Biometric-Enabled Wallets

We're excited to share a major advancement in the evolution of crypto wallet technology: the introduction of biometric authentication! Going forward, you can now access your wallet using fingerprint or facial recognition, making passwords a thing of the past. Biometric authentication isn't only the safest two-factor authentication (2FA); it's also quick, user-friendly and widely used in internet banking, offering a smooth experience that doesn't compromise on security.

To make this innovation possible, we've adopted the open-source standard protocol, WebAuthn, joining forces with industry leaders like Google, Apple, and Yubico in the Web Authentication working group by W3C. This protocol enables websites to use passkeys for authentication. A passkey is essentially a private key that can be stored in various authenticators like modern computer and phone’s secure enclaves, Yubikeys and other standard U2F hardware. The user can then leverage the biometric sensor (e.g. computer and phone) or PIN code (e.g. Yubikey) of the authenticator to secure the key. While biometrics is our preference, WebAuthn also supports PINs, passwords, Yubikeys, and other standard U2F hardware.

We're aware that there are still some areas for improvement in implementation and developer experience. We see these challenges as opportunities to grow and we're dedicated to improving the developer experience significantly every year. 

‍

The endless pursuit of user-friendly security

15 years ago, early crypto wallets relied on DIY methods like handwritten keys on paper or even memorization, raising major security concerns. As the scene developed, more robust but also more complex solutions emerged, such as hardware security modules (HSMs), multisignatures, and other cumbersome key ceremony frameworks. While these strengthened security, they only worked well for some use cases, mainly wealthy individuals and small businesses. However, they didn't scale well for large organizations and applications aiming to attract millions of users. So, the challenge remained. We needed to create a secure and accessible option for the mass user adoption envisioned and called for by the crypto industry.

Multi-party computation (MPC) came onto the scene later, making it easier for organizations and applications to scale by using off-chain cloud computing without needing constant on-chain signing. However, early MPC solutions often assumed that key shares had to be stored on user devices. This was partly due to a prevailing "self-custodial" ideology before 2020, where developers believed users had to physically hold their keys to truly own their wallets. This limited their thinking for alternative approaches.

In 2019, at Dfns, we challenged the self-sovereign narrative that viewed banks, governments and external parties as the biggest risks for crypto. Instead, we looked at the data and realized the biggest risk often came from users themselves. Losing keys due to mistakes, accidents, bad habits or forgetfulness was and still is the first security issue in crypto. When it happens, owners get locked out of their wallet and lose their funds. Consequently, Dfns’ focus is to protect people from themselves and make it easier and safer to use their wallets by creating safety nets.

The National Institute of Standards and Technology (NIST) puts it best in its Special Publication 800-57 part 1, rev. 5 (section 6.2.2.4) when discussing the association of keys with applications:

“Keying material is used with a given cryptographic mechanism (e.g., to generate a digital signature or establish keys) or with a particular application. Protection shall be provided to ensure that the keying material is not used incorrectly (e.g., not only must the usage or application be associated with the keying material, but the integrity of this association must be maintained). This protection can be provided by separating the keying material from that of other mechanisms or applications or by the use of appropriate metadata associated with the keying material.” 

Keeping keys safe is our top priority; that's why we separate key storage from everyday usage and business operations. Our clients and end-users (organizations, developers, and their users) interact with a secure API to control wallet keys remotely, using their authentication credentials. The private keys themselves are stored and distributed securely, either by us (fully managed), by the client (on-prem), or in a combination (hybrid). This separation ensures that even if our client loses passkeys, the private keys remain safe. Furthermore, it also allows for easy, familiar login options like biometrics while keeping critical keys protected in HSMs or secure enclaves across different locations.

Our dream is to invent a secure wallet that feels like an extension of yourself. This ideal wallet should be both secure and easy to use. Biometric verification, like fingerprint or face scans, gets us closer to this dream today. It's already part of our normal lives – from unlocking phones to bank apps – and it's only getting better day by day. The technology is growing more accurate every year, with studies from NIST showing a jump from 96% to 99.8% accuracy between 2014 and 2018. Biometrics offer a powerful step towards merging our wallets with our identity, making security both seamless and reliable.

"The first place a new user may start their Web3 journey is by opening a wallet, and if the UX feels foreign, cumbersome, or unfamiliar, the likelihood of conversion and retention drops precipitously. The beauty of using biometrics here is that it is extremely efficient in terms of UX”

– Clarisse Hagège, CEO of Dfns

If you doubt biometric authentication is suitable for applications and users, reconsider. The year is 2023 and biometric technology has significantly improved cross-browser compatibility as well as user acceptance, particularly among young people. Approximately 40% of Americans use facial recognition with at least one app on a daily basis. Among 18- to 34-year-olds, the adoption rate is 75%. These statistics are from a recent study by the facial recognition firm CyberLink in collaboration with the research company YouGov.

“There’s this perception that people aren’t ready for facial recognition technology, yet almost all of us are using it every day in one way or another. New use cases for AI-based computer vision and facial recognition are constantly emerging. The explosion of mobile apps, the password nightmare they generated, and the face login solution that followed drove initial adoption in the mass market.”

– Jau Huang, CEO of CyberLink

Integrating biometric authentication into wallets represents a significant advancement for web3, and we have achieved it. Dfns aims to transform crypto by adding biometric authentication into platforms, making it easier for developers to create wallets that are more intuitive for users.

‍

Say hello to WebAuthn

Imagine a world where passwords are relics of the past, replaced by a more secure and convenient way to access digital assets. This dream is becoming reality with WebAuthn.

Web Authentication (aka WebAuthn), formally recommended by the W3C and developed by a dedicated working group under John Fontana and Anthony Nadalin, defines a new way for apps to verify user identities using strong public key cryptography, which eliminates the vulnerabilities of traditional password-based systems. WebAuthn operates alongside other standards, such as Credential Management Level 1 and FIDO 2.0 Client to Authenticator Protocol 2, ensuring comprehensive security and compatibility across platforms and devices. Dfns is the first and only member organization to represent web3 and blockchain at the W3C WebAuthn working group which is made of Google, Apple, Yubico and other reputable security companies.

WebAuthn operates with three primary entities: the authenticator (your device), the client (your web browser), and the relying party (the website). These entities collaborate in two distinct scenarios: registration and authentication. The user agent (e.g., your web browser) manages all communication between these entities, as depicted in the diagram.

‍

Dataflow

1. Registration: Initiate the registration process on a website by choosing your preferred authentication method (for e.g., computer biometric sensor, security key, phone, etc.).
2. Browser Interaction: The browser activates the selected authenticator*, which then requests your confirmation (such as placing your finger on the scanner).
3. Key Generation: The authenticator generates a unique public-private key pair.
4. Public Key Sharing: The browser transmits the public key to the website for secure storage.
5. Authentication: When you attempt to log in subsequently, the website solicits confirmation from your authenticator.
6. Verification: Your authenticator confirms your identity and dispatches a signed message back to the website.
7. Access Granted: After the website verifies the signature with your public key, access is granted.

‍

‍

‍*Two types of authenticators exist: roaming authenticators, which connect via USB, Bluetooth, or NFC, and built-in platform authenticators. Although most modern browsers widely support roaming authenticators, support for platform authenticators is less widespread. Check if your browser supports both types of authenticators.

‍

Benefits

Here are the primary reasons why Dfns chose to adopt WebAuthn:

• Eliminates vulnerabilities to password-based attacks: Renders phishing and credential stuffing attacks ineffective.
• No central repository of sensitive information: Keeps private keys on the user's device, significantly reducing the risk of data breaches.
• Enhanced authentication techniques: Utilizes biometrics and security keys, providing a level of security superior to traditional passwords.
• Privacy-centric approach: Ensures biometric data used for authentication remains on the user's device. Services receive only cryptographic proofs, safeguarding user privacy.
• Effortless sign-in experience: Facilitates password-free login via a simple tap, touch, or glance.
• Compatibility across multiple devices: Allows for straightforward registration and authentication on various devices.
• Cross-platform functionality: Operates seamlessly across all major browsers and operating systems.
• Decreased dependence on external authentication services: Offers users greater control over their privacy and security.
• Streamlines password management: Eliminates the need to remember or reset multiple passwords.
• Paves the way for future technological advances: Lays the groundwork for securely accessing innovative applications and services.

‍

It’s not a one-click integration

While WebAuthn promises robust security and enhanced user experience, integrating it will take your team one week to complete on average.

There are also other aspects to consider prior to making a final decision: 

1. Not all use cases and users embrace WebAuthn with open arms. Some may prefer the familiarity of SMS or email OTPs, or the convenience of social logins though less secure.
2. Compared to plug-and-play social login SDKs, WebAuthn demands more integration time. Its robust security through stringent checks and verifications requires additional development (think 1 week vs. 1 day).
3. Unfortunately, Linux compatibility for WebAuthn can be a point of friction. Developers targeting a Linux audience might face challenges that need thoughtful workarounds.

But here's the silver lining: The security and user privacy benefits of WebAuthn outweigh the initial integration challenges. Phishing-resistant and passwordless authentication is a future worth investing in, and the developer experience is constantly improving:

• SDKs and CLIs: Streamlined WebAuthn integration is becoming easier with pre-built kits and command-line interfaces, reducing development time and complexity. Dfns currently offers Typescript, React Native and Go SDKs. 
• Endpoint unification: Dfns is working towards unifying authentication endpoints, simplifying API interactions and making implementation more consistent across browsers and devices.
• Relaxing assumptions: Recognizing the varied development contexts, some aspects of WebAuthn might evolve to offer configurable checks and relax assumptions, catering to wider use cases.

‍

References

• Dfns Adds Biometric Support to Wallet Development Toolkit
• Gen Z and millennials adoption of face biometrics reaches 75 percent
• Over half of consumers use biometrics to secure mobile devices
• Biometric Authentication And IDs: Why Faces Are Becoming Essential For The Security Of Data
• WebAuthn Github repository by W3C

‍

About Dfns

Dfns is the leading wallet-as-a-service platform in web3. Startups, enterprises and financial institutions use Dfns to create, embed and manage programmable wallets at scale powered by the fastest, most advanced MPC technology in the world. Built by PhDs and experts in security and cryptography, Dfns is leading research in threshold signatures applied to keys. Since 2020, Dfns helped ABN AMRO, Fidelity, Zodia and many others to create over a million wallets. We’ve raised over $25M with White Star Capital, Motive, ABN AMRO, Bpifrance, Coinbase, Semantic, Wintermute, Figment, Motier Ventures, Hashed, 6MV, Susquehanna and others.