The fundamental differences between BOPS and FIDO biometrics
Hector Hoyos is the founder and CEO at Hoyos Labs.
There is no question that PIN- and password-based identity authentication solutions have become obsolete. The explosion of websites and devices in recent years means that consumers must now manage numerous accounts, often leading people to reuse the same passwords across different sites. This, in turn, increases the risk of a breach for enterprises that are charged with securing account credentials, as hackers continually find ways to infiltrate networks.
With cyber-espionage attacks expected to increase in frequency as long-term players become stealthier, and as information gatherers and newcomers look for ways to steal money and disrupt adversaries [1], the need for robust, highly secure identity authentication has never been greater.
Two solutions that have gained traction recently – the Fast IDentity Online (FIDO) Alliance and Biometric Open Protocol Standard (BOPS) – use biometrics to perform identity authentication.
Both FIDO and BOPS address the need for an easier way to not only help consumers to manage multiple accounts and passwords but also to allow enterprises to protect against hacks and data breaches while ensuring great user experiences for customers. Both utilise biometrics to reduce dependence on PINs and passwords. Both also seek to solve interoperability issues between existing authentication solutions, which have long been regarded as an industry-wide problem that directly relates to the increase in fraud across many sectors.
However, there are key differences between FIDO and BOPS that bear examining, including a critical distinction regarding the handling of the security certificate.
What are FIDO and BOPS?
FIDO is an alliance of member vendors that was formed to address the lack of interoperability among strong authentication devices. The Alliance has developed two sets of technical specifications for dealing with Internet services: one (UAF) defines a common client interface for passwordless log-in, in which a FIDO authenticator verifies the user locally, for example by fingerprint or PIN, and signs a server challenge with a key held on the device; the other (U2F) allows online services to augment the security of their existing password infrastructure by adding a second factor, a FIDO-supported physical key such as a USB or NFC-enabled device, to the user log-in process.
BOPS is a biometric-neutral protocol that features pluggable and interchangeable modules that provide identification, access control, authentication, role gathering and auditing. It defines an end-to-end identity authentication platform, integrating front- and back-end systems and including rules that govern secure communications within those environments, as well as the protection of digital assets and identities. It was also fundamentally based on biometrics at the outset, unlike any other identity framework or protocol in existence today.
The most critical difference between FIDO and BOPS is the way that security certificates are handled. Under the FIDO specifications, an authenticator proves what it is at registration with an attestation certificate and private key that the manufacturer shares across a whole batch of devices of the same model, so the same attestation key is relied upon globally by every organisation that accepts those devices. (Each registration still generates a fresh key pair that is unique to that user and that service; it is the attestation key, not the per-account key, that is shared.) The danger is that those organisations are delegating the decision of which devices may enter their networks to whoever administers that common certificate: a leaked batch key, or a lapse by the manufacturer, lets any device pass as genuine at registration in every deployment that trusts it.
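To make that distinction concrete, here is an added example written in Go with only the standard library. It is not FIDO code, not a FIDO specification artefact, and not part of the original article; it models the two kinds of key in simplified form: a batch attestation key shared by every authenticator a manufacturer ships in one batch, and a per-registration credential key pair unique to one user at one service. The relying-party name, user names and challenge are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Simplified model, not the FIDO wire protocol: one attestation key is shared by
// every authenticator in a manufacturer batch, while each registration creates a
// fresh credential key pair bound to one relying party (RP).

type Authenticator struct {
	attest *ecdsa.PrivateKey            // batch attestation key, shared
	creds  map[string]*ecdsa.PrivateKey // per-RP credential keys, unique
}

func NewAuthenticator(batchKey *ecdsa.PrivateKey) *Authenticator {
	return &Authenticator{attest: batchKey, creds: map[string]*ecdsa.PrivateKey{}}
}

// attestDigest binds a credential public key to the RP it was created for.
func attestDigest(rp string, pub *ecdsa.PublicKey) []byte {
	msg := append([]byte(rp+"|"), pub.X.Bytes()...)
	h := sha256.Sum256(append(msg, pub.Y.Bytes()...))
	return h[:]
}

// Register creates a fresh credential key and attests it with the batch key.
// The attestation signature is all the RP can use to judge the device.
func (a *Authenticator) Register(rp string) (*ecdsa.PublicKey, []byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	a.creds[rp] = priv
	sig, err := ecdsa.SignASN1(rand.Reader, a.attest, attestDigest(rp, &priv.PublicKey))
	return &priv.PublicKey, sig, err
}

// Authenticate signs a challenge with the per-RP credential key only; the
// shared attestation key plays no part after registration.
func (a *Authenticator) Authenticate(rp string, challenge []byte) ([]byte, error) {
	if a.creds[rp] == nil {
		return nil, fmt.Errorf("no credential for %s", rp)
	}
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, a.creds[rp], h[:])
}

type RelyingParty struct {
	name     string
	trusted  *ecdsa.PublicKey            // manufacturer's batch attestation key
	accounts map[string]*ecdsa.PublicKey // one credential key per user
}

// Enroll accepts a new credential only if the batch attestation verifies.
func (rp *RelyingParty) Enroll(user string, pub *ecdsa.PublicKey, attest []byte) bool {
	if !ecdsa.VerifyASN1(rp.trusted, attestDigest(rp.name, pub), attest) {
		return false
	}
	rp.accounts[user] = pub
	return true
}

// Login verifies a challenge signature against the user's stored credential key.
func (rp *RelyingParty) Login(user string, challenge, sig []byte) bool {
	h := sha256.Sum256(challenge)
	return rp.accounts[user] != nil && ecdsa.VerifyASN1(rp.accounts[user], h[:], sig)
}

// Scenario reports (enrolled, ownerLogsIn, batchKeyEnrols, batchKeyImpersonates).
func Scenario() (bool, bool, bool, bool) {
	batchKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rp := &RelyingParty{name: "bank.example", trusted: &batchKey.PublicKey,
		accounts: map[string]*ecdsa.PublicKey{}}
	alice := NewAuthenticator(batchKey)
	pub, attest, _ := alice.Register(rp.name)
	enrolled := rp.Enroll("alice", pub, attest)
	challenge := []byte("constructed nonce 1") // constructed sample challenge
	sig, _ := alice.Authenticate(rp.name, challenge)
	ownerLogsIn := rp.Login("alice", challenge, sig)
	// A second device from the same batch, or anything holding a leaked batch key.
	other := NewAuthenticator(batchKey)
	pub2, attest2, _ := other.Register(rp.name)
	batchKeyEnrols := rp.Enroll("mallory", pub2, attest2) // attestation passes
	sig2, _ := other.Authenticate(rp.name, challenge)
	batchKeyImpersonates := rp.Login("alice", challenge, sig2) // wrong credential key
	return enrolled, ownerLogsIn, batchKeyEnrols, batchKeyImpersonates
}

func main() {
	fmt.Println(Scenario()) // true true true false
}
```

Running the scenario shows what the shared key does and does not grant. Any device holding the batch attestation key, whether a sibling from the same batch or an attacker with a leaked copy, passes attestation and can enrol as a new account, because the relying party's admission decision rests entirely on that manufacturer key; it cannot, however, authenticate as an existing user, whose credential key it never held.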
Additionally, FIDO essentially “glues” the vendor frameworks together via multiple API layers to handle both biometric and non-biometric technologies. Since the API layers are controlled by multiple vendors, the solution is only as good as the weakest link, because each company that’s using the framework is dependent on the APIs, communications and security measures – good or bad – of the other member vendors.
Multiple API layers also mean that the architecture needs separate transaction layers to identify a person, process the non-biometric authentication method, create the biometric identity and link the biometric identity to the authorisation scheme. The fault of this design is that each layer is a separate point of failure, and each hand-off between layers widens the attack surface.
In contrast, BOPS integrates its security protocol into a single layer in which certificates are automatically managed. This design reduces the number of failure points and limits the damage a weak component can do, because the multi-vendor hand-offs are removed and the attack surface shrinks with them. BOPS enforces the binding of the person to the role, location and resources that the person is given access to, and to the device(s) that he or she is authorised to use, all within the single layer. A true biometric identity authentication solution MUST allow a person to be both authenticated (identity validated with a high degree of confidence) and authorised (following rules that determine who is allowed to perform an operation, at what location and with what resources) within a single transaction layer, to ensure the highest degree of security and privacy.
Lastly, BOPS uses a technique called visual cryptography to protect channel transmissions and certificate bindings. The biometric vector is split into two "halves," or shares, constructed so that no useful information can be extracted from either one on its own: the vector is recoverable only when both shares are brought together. This design allows an individual to link multiple devices to his or her identity without creating duplicate identities on the server, and it protects the biometric vector itself, since a compromised share is useless without its counterpart.
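As an added illustration (not the BOPS or IEEE implementation, and not part of the original article), the following Go program shows the binary case of such a two-share split: for bit strings, a 2-of-2 visual-cryptography scheme is equivalent to XOR secret sharing, with one share drawn at random and the other being the vector XOR that share. The 16-byte vector, the noisy probe and the bit-error threshold are constructed values standing in for a real biometric template and its matching tolerance.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"math/bits"
)

// Added toy of a two-share split (XOR secret sharing, the bit-string case of
// 2-of-2 visual cryptography). Not the BOPS / IEEE 2410 implementation.
// Share A is uniformly random, share B is vector XOR A; neither share alone
// carries any information about the vector.

// Split returns two shares of vec. Share A comes from a CSPRNG.
func Split(vec []byte) (a, b []byte, err error) {
	a = make([]byte, len(vec))
	if _, err = io.ReadFull(rand.Reader, a); err != nil {
		return nil, nil, err
	}
	b = make([]byte, len(vec))
	for i := range vec {
		b[i] = vec[i] ^ a[i]
	}
	return a, b, nil
}

// Recombine recovers the vector; it needs both shares, of equal length.
func Recombine(a, b []byte) ([]byte, error) {
	if len(a) != len(b) {
		return nil, errors.New("share length mismatch")
	}
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out, nil
}

// OtherShareFor shows why one share leaks nothing: for ANY candidate vector
// there is a counterpart share that recombines to it, so an attacker holding
// one share cannot tell the real vector apart from any other guess.
func OtherShareFor(have, candidate []byte) []byte {
	if len(have) != len(candidate) {
		return nil
	}
	out := make([]byte, len(candidate))
	for i := range candidate {
		out[i] = candidate[i] ^ have[i]
	}
	return out
}

// HammingDistance counts differing bits between two equal-length codes, the
// usual metric for binary biometric templates (a fresh capture never matches
// the enrolled template exactly).
func HammingDistance(x, y []byte) int {
	d := 0
	for i := range x {
		d += bits.OnesCount8(x[i] ^ y[i])
	}
	return d
}

// Verify recombines the shares only at match time and compares the probe
// against the recovered template under a bit-error threshold.
func Verify(a, b, probe []byte, threshold int) bool {
	template, err := Recombine(a, b)
	if err != nil || len(template) != len(probe) {
		return false
	}
	return HammingDistance(template, probe) <= threshold
}

func main() {
	vec := []byte("constructed-vec!") // constructed 16-byte stand-in template
	a, b, err := Split(vec)
	if err != nil {
		panic(err)
	}
	probe := append([]byte{}, vec...)
	probe[3] ^= 0x05 // two flipped bits, standing in for a noisy re-capture
	fmt.Println("noisy probe matches:", Verify(a, b, probe, 8))
	// Share A is equally consistent with an attacker's arbitrary guess.
	guess := []byte("attacker's guess")
	explained, _ := Recombine(a, OtherShareFor(a, guess))
	fmt.Printf("share A + crafted share B = %q\n", explained)
}
```

The point of OtherShareFor is the caveat a practitioner should check before trusting any "split storage" claim: the protection holds only when one share is generated with a cryptographic random source and the two shares are kept under different control, since whoever holds both holds the template.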
FIDO depends on its member base to adhere to guidelines that advance the common goals and interests of the alliance as a way of "standardising" its specifications and methods. The fundamental flaw in this design is that it depends on the continued willingness of member vendors to work together to further the common specifications despite often-competing business interests and dependencies that will shift over time as the market changes. Given that the global biometrics market is expected to generate more than $30 billion in annual revenue by 2020 [2], that's a pretty big bet.
BOPS, on the other hand, is published and maintained as an open standard (IEEE 2410) by the Institute of Electrical and Electronics Engineers (IEEE), a globally recognised standards organisation. Opening the protocol to the entire IEEE technical community ensures vendor neutrality, allowing anyone to implement and improve upon it. This is a huge advantage for BOPS customers in that it creates transparency and a single point of governance and eliminates dependence on multiple vendors.
The FIDO specifications are intended to “fill in the gaps” across member vendors’ architectures using a common set of protocols and APIs. While these vendor APIs interoperate to provide an end-to-end solution, it is one that requires a high level of vendor orchestration for changes, which increases implementation and maintenance costs.
In contrast, BOPS is vendor- and biometric-neutral, and its certificates are automatically managed by the solution. The unified security framework is built on an open protocol standard covering the full end-to-end infrastructure, from biometric identity on the client device, to the server, to intrusion detection and all of the peripheral connectivity to the existing enterprise security architecture. Two major advantages of BOPS are that it works with any biometric or third-party biometric solution, and that it can be used to strengthen the security of FIDO environments. For the latter, FIDO authenticators can be integrated into a BOPS server, which allows BOPS to manage all certificates and cross-platform security transactions under a single central platform.
While FIDO and BOPS both utilise biometrics to protect and authenticate identities, BOPS is clearly the more comprehensive and secure solution given its single-layer architecture, automated private certificate management and IEEE standardisation and governance.
1. McAfee Labs. 2015 Threat Predictions. December 2014.
2. Goode Intelligence. Biometrics for Banking: Market and Technology Analysis, Adoption Strategies and Forecasts 2015-2020. June 2015.
Hoyos has been in the biometrics and IT fields since the mid-1980s as the founder and president of various cutting-edge companies. He co-founded and presided over Biometrics Imagineering Inc., creating state-of-the-art technologies such as fingerprint, face and iris identification systems and interactive financial transaction systems. Hoyos holds 59+ patents, issued and pending, and has developed proprietary technologies and solutions currently in use by millions of people across the world.
He was instrumental in starting the Praetorian technology, a real-time video surveillance technology, which in February 2008 was awarded a training/video surveillance contract by the U.S. Marine Corps. Additionally, Hoyos served as founder and CEO of EyeLock Inc. (formerly Global Rainmakers), an iris-based identity authentication company, inventing the highly acclaimed HBOX, EyeSwipe and EyeLock products.
Early in his career, Hoyos digitised the document flow for San Juan, Puerto Rico’s federally funded housing program and later launched Hoyos International, which wrote software for oil explorers tracking seismic activity.