BioALeg - Enabling Biometric Authentication in Legacy Web Sites

Abstract

The authentication of users in legacy web sites via mobile devices is still a challenging problem. Users are required to provide passwords, introducing several vulnerabilities: since strong passwords are hard to memorize, users often use weak passwords that are easy to break, and passwords can be intercepted by malware and stolen. In this paper we propose a novel architecture, named BioALeg, to support secure biometric authentication on legacy websites. Our approach leverages the potential of a Secured Personal Device (SPD), a hardware add-on for mobile phones that is being developed in the context of the PCAS European project. The device offers biometric authentication and secure storage services. BioALeg uses this infrastructure, and a companion web site plugin, to support biometric authentication in legacy web sites that currently use username/password authentication. In order to perform authentication, the smartphone requests a One Time Password (OTP) to the service provider when the user tries to access the service using the SPD. Due to the architecture and implementation of the SPD, the OTP transfer only occurs after the owner of the phone and SPD is correctly authenticated using biometrics. The PCAS infrastructure guarantees that, after the biometric authentication, the user identity is valid and accepted by all components. BioALeg has been implemented as an Android service and integrated with legacy web sites.