What is Biometric Authentication and Why It Matters To Your Business?

Embrace Biometric Authentication to Secure Sensitive Business Data

Joe Priff, Solutions Architect
GDC Application Services


We no longer live in a time where retina and fingerprint scanners are only seen in sci-fi movies. Biometric Authentication, a security process that falls under the umbrella of Multi-Factor Authentication (MFA), verifies a user’s identity through unique biological traits such as retinas, irises, voices, facial characteristics, and fingerprints. These systems compare physical or behavioral traits to stored, confirmed, authentic data in a database. If both samples of the biometric data match, authentication is confirmed.  

As cybercrime continues to infiltrate our everyday lives, businesses must be vigilant in protecting their information from outside entities. Utilizing MFA for employee access to sensitive information and/or locations is an essential first step to creating a safe environment where staff and clients know their information is secure. 

The use of Biometric Authentication is recommended whenever possible as the secure standard for account management. Both Apple and Android have taken similar measures in providing a safe and trusted method for their customers to authenticate with native and third-party applications through face and fingerprint recognition.  


The Apple vs. Android Mobile App Approach 

The core of biometric authentication starts with dedicated hardware within the phone that stores all user biometric information. For Apple, this piece of hardware is known as the “Secure Enclave” and resides within the System on Chip (SoC), an integrated circuit (IC) that incorporates multiple components into a single chip. The Secure Enclave is isolated from the main processor to provide an extra layer of security and is designed to keep sensitive user data secure even when the Application Processor kernel becomes compromised. 

Android devices follow a similar pattern. However, they do not have one strict hardware requirement currently due to the vast number of supported devices under the Android OS. Instead, Android devices have either a Secure Element (SE) or a Trusted Execution Environment (TEE).  

The SE is a microprocessor chip which can store sensitive data and run secure apps. It acts as a vault, protecting what is inside from the malware attacks that are typical in the device operating system. It is the recommended architecture for Biometric Authentication and ships in newer devices. It plays the same role as Apple’s Secure Enclave and uses a separate microchip dedicated to security processes.

The TEE is slightly different, as it is a secure area of the main processor which runs its own operating system and communicates with the main operating system through a “restricted” interface. It runs in parallel with the operating system in an isolated environment. It guarantees that the code and data loaded in the TEE are protected with respect to confidentiality and integrity.

From there, Apple and Android devices handle Biometric Authentication similarly: the operating system’s local authentication layer is responsible for direct communication, over a secure tunnel, between the application and the place where the biometric data is stored.


Figure 1: Biometric Authentication Overview

Application Interaction with Stored Biometric Data

Applications cannot access the Secure Layer directly for biometric data on either Apple or Android devices. Instead, applications must communicate with the Secure Layer indirectly by utilizing the Security Framework, which protects information, establishes trust, and controls access to software. It can be utilized to establish a user’s identity (authentication) and selectively grant access to resources (authorization). The Security Framework calls upon the Local Authentication Framework from the phone’s operating system that authenticates users biometrically or with a familiar passphrase. 

From there, the Local Authentication Framework sends the necessary authentication credentials (finger or face) to the Secure Layer (Apple Secure Enclave or Android Secure Element) through its Credential Management. This framework is responsible for securely establishing connections between endpoints. In the case of biometry, it forms the middle layer between the Local Authentication Framework and biometric storage, or “Secure Nonvolatile Storage,” the storage location for all user data encryption keys, including biometric data.

The Secure Layer then processes the submitted authentication, checks it against the stored Biometric Data, and returns ONLY a true or false value to the application. This ensures that none of the user’s Biometric Data is ever accessible to the application, so it cannot be extracted or exploited from the app side.
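The Android side of the two flows above (choosing Secure Element over TEE, then letting the OS prompt do the matching) as an added example; this is not code from the article or from GDC. It assumes API 28+ and the androidx.biometric library; the key alias and function names are hypothetical.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import android.security.keystore.StrongBoxUnavailableException
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey

const val KEY_ALIAS = "demo_biometric_key"  // hypothetical alias, not from the article

// AES key the hardware will only use after a fresh biometric match. setIsStrongBoxBacked(true)
// requests the Secure Element; a TEE-only device throws StrongBoxUnavailableException.
fun getOrCreateKey(): SecretKey {
    val ks = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
    (ks.getKey(KEY_ALIAS, null) as? SecretKey)?.let { return it }
    fun spec(strongBox: Boolean) = KeyGenParameterSpec.Builder(
            KEY_ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setUserAuthenticationRequired(true)        // unusable without user auth
        .setInvalidatedByBiometricEnrollment(true)  // new enrollment => key is gone
        .setIsStrongBoxBacked(strongBox).build()
    val kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
    return try {
        kg.init(spec(true)); kg.generateKey()       // Secure Element (StrongBox)
    } catch (e: StrongBoxUnavailableException) {
        kg.init(spec(false)); kg.generateKey()      // fall back to the TEE
    }
}

// The app never sees the template: it gets only a success/failure callback, and the
// sole thing a success unlocks is one use of the hardware-held key.
fun authenticateAndEncrypt(activity: FragmentActivity, plaintext: ByteArray,
                           onDone: (ciphertext: ByteArray?, iv: ByteArray?) -> Unit) {
    val cipher = Cipher.getInstance("AES/GCM/NoPadding").apply { init(Cipher.ENCRYPT_MODE, getOrCreateKey()) }
    val callback = object : BiometricPrompt.AuthenticationCallback() {
        override fun onAuthenticationSucceeded(r: BiometricPrompt.AuthenticationResult) {
            val c = r.cryptoObject?.cipher ?: return onDone(null, null)
            onDone(c.doFinal(plaintext), c.iv)      // store iv with the ciphertext
        }
        override fun onAuthenticationError(code: Int, msg: CharSequence) = onDone(null, null)
    }
    val info = BiometricPrompt.PromptInfo.Builder().setTitle("Unlock")
        .setAllowedAuthenticators(BiometricManager.Authenticators.BIOMETRIC_STRONG)
        .setNegativeButtonText("Cancel").build()
    BiometricPrompt(activity, ContextCompat.getMainExecutor(activity), callback)
        .authenticate(info, BiometricPrompt.CryptoObject(cipher))
}
```

Because the key is marked user-authentication-required, `doFinal` only works on the cipher handed back by the prompt; a caller that skips the prompt gets an exception, not plaintext.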

By embracing security tools such as Biometric Authentication, you are investing in a more secure future for your employees and clients. While the technology may be intimidating, GDC has experts available to help decide which option is best for your business. Don’t wait until a security breach happens. The technology to help your business thrive is right at your fingertips – literally. 


Figure 2: Application Authentication Workflow

Glossary

  • Secure Enclave – A dedicated secure subsystem integrated into Apple systems on chip (SoCs). The Secure Enclave is isolated from the main processor to provide an extra layer of security and is designed to keep sensitive user data secure even when the Application Processor kernel becomes compromised.
  • System on Chip (SoC) – An integrated circuit (IC) that incorporates multiple components into a single chip.
  • Trusted Execution Environment (TEE) – A secure area inside a main processor. It runs in parallel with the operating system in an isolated environment. It guarantees that the code and data loaded in the TEE are protected with respect to confidentiality and integrity.
  • Secure Element (SE) – A microprocessor chip which can store sensitive data and run secure apps. It acts as a vault, protecting what is inside from the malware attacks that are typical in the device operating system.
  • Biometric Authentication – Security processes that verify a user’s identity through unique biological traits such as retinas, irises, voices, facial characteristics, and fingerprints.
  • Security Framework – A framework in charge of protecting information, establishing trust, and controlling access to software. It can be utilized to establish a user’s identity (authentication) and selectively grant access to resources (authorization).
  • Local Authentication Framework – A framework in charge of authenticating users biometrically or with a passphrase they already know.
  • Credential Management – A framework in charge of securely establishing connections between endpoints. In the case of biometry, it is the middle layer between the Local Authentication Framework and biometric storage (Secure Nonvolatile Storage).
  • Secure Nonvolatile Storage – The storage location for all user data encryption keys, including biometric data.
