Technical Standard Overview

Internet Finance Authentication alliance IFAAaims to achieve a more simple, more accurate way to verify the identity of human. The standard includes fingerprint, face, iris and other authentication methods. And the standard includes passwordless payment, QR code payment and other business innovation.

IFAA is working to achieve an innovative, open, convenient and secure identity ecosystem.

User Experience

IFAA currently offers three different ways to verify the user's identity for different scenarios. The identity verification technology based on PKI architecture can be a strong prevention against malicious attacks.

Currently, the authentication method includes local passwordless authentication, remote identification, and offline scenarios.

Local Passwordless Verification

Local passwordless verification can be applied to rich application scenarios, which is used to replace the traditional password login, password payment and other business scenarios to improve the user experience and enhance the security of the verification.

  • The user initiates authentication using the authenticated device;
  • Users use fingerprints, voiceprints, eye lines, iris and other biological methods to perform local verification on the device side;
  • The verification results will be transmitted to the server safely.

Verification procedure running in TEE greatly enhances the security of the overall architecture:

  • Computing Security: the core computing of the device is done in TEE to ensure that there is no injection risk during runtime.
  • No privacy risk: the whole process (local fingerprint comparison, fingerprint input, template storage, fingerprint verification) is done in TEE, sensitive data will not appear in Rich OS.
  • Encrypted storage: fingerprint templates, business-critical data are encrypted and stored in TEE, and the encryption keys for different machines are different.
  • Interactive security: the device communicates with the server through the encrypted channel, the interactive message is signed using a high-intensity asymmetric algorithm (2048 bits), and the replay attack is prevented by a strong random number.

Remote Identification

  • The user initiates identification using the authenticated device.
  • User uses his/her face to start the authentication, then the device gets the picture and extracts the biological characteristic of the picture, finally submits the data to the server after desensitization;
  • Server compares the device upload data with the server data to determine the user identity.

Wearable and IoT

  • User initiates authentication using the authenticated device;
  • The device reads the certificate data and combines other information (such as time, device information) to generate the transaction certificate, and then send the transaction certificate to the merchant through the QR code, sound waves, Bluetooth, etc. Finally sent certificate to server.
  • Server verifies the transaction certificate.

Implementation

Local Passwordless Verification

Registration

  • User choose a biometric method (e.g. fingerprint);
  • After the client fingerprint verification is successful, the client generates a pair of keys, which are bound to the user information, device and verification service.
  • The public key is sent to the server, the private key is stored in the local device, the private key is protected by the biometric verification.
  • The biometric comparison process is done at the client, and all biometric information does not leave the device;

Verification

  • User choose a biometric method (e.g. fingerprint);
  • After the client fingerprint verification is successful, unlock the private key to sign the verification result with this private key.
  • Send signature verification results to server, server verify the signature.

Remote Identification

  • User choose a biometric method (e.g. face);
  • The client extracts the biological characteristics features of the face and then desensitizes the data;
  • Finally sends the desensitized characteristic data to server, and compares the client data with the server data to get the result.

Wearable and IoT

Certificate delivery

  • Device (such as a watch) uses a key to interact with a verification server to establish a secure channel;
  • Verification server generates a certificate, sends it to device through the secure channel, and then store it after encryption.

Verification

  • Device reads the certificate information, combines the certificate and other information (such as time, equipment information) to generate the transaction certificate;
  • Device send the certificate to the merchant's device through sound waves, Bluetooth, etc. Finally the certificate will be sent to the server;
  • Verification server verify the client certificate.