
Identity, security, privacy

Apple’s Touch ID has taken the world by storm and, with official fingerprint biometric support now also coming to Android M, it looks like username and password prompts on mobile applications will soon go the way of the VCR and the gramophone player.

Still, unlike usernames and passwords, which we can change at will, we only have one set of biometric prints. If our biometrics fall into the hands of hackers, they become useless to us, forever. The consensus amongst industry experts such as the FIDO Alliance and Apple is that we must limit exposure to our private biometric data by not sharing it, keeping it instead locked down on our personal devices. In other words, that record of your fingerprint used to unlock your iPhone should never leave your device. Not even Apple has access to it.

This is great for privacy and for the sustainability of biometric-based security systems, but it presents an enormous challenge for application developers who want to use fingerprints to replace passwords. Many mobile applications that leverage Touch ID are simply informing the remote service that the user’s fingerprint has been successfully matched locally. The hitch is that fraudsters can very easily tell the remote service the same thing – without matching the user’s fingerprint at all.

How do we bridge the gap between fingerprints, a device-bound user identification technology, and the need for authentication to a remote party? How do we do so without revealing our sensitive biometric data?

Bridging the gap

Entersekt’s Transakt has been purposefully designed to act as a bridge between local biometrics matching and remote authentication. The Transakt SDK integrates seamlessly into any mobile application and creates a unique asymmetric key pair the first time your application is started up. The private portion of the key pair is only made accessible once your biometric print has been scanned. The public part of the key pair is sent to the remote service. This asymmetric key pair acts as a proxy for your fingerprint: your actual print is never revealed. Not even your private key is revealed.

On successful local validation of your fingerprint, the operating system (iOS or Android) grants the Transakt SDK access to the private key. A challenge is then created by the remote service and the key on the mobile device is used to create a response that proves ownership of the private key and, by proxy, the user’s biometric prints.
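The flow described above, as an added illustration in Go rather than Transakt’s own code: enrollment creates a P-256 key pair and registers only the public half, the server issues a random challenge, the device signs it only after the local biometric gate has passed, and the server verifies the signature. The biometric gate is simulated with a flag (an assumption; on a real phone the OS keystore enforces it).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Device holds the key pair created on first launch. BiometricMatched stands in
// for the OS keystore gate that releases the private key only after a local match.
type Device struct {
	priv             *ecdsa.PrivateKey
	BiometricMatched bool
}

// Server stores only the public half registered at enrollment.
type Server struct{ pub *ecdsa.PublicKey }

// Enroll creates the device key pair and hands the public key to the server.
func Enroll() (*Device, *Server, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{priv: priv}, &Server{pub: &priv.PublicKey}, nil
}

// NewChallenge issues a fresh random nonce per attempt, so a captured response cannot be replayed.
func (s *Server) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Respond signs the challenge, but only once the biometric gate has been passed;
// no bare "fingerprint matched" flag is ever sent to the server.
func (d *Device) Respond(challenge []byte) ([]byte, error) {
	if !d.BiometricMatched {
		return nil, errors.New("private key locked: no biometric match")
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, d.priv, digest[:])
}

// Verify checks the response against the enrolled public key and the exact
// challenge this server issued, so forged or replayed responses fail.
func (s *Server) Verify(challenge, response []byte) bool {
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(s.pub, digest[:], response)
}
```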

This is the secure way to enable biometrics in your app. By embedding the Transakt SDK into your mobile application, you can be part of the movement toward a password-free digital world too!



Christiaan Brand

FORMER CTO


Entersekt is an innovator of customer-centric fintech solutions. Financial services providers and other enterprises rely on our patented mobile identity system to provide both security and the best in convenient new digital experiences to their customers, irrespective of the service channel. With us, they can concentrate on their innovation roadmap, while delivering intuitive, low-friction digital experiences to their customers.