Why SMS Verification is No Longer Enough
We wrote last month about how one-click KYC can only start with a very accurate first verification. However, the second verification only then works if you are very sure it is the same person. The same goes for even letting someone back into your app. For far too long, our best method for verifying users has been to send an SMS one-time passcodes (2FA). As it often goes in security — attackers caught up to us with rampant SIM swapping and phishing attacks — SMS OTPs are simply not enough anymore.
To perform a SIM swap, a bad actor gathers basic information about an individual, such as their full name, date of birth, address, and other identifying details. This information can be obtained through various means, including social engineering, data breaches, or phishing attacks. The attacker contacts the victim's mobile service provider and impersonates the victim to a customer support agent. They may claim to have lost their phone or SIM card and request a new SIM card or a SIM card replacement. Once the attacker successfully convinces the service provider, a new SIM card is activated and associated with the victim's mobile phone number. This effectively transfers control of the phone number (and 2FA codes) to the attacker.
Phishing 2FA codes is just as simple as phishing a password — an attacker can deploy a fake website, like go0gle(.)com, and send you a link via email (perhaps even by spoofing someone from your contact list). Once you get to this fake website, you’ll be prompted to login and reveal not only a username and password but also our 2FA code. The attacker can use this to breach your account just as easily.
In a world where your identity is portable, this means bad actors could exploit these vulnerabilities to access someone’s PII and gain the ability to create unlimited accounts under their name.
Passkeys Create Closed-Loop Ecosystems
Passkeys are based on new technology standards (WebAuthn/FIDO2) to use strong public-key cryptography to authenticate people on the internet. Eventually, they’ll replace passwords and SMS 2FA everywhere, but for now, they serve as an important tool for us to securely portablize identity. When the Footprint network verifies an identity through traditional KYC and IDV means (integrations with bureaus and data vendors like LexisNexis, Experian, IDology, etc) we do something special — we bind that identity to a cryptographic public key known as a Passkey. The crucial bit is that because Apple, Google, and Microsoft unified on this cryptographic standard, we can now use our favorite native mobile and desktop operating systems and browsers to securely manage these credentials and extend a beautiful user experience to access and use these keys. Because these keys are secured by the OS, protected by device-based enclaves and biometrics, and accessible only in secure contexts where keys are bound to domains to prevent phishing — we can massively reduce the friction and errors by skipping the arduous process of entering PII. Passkey authentication modernizes digital identity verification by improving authentication.
Underlying passkeys are public-private key pairs. Each public-key is uniquely bound to a specific “Relying Party” — or in simple terms a website like chase.com. This is great for both people and businesses. If you have a Chase account, and then someone tries to phish your Chase account, your keys for Chase won’t surface on the fake Chase.
How Passkeys Recognize You
Passkeys leverage multiple technologies to ensure fidelity in the verification. The first is specialized hardware components called Secure Enclaves on Apple devices. Each has a separate processor with its own secure storage that handles cryptographic operations related to security functions like passkeys.
Passkeys have two “ceremonies”: registration and authentication. The registration ceremony is enrollment whereby your device randomly generates a new public-private key pair — ideally when you first sign up for a new service. The generated public-key is stored alongside the “Relying Party ID” — often just the fully-qualified domain name of the website where you create your account, like “chase.com”. The private-key is stored in the Secure Enclave.
During the authentication ceremony, the client — often your web browser like Chrome or operating system like iOS, securely passes the context of the site you are authenticating to — the “Relying Party ID” — to the Passkey manager on the device, which then looks up one or more public-key credentials enrolled on that site. Upon your approval, typically using biometrics like FaceID, you unlock the corresponding private-key and perform a secure authentication using a cryptographic signature that can be verified by the site’s server using your previously registered public-key.
Phishing is not possible because your device simple won’t return any credentials for a fake website like go0gle.com and because it’s a distributed system where you are in possession of your own cryptographic private-key (and no one else) there’s no third-party man-in-the-middle to corrupt like a telco.
Why Passkeys are Crucial to Strong Identity
Many of the ideas behind Footprint are not new — but there are certain technologies like Passkeys which only recently took flight — that are crucial to making Footprint improve the status quo and not hurt it. As we've seen, other attempts to lower friction like pre-fill can actually hurt real people and contribute more to the fraud problem because it lowers the data barrier a fraudster needs to cross in order to steal an identity inside of a financial product. Similarly, there have been recent attempts to lower friction by lowering the fraud barrier as far as phishing a single multi-factor code in order to get a dump of a target's entire identity profile. Passkeys not only leverage strong cryptography, but do so in such a way that is virtually unphishable and uncrackable by most adversaries. Don't take our word for it — Webauthn (the protocol behind Passkeys) virtually stopped all phishing attacks at Google. We're excited to bring them to more companies and people.
Leveraging Passkeys for Re-Auth
We’re not stopping here though — our goal is to leverage these new security and usability advancements to continuously secure identity on the web. Once a passkey is associated with your identity we can use it as a secure, private way to confirm it’s really you not only during onboarding but when you’re updating private information or performing sensitive actions like a big transaction or accessing a financial document. This is just the beginning.
To Conclude
Footprint is proud to be the only KYC/KYB vendor to leverage a combination of app clips and passkeys to ensure integrity in the initial verification and consistency in ensuring it is the same person creating n+1 accounts. These are some of the core tools to our approach to triple-binding identity and fulfill our mission of bringing trust to the internet.