The world of SaaS is evolving. Biometric Authentication is transforming the user management space by eliminating the dependence on passwords and elevating security levels, while also reducing in-app friction and promoting Product-Led Growth (PLG). Let’s take a closer look about the evolution of this SaaS essential.
The Origins of Biometric Authentication
Contrary to common belief, biometric technology has been in use from the post World War II period. Although the methods were pretty basic, limited, and straightforward, the general concept is not at all new.
Here are some key highlights from the last century.
- Facial recognition methods, semi-automated in nature, were developed in the early 1960s. How did it work? Administrators had to manually analyze facial features in pictures or images to extract usable feature points.
- Law enforcement bodies in the United States started embracing fingerprint and facial recognition in the late 1960s. Massive funding was allocated to the development of automated processes and more complex biometric sensors.
- Speech recognition technology took center stage in the 1980s, with the National Institute of Standards and Technology developing key technologies that are the foundation for today’s voice command and recognition systems.
- The first iris recognition algorithm was patented in 1994. This development was accomplished by discovering the fact that blood vessels patterns in eyes are unique. This made it a foolproof authentication method.
- The floodgates were then open. In the 2000s, with the rise of smartphone usage and the emergence of SaaS, hundreds of biometric authentication recognition algorithms were patented and used just in the USA.
Biometrics were initially implemented by large corporations and government setups that could afford to invest in the required infrastructure and computing capabilities. But the rise of the internet and SaaS industry put the biometric machine into overdrive. Use cases started to multiply and today we are in a place where passwords and usernames are starting to become obsolete.
What is Biometric Authentication?
In a nutshell, authentication is all about verifying the identity of the end user before providing him access to the application or online service. When it comes to biometric authentication, it’s all about leveraging unique and distinctive biological characteristics like fingerprints, retina scans, and other kinds of physical attributes. Validated user information is stored in the database to make this happen.
This is a massive shift from the traditional password authentication protocols, which created a wide range of issues, both internally and externally. Here are just a few issues that have been repeatedly surfacing due to password usage.
- Password Fatigue – With most people using dozens of applications on a daily basis, they simply opt for the same one for all uses. The selected passwords are also usually easy to guess, making it a huge security liability.
- In-App Friction – SaaS required in-app freedom and less dependence on support, as evident with the shift towards PLG. Unfortunately, passwords are often forgotten and need to be reset, causing a lot of frustration.
- Pressure on Support and IT Teams – Traditional authentication methods put a lot of stress on support and IT teams. Passwords need to be reset, with IT teams often migrating password databases or vendors – all huge roadblocks.
Biometric authentication is eliminating all of the aforementioned risks thanks to its inherited benefits. It’s helping SaaS organizations eliminate a wide range of roadblocks and pain points to achieve added robustness and scalability.
- No Passwords – Hackers have a much harder time infiltrating laptops and smartphones that are protected with biometric authentication. It’s almost impossible to mimic a face or fingerprint from a remote location.
- Multi-factor Authentication (MFA) – SaaS companies can now add another layer of security by combining the power of biometrics with other methods. Read more in our detailed article about this methodology.
- Elevated Customer Satisfaction – Simply put, biometric authentication allows users to sign up and sign in faster. It removes the need to remember passwords and is also very accurate with little need for resets.
There are many types of biometric authentication methods that can be used today:
- Fingerprint Scanners – The fingertips patterns are used for authentication
- Facial Recognition – Based on parameters called “faceprints”
- Voice Recognition – Use of certain vocal characteristics (voice frequencies)
- Eye Scanners – Work with iris and/or retina patterns
WebAuthn: Driving the Biometric Revolution
Now that we have covered the main benefits and characteristics of biometric authentication, it’s time we get familiar with WebAuthn. This is basically a relatively new W3C global stansra for secure web authentication that’s now supported by all leading web browsers and online platforms. WebAuthn is the driving force behind the aforementioned biometric authentication revolution.
So what is WebAuthn all about?
WebAuthn is basically an API, developed with contributions from Microsoft and Google, that makes it easy for web services (relying parties) to integrate strong authentication into applications. This functionality is allowing the integration of strong authentication flows with multiple authenticator options to answer a wide(er) range of use cases. Biometric authentication is one of the options.
You can find many WebAuthn variations today:
When WebAuthn is implemented properly in the ecosystem, the server has to provide data that binds a user to a credential, which is essentially a private-public keypair. What does this data include? First, it has identifiers for the user and the relevant organization, commonly referred to as the “relying party”. The website then uses the Web Authentication API to prompt the user to create a new keypair.
Everything revolves around the publicKeyCredentialCreationOptions object, which contains some mandatory and optional fields that the server uses to create a new user credential. Here is a list of fields that you’ll find more often than not.
- challenge: The challenge is essentially a buffer of cryptographically random bytes generated on the server, and is needed to prevent “replay attacks”.
- rp: This is basically a short form for a relying party, describing the organization responsible for registering and authenticating the user. The id is always a subset of the domain currently being run in the browser.
- user: This is information about the user currently registering. The authenticator uses the id to associate a credential with the user. For security reasons, it’s recommended not to use PII as the id.
- pubKeyCredParams: An object array that defines acceptable public key types. Alg – a number described in the COSE registry. Here, -7 means the server accepts Elliptic Curve public keys with a SHA-256 signature algorithm.
- authenticatorSelection: This is an optional object that helps relying parties make further restrictions on the type of authenticators allowed for registration.
- timeout: The time (defined in milliseconds) that the user has to respond to a prompt for registration. After that time limit, an error is returned.
- attestation: The attestation data that is returned from the authenticator has information that could be used to track users.
As we’ll learn in the next sections, WebAuthn is now built into all leading tech ecosystems. It eliminates the need for passwords by using private-public keypairs (credentials). The private one is stored on the end-user’s device, while the public one is sent to the server along with a random credential ID for storage. The public key is of no use without the corresponding private one, making WebAuthn very secure.
Face ID for Apple Users
As the name suggests, Apple’s Face ID is an advanced face-recognition technology that launched on the iPhone X in 2017, something that replaced its old Touch ID fingerprint scanning system. The hardware powering this technology is the “TrueDepth camera system”, a complex system that has cameras, sensors, and a dot projector. The face is registered as a detailed 3D map that’s used for authentication.
Besides the trivial device unlocking functionality, Face ID is now being used by Apple to log into iOS applications, sign into online services, and protect personal information. It’s also making iPhones and Macbooks into potent B2B end-devices.
App developers can use valuatePolicy(_:, localizedReason:, reply:) to show the Face ID authentication popup on a device that supports Face ID and where the user has configured Face ID. Here’s an example of FaceID implementation with Swift:
The Android OS, powered by Google, is not lagging behind in the biometric front. Its smartphones, tablets, and Chromebooks, regardless of the manufacturing company, are powered today by face recognition and fingerprint scanning capabilities.
Here’s how it works.
First you need to use the AndroidX Biometric Library to determine compatibility:
Then, canAuthenticate() will usually return one of these outcomes:
- BIOMETRIC_SUCCESS: The device is ready to use a biometric prompt, as the hardware is available and the user has also enrolled biometric data
- BIOMETRIC_ERROR_NONE_ENROLLED: The device has biometric capabilities, but the user has yet to enroll their fingerprints or face.
- BIOMETRIC_ERROR_NO_HARDWARE: The device’s hardware does not support biometric authentication.
You can also run another check to ensure enrolled biometric data:
You then follow these steps to complete the biometric implementation:
- Initiate the building of the biometric prompt
- Set PromptInfo to the message and configuration you want
- Use the calling activity and callback handlers to set up the biometric prompt
- Reopen BiometricUtil.kt
- Use the BiometricPrompt.PromptInfo.Builder builder class to generate the dialogue and populate it with the title, subtitle, and description
- Initialize BiometricPrompt with the initBiometricPrompt() function
- To display the biometric prompt properly and bind everything together, add the BiometricUtil.kt function
- Use the below function in your login/sign-in to use Biometric authentication
That’s how it goes on the Android side of things.
Biometric Authentication with Frontegg
Frontegg is a self-served user management platform that helps SaaS developers implement strong authentication flows, along with other PLG-centric capabilities like billing and subscription management, login box implementation, and more. It’s now possible to use a centralized dashboard to manage all roles and permissions, all with just a few clicks. All of the above also applies to biometric authentication.
As your users expect to have the seamless login experience, it’s our responsibility to help and ease their way into the app. We have built this into our platform so you can integrate Biometric authentication quickly and securely. Wanna give it a shot?