Website access via Touch ID or Face ID
User authentication without password hassles
Today’s leading online services pride themselves on advanced access systems. Users can swiftly and conveniently sign into their personal accounts with the assurance that their data is shielded from potential malicious threats.
In the mobile-centric age, users show a clear preference for mobile apps over traditional websites. One of the driving factors behind this is the effortless, secure, and user-friendly method of logging into an app account. Users are now accustomed to the fact that after an initial login with a username and password or an SMS code, they can set a PIN or enable fingerprint recognition (Touch ID) or face recognition (Face ID). This allows for almost instantaneous access with just one click.
The integrity of such a login mechanism remains strong. It essentially leverages two-factor authentication: verifying possession of the device (a mobile phone with the installed app linked to the user’s account) and either knowledge (in the case of a PIN) or biometric verification (in the cases of Touch ID and Face ID). Over recent years, users have become familiar with and widely adopted this login method for accessing online banking, brokerage apps, public services, and various other applications.
However, every time users wish to access their personal accounts from a mobile web browser, without installing a dedicated app, they’re tasked with the tedious process of re-entering usernames and passwords and waiting for, then inputting, verification SMS codes.
This leads to:
- Reduced user engagement. The more tiresome the login process becomes for an online service, the less likely users are to frequently utilize it. Currently, the need to recall or search for written passwords, coupled with potential delays when awaiting SMS codes during poor connectivity, diminishes the time a user spends within the service.
- Decreased user loyalty. Users accustomed to the streamlined experience of mobile apps are now inclined to switch to alternative banks or brokers whose mobile applications remain readily available in app stores.
- Escalated SMS costs. Previously, SMS costs were primarily incurred during the initial setup of mobile apps. However, now they’re expended at every login attempt. Users might access online banking or their broker’s personal dashboard several times daily, even for trivial tasks such as checking account balances or observing fluctuations in their asset portfolio. Each of these logins necessitates an SMS. Yet, in return, the user might not execute any revenue-generating transactions for the service provider. It’s also not feasible to simply deactivate the SMS verification and rely solely on usernames and passwords since this would critically compromise the security of the user’s account.
What’s the solution?
One of the most reliable solutions is to enhance the login system of mobile-optimized online services, allowing users to employ their familiar Touch ID and Face ID. The FIDO2/WebAuthn technology can be a game-changer here.
This technology enables online services to leverage the Trusted Platform Module (TPM) built into contemporary smartphones and computers. These are specialized cryptographic processors designed for the secure storage of security keys on devices. Mobile browsers like Chrome and Safari, starting with Android 7 and iOS 14.5, support the WebAuthn standard, facilitating the use of TPMs for authentication on smartphones and tablets. With the upcoming iOS 15 and macOS Ventura updates, Apple has further integrated with FIDO2 and introduced authentication using Passkeys.
Integrating FIDO2-based login presents several advantages:
- User-friendly authentication. Users experience a seamless and familiar login process with Touch ID and Face ID, mirroring the ease of mobile app usage.
- Enhanced security. Unlike the traditional username/password and SMS verification code methods, FIDO2 authentication provides anti-phishing measures. Once the initial security key registration is securely conducted, subsequent authentications can only be carried out on the official online service website. A phishing site cannot request authentication with a security key registered for the official online service, because the browser will identify a domain mismatch.
- Maintained two-factor authentication benefits. Password verification is replaced with biometric authentication (Touch ID or Face ID), and SMS verification code validation is supplanted by a device possession check using the TPM, which houses the cryptographic security keys assigned to the user’s specific account and the official online service.
- Reduced SMS expenditure. The number of SMS messages required for the login process drastically diminishes, leading to significant resource savings and cost reductions.
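The domain binding and the two factors described above also show up in what the server checks on each WebAuthn login. The sketch below is an added example, not code from this page or from Blitz Identity Provider: it runs on Node.js with built-in modules only, and the names `bank.example` and `bank-login.example`, the helper functions and the simulated authenticator are assumptions constructed for illustration.

```javascript
const crypto = require('node:crypto');

const RP_ID = 'bank.example';            // assumed relying-party ID
const ORIGIN = 'https://bank.example';   // assumed official origin
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Server-side checks on a login assertion; returns 'ok' or the rejection reason.
function verifyAssertion({ clientDataJSON, authenticatorData, signature }, challenge, publicKey) {
  const client = JSON.parse(clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'wrong type';
  if (client.challenge !== challenge) return 'challenge mismatch';
  // Origin is written by the browser, not the page, so a look-alike site shows up here.
  if (client.origin !== ORIGIN) return 'origin mismatch';
  // First 32 bytes of authenticatorData: SHA-256 of the RP ID the key was used for.
  if (!authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return 'rpIdHash mismatch';
  const flags = authenticatorData[32];
  if (!(flags & 0x01)) return 'user not present';
  if (!(flags & 0x04)) return 'user not verified';   // UV bit: biometric or device PIN
  // Possession factor: signature over authenticatorData || SHA-256(clientDataJSON).
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, signature) ? 'ok' : 'bad signature';
}

// Constructed stand-in for the browser plus authenticator, for this demo only.
function simulateAssertion(privateKey, pageOrigin, rpId, challenge, flags = 0x05) {
  const clientDataJSON = Buffer.from(
    JSON.stringify({ type: 'webauthn.get', challenge, origin: pageOrigin }));
  const authenticatorData = Buffer.concat(
    [sha256(rpId), Buffer.from([flags]), Buffer.alloc(4)]);   // 4 zero bytes: signCount
  const signature = crypto.sign('sha256',
    Buffer.concat([authenticatorData, sha256(clientDataJSON)]), privateKey);
  return { clientDataJSON, authenticatorData, signature };
}

function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const other = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const challenge = crypto.randomBytes(32).toString('base64url');
  const check = (key, origin, rpId, flags) =>
    verifyAssertion(simulateAssertion(key, origin, rpId, challenge, flags), challenge, publicKey);
  return {
    genuine: check(privateKey, ORIGIN, RP_ID),
    phishingOrigin: check(privateKey, 'https://bank-login.example', RP_ID),
    foreignRpId: check(privateKey, ORIGIN, 'bank-login.example'),
    noBiometric: check(privateKey, ORIGIN, RP_ID, 0x01),
    wrongKey: check(other.privateKey, ORIGIN, RP_ID),
  };
}

console.log(demo());
```

Only the first case is accepted; each of the others is rejected at the check that corresponds to the missing guarantee (site identity, biometric verification, or possession of the registered key).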
How to implement FIDO2/WebAuthn support?
Adding support for login via Touch ID or Face ID to corporate and client websites, and preparing for future integration of Passkeys, is a straightforward process. This capability is offered by the Blitz Identity Provider authentication server.
Blitz Identity Provider can either completely replace your existing user authentication system or serve as an additional alternative within the current setup. To integrate with corporate and client websites or your existing authentication system, there’s no need to develop a complex process for registering and linking user security keys. Integration with Blitz Identity Provider is accomplished using the OpenID Connect or SAML protocols.
The Blitz Identity Provider server enables users to set up security key linkage upon login and use it for subsequent authentications. For an in-depth exploration of smartphone login scenarios to online banking or brokerage applications via mobile browsers using Touch ID or Face ID, request a demonstration of our product’s capabilities. Consider initiating a pilot implementation for your organization.