Nymi & PingID: Exploring a Confluence of Authentication Trends
Authentication technologies and models are not standing still. Several exciting trends in the space are promising to completely revolutionize how enterprise employees, customers and consumers are authenticated.
Let's take a look at some of these trends:
These trends all either complement or enable each other in some way. Here's what we mean:
Ping recently worked with Canadian company Nymi™ to demonstrate an integration that ties together all of the above authentication trends. The Nymi Band™ measures the ECG from its user's wrist, and with the help of a companion app on a nearby phone, compares the measurement to a previously established template for that user's ECG.
Biometrics? Check. Local? Check.
Now, the dual challenge of local authentication, whether biometric or otherwise, is a) how the server prompts or challenges the client to perform a local authentication, and b) how to communicate the fact of that authentication back up to the server. Why? Because the associated identity attributes and policies sit at the server.
The FIDO Alliance, of which Nymi and Ping are sponsor members, offers the UAF and U2F protocols, which provide one model for addressing this challenge. If the local authentication (possibly biometric) is successful, then a private key is made available to sign a challenge issued by the authentication server.
The default FIDO model presumes that the authentication challenge issued by the server is delivered to the client via the application channel, through which the user interacts with the application on the server. But many authentication schemes rely on a separate mobile authentication channel, distinct from the application channel, as a means of interacting with users and their devices. These schemes provide a mechanism, different from the default FIDO model, by which the server can both initiate a local authentication on a client and subsequently be informed of the user's successful local authentication.
In the Ping/Nymi Band PoC, this mobile authentication channel is enabled by PingID. When the authentication server decides to have the user authenticate via that separate mobile channel, a notification is sent through a push service to launch the PingID app on the device.
The last item on the checklist is continuous authentication, which is provided by the Nymi Band. Once the user authenticates to the band via their ECG, a secure session is established with the Nymi companion app. Until that session expires, or the user removes the band and interrupts its continuity circuit, the user doesn't need to explicitly authenticate again.
So let's see how everything fits together. Here's a visual of the authentication flow with some details on the steps of what's happening, based on a typical day at the office:
Ping's future vision for adaptive authentication is one where usability doesn't need to be sacrificed for security. Explicit user sign-ons will become the exception rather than the norm where, for instance, a password becomes a step-up authentication and not the default. Leveraging the capabilities of devices for privacy-respecting biometric authentication, as standardized by FIDO and implemented through the Nymi Band, will certainly help make that future a reality.