National Vision Administrators

Industry: Healthcare
Size: 501-1,000 Employees
Location: Clifton, NJ
 

Since 1979, National Vision Administrators (“NVA”) has been administering innovative and cost-effective vision benefit programs. Providing millions of people throughout the United States with vision care programs and access to our national, diverse provider network of eye care experts, NVA serves employers in both the private and public sectors and union welfare funds as well as MCOs, third party administrators and health care purchasing coalitions.

Business Need

Mobile biometric authentication has become standard in mobile apps that require a secure login. More importantly, users expect that the apps they use will provide a biometric authentication option. The case was no different with the NVA Vision Benefits Member app; according to user feedback, it was the most requested feature.

Seeking to satisfy users and streamline their app’s login process, NVA asked GDC for assistance with integrating mobile biometric authentication into the NVA Vision Benefits Member app. The challenge of doing this was two-fold: the app would need separate solutions for Android and iOS and would also need to utilize their existing login and session API services.

The Solution

For Android, GDC developed a solution that would allow users to take advantage of what is known as Class 3 biometrics. Class 3 includes fingerprint, face, and iris authentication. Hardware manufacturers are free to include any biometric modality that conforms to the Android Open Source Project, therefore a single device may implement one, many, or all of the Class 3 sensors.

For iOS, GDC developed a solution that implements fingerprint authentication through Touch ID and face authentication through Face ID.

To satisfy the constraint of using as much of the existing API structure around the login and session services as possible, a shared approach was taken for Android and iOS. Sensitive session information would be encrypted and placed into secure app storage.

For Android, this meant taking advantage of the KeyStore, a storage facility for cryptographic keys and certificates. Any sensitive session data would be encrypted using keys managed by the KeyStore. For iOS, this meant taking advantage of the Keychain, Apple’s infrastructure for storing passwords, keys, and other sensitive credentials. Any sensitive session data was encrypted and stored.

To this end, GDC developed a workflow that allows users to set up biometric authentication on their devices:

• Check that a user can be authenticated within NVA’s systems.
• Request that the user verify their biometric credentials.
• Encrypt the user’s session data with the caveat that biometric authentication is required to decrypt it.
• Store the encrypted data in secure storage.
• Once set up, the user can then log in via biometrics.
• The app requests the user to verify their biometric credentials
• The results are then used to decrypt their session information for use with the existing API services.

The Results

NVA has now satisfied one of the most requested features of their app, and without having to change their existing API services. Users of the NVA Vision Benefits Member app may now log in using various forms of secure biometric authentication provided by Android and iOS.    

For a company that handles sensitive health-related information for its clients, maintaining a secure application is essential for customer satisfaction. Biometric authentication, a feature that was a luxury in the past, has now become a necessity for businesses across the globe.   

As cybercrime continues to rise at a steady rate, businesses must be vigilant in protecting their information from bad actors. In utilizing MFA for access and storage of sensitive information GDC helped NVA take the important first step to showing customers that they are a trusted resource to fulfill their needs.