the tools to quickly and – depending on IT knowledge level – surprisingly easily implement the solution into their IT infrastructure. Once installed, we always require multi-factor authentication (MFA) on the service side. Going back to our door lock picture, we always make sure you brought all 3 keys required for one door – on every door you want to open with your master key.

Two-factor authentication solutions based on the one-time-password (OTP) concept have been providing strong protection for millions of accounts for almost as long as passwords have been around. This second factor, provided on top of the first one (typically a password), is dynamically generated and valid for one authentication only. Over the years, the delivery methods for these second factors have changed, from hardware tokens users had to carry with them to software-based tokens and, in their latest iteration (with the global advent of mobile phones), to text messages delivered to these devices. Although proven a good solution, there are some inherent limiting factors: manual user interaction (typing in the code), provisioning and setup for users and, being the logical attack location, the secrets needing to be stored centrally on the access servers.

In the last decade, with smartphones entering people’s lives on a global level and being carried around 24/7 in billions of shirt and pants pockets and handbags, and (if you are working out or jogging) even strapped to your arm, your most personal device has started accompanying you in unprecedented ways.

This widespread availability of new technology, which by today in most cases even includes a wide variety of biometric sensors (most commonly for scanning fingerprints, but also faces, the human eye, voices or heart rates), allows for new approaches without degrading the user experience. Compare the OTP routine: interrupt what you are trying to do, switch to another app, memorize the code, switch back to what you wanted to do, and sometimes even do it all over again because you just hit the 30-second limit. Although solutions using OTP have definitely improved security, user acceptance has been ridiculously low (less than 10 percent according to research) due to the extra burdens created, which the vast majority of consumers do not accept.

One real benefit of most OTP solutions is their out-of-band ability (meaning it works even when you don’t have network coverage). But with the arrival of fast data networks like LTE, and with the majority of users in the regular consumer market accepting that on rare occasions there is no data connection (like in the elevator or in the basement on level -7), this matters less: more than 90% of their usage of authentication services actually happens when they are covered. We have often heard phrases like ‘I am fine if it works wherever WhatsApp works’.

All of the above facts combined show that the prerequisites for strong authentication solutions that are highly convenient (and ready to blow the legacy of SMS and OTP out of the water) are now widely available. And the timing is right as well, with reports of OTP phishing and SMS interception and abuse steadily rising since 2015, tech-savvy press articles starting to suggest back then a total move away from these solutions (e.g. here’s an example on Wired), followed by the National Institute of Standards and Technology (NIST) condemning it and no longer considering it verification.

The main reason these solutions are still vulnerable to phishing and man-in-the-middle attacks (interception of messages by the bad guys), even for the widely used verification of password resets (see here), is that they still rely on so-called ‘shared secrets’, that is, symmetric cryptography: the same secret that generates the code also has to sit on the server that checks it.

Solutions like sezame, on the other hand, use a newer approach, a so-called PKI (public key infrastructure). Because it uses asymmetric pairs of cryptographic keys, there are no shared secrets, such as passwords, that could be intercepted.

We realize biometrics are a very worrying subject. Your passwords might get stolen, which is very inconvenient (if you ever had one stolen and then used, you know the feeling), but there is an upside (if you want to look at it from a positive perspective): you can set a new password on all the accounts where you used it and you are ‘safe’ again. With your biometrics there is no such thing as changing them in case of theft: they stick, with no reset possible.

That’s why here at sezame we opted for the one path where this does not pose a threat – we do not have access to your fingerprints or face scans, we do not store them and we certainly do not send them over the internet – encrypted or not!

We follow the same pattern led by the industry giants implementing biometric sensors: your data stays within your most personal device, your smartphone. It never leaves the phone and (up to today) there is not one documented incident where the bad guys were able to access these biometrics on a phone. They are safely locked away in a so-called TPM (trusted platform module), a cryptoprocessor on the mainboard with isolated communication capabilities towards the main processor or the internet-connected modules. The implementation of these secure co-processors in today’s smartphones makes it literally impossible to access the raw fingerprint data via the operating system or any application running on the phone (again, as of today, not a single documented incident). If you want to read more about this in great detail, here is how Apple implements this in today’s iPhones: iOS_Security_Guide and Touch ID advanced security technology.

So under the (pretty safe) assumption that your fingerprints or face scans are secure on your device, we decided to use an approach leveraging these sensors and their built-in security the way they were designed.

What are the advantages of remote authentication compared to the existing Touch ID solutions many apps already use on my iPhone?

There are many apps in the app store today that already make use of Touch ID & Face ID (on Apple smartphones) or fingerprint authentication in general (on most Android smartphones): your banking app, cloud storage providers (like Dropbox or OneDrive and many others), email clients or financial transaction apps (like your credit card company’s app or PayPal) and even your Amazon shopping app. They all make use of the great opportunity already built into almost all modern smartphones of using your biometric identifiers for safely accessing the services they provide, without the constant hassle of entering PINs or passwords whenever you open them up or want to use them. This works great and is a big step towards a world without passwords.

So what is different if I use sezame?
The main difference is the way sezame makes use of these biometric sensors built into your most personal device. We leverage this secure approach of storing your biometrics (as you surely have heard before, your fingerprint details never leave your phone; they are securely stored in the phone and cannot be retrieved by anyone, including us) to enable you to remotely log into your preferred service via your device. With all the aforementioned examples, you are more or less only replacing a locally stored PIN or password for your app with your fingerprint, which releases this stored PIN. sezame, on the other hand, enables this via its patented process, e.g. on remote websites, but more generally also allows for unlocking more or less any service on a connected device (one that can make use of our unique process via the installed SDK, a little piece of code available on all major platforms like Java).

Once your favorite website, service or device has implemented our solution, all you need to unlock, open or enable it is your fingerprint on your smartphone: secure and simple. So unlike the solutions you already know that make use of Touch ID etc., which can only unlock one service/app locally because you stored a PIN for that app first, our solution has the potential to unlock almost everything (if implemented on a wide enough scale, of course), and this without storing passwords or PINs, neither centrally nor locally on your phone. So one app will be able to unlock all the services you use on a daily basis with the same method and the same convenience, again and again and again. Help us spread the word and free the world of the nuisance that passwords and PINs pose to all our lives today!
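To make the two points above concrete (the ‘shared secrets’ problem of OTP described earlier, and the remote unlock via a key pair that stays on the phone described in this answer), here is an added illustration in Go. It is not sezame’s SDK code, which this post does not show: the HOTP verifier must keep the very same secret as the token, whereas the challenge-response verifier stores only a public key, and a response captured for one login does not verify for the next. The use of ed25519, the 32-byte challenge and the type names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// HOTP (RFC 4226, 6 digits): token and verifier must hold the same secret.
func HOTP(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil) // 20 bytes
	code := binary.BigEndian.Uint32(h[h[19]&0x0f:]) & 0x7fffffff // dynamic truncation
	return fmt.Sprintf("%06d", code%1000000)
}

// OTPServer is the central secret store the post calls the logical attack location.
type OTPServer struct{ Secret []byte; Counter uint64 }

// Verify recomputes the code from the stored secret; each code is good once.
func (s *OTPServer) Verify(code string) bool {
	if HOTP(s.Secret, s.Counter) != code {
		return false
	}
	s.Counter++
	return true
}

// PKIServer keeps only the public key (ed25519 assumed); the private key stays on the phone.
type PKIServer struct{ Pub ed25519.PublicKey }

// NewChallenge returns fresh random bytes (32 is an assumed size) for one login.
func (s *PKIServer) NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	return c
}

// Verify accepts a signature over this login's challenge only, so a captured response is useless later.
func (s *PKIServer) Verify(challenge, sig []byte) bool {
	return ed25519.Verify(s.Pub, challenge, sig)
}

// DeviceSign is the phone's side, run after the local fingerprint check.
func DeviceSign(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}
```

The HOTP values can be checked against the test vectors in RFC 4226 (secret "12345678901234567890", counters 0 and 1 give 755224 and 287082).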

sezame