An account acts as an indispensable network access credential for everyone in this digital world. It is associated with a user's digital assets and privacy, and even affects the security of their physical assets.
Ensuring account security has become a focal point that challenges developers. The process of confirming who is behind an account is known as identity verification, and it plays an important part in account security.
Account hacking happens all the time and often comes with bad consequences. A leaked bank account password can lead to significant economic losses. A hacker tends to clear all paid props of the account holder after they break into a game account. In social media, however, a prankster steals accounts to make offensive comments for fun, without specifically aiming to benefit financially.
Convenient sign-in methods have made signing into an app even easier, but this could also leave user accounts vulnerable to malicious people who cause harm or obtain illegal benefits. An essential cause of account hacking is that some authentication methods are overly simple.
In conventional account name plus password login scenarios, once the password is disclosed, the account can be signed in to by anyone. So, how can we cope with this problem?
The answer is two-factor authentication. This authentication method addresses the vulnerabilities during user identity verification and strengthens user account security.
What Is Two-Factor Authentication?
Two-factor authentication is a system built on time synchronization technology. It replaces traditional static passwords with a one-time password generated from the current time, an event, and a key.
More specifically, in addition to the combination of the account name and password, a layer of security authentication, that is, dynamic verification code, is added to verify user identity and ensure sign-in security. This authentication method is called two-step authentication or multi-factor authentication.
The verification code generated each time varies with the variables used for that authentication. Because the code changes with every use and cannot be predicted, it adds a layer of sign-in security on top of basic password authentication.
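As an added illustration of the time-synchronized one-time password described above (this is not Account Kit code), the following Go program implements TOTP as standardized in RFC 6238: an HMAC over a counter derived from the clock, dynamic truncation to six digits, and a server-side check that tolerates one step of clock drift. The secret is the RFC 6238 test key, a constructed input rather than a real credential.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"math"
	"time"
)

// TOTP (RFC 6238) = HOTP (RFC 4226) with the counter derived from the clock:
// counter = floor(unixTime / timeStep). Token and server share only the secret
// key and the time step, so a code is valid for one step and never repeats.

const (
	timeStep = 30 * time.Second
	digits   = 6
)

// hotp computes the HMAC-SHA1-based one-time password for an 8-byte counter.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)

	// Dynamic truncation: the low 4 bits of the last byte pick a 4-byte window,
	// whose top bit is masked off before reducing modulo 10^digits.
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	code %= uint32(math.Pow10(digits))
	return fmt.Sprintf("%0*d", digits, code)
}

// totp turns a timestamp into the time-step counter and delegates to hotp.
func totp(secret []byte, t time.Time) string {
	return hotp(secret, uint64(t.Unix())/uint64(timeStep/time.Second))
}

// verifyTOTP accepts the current step plus one step either side to absorb small
// clock drift between token and server; wider windows weaken the check.
// The comparison is constant-time so timing does not reveal matching digits.
func verifyTOTP(secret []byte, submitted string, now time.Time) bool {
	for skew := -1; skew <= 1; skew++ {
		expected := totp(secret, now.Add(time.Duration(skew)*timeStep))
		if hmac.Equal([]byte(expected), []byte(submitted)) {
			return true
		}
	}
	return false
}

func main() {
	// RFC 6238 test secret (ASCII "12345678901234567890"); a real deployment
	// provisions a random per-user secret during enrollment (constructed input).
	secret := []byte("12345678901234567890")
	for _, ts := range []int64{59, 1111111109, 1234567890} {
		fmt.Printf("T=%d -> %s\n", ts, totp(secret, time.Unix(ts, 0)))
	}
	fmt.Println("valid now:", verifyTOTP(secret, "287082", time.Unix(59, 0)))
}
```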
Two-factor authentication is applicable to a wide range of scenarios. Generally speaking, this authentication method can be adopted wherever a static password is used.
Nowadays, two-factor authentication is used in multiple fields, including the U key for online banking and the SMS verification code. Beyond finance, the "account name + password + dynamic password" authentication mode has been adopted by websites and apps in social networking, media, and more to cut security risks and protect users' digital assets and privacy. The devices and technologies for two-factor authentication are now mature. A two-factor authentication solution consists of three parts: the authentication device (token), the agent software, and the management server.
The authentication agent software functions between terminal users and network resources to be protected. When a user wants to access a resource, the authentication agent software sends the request to the management server for authentication.
For two-factor authentication to be workable, the management server that receives and verifies authentication requests must be highly reliable and secure, must support multiple two-factor authentication devices, and must integrate easily with the enterprise IT infrastructure: front-end network devices and service systems, and back-end account systems such as Active Directory (AD) and Lightweight Directory Access Protocol (LDAP) directories.
For independent developers and small and medium-sized enterprises, two-factor authentication is necessary for ensuring the security and reliability of their data assets. As multiple account systems with two-factor authentication services have been released on the market, you can simply integrate one to free up investment in the R&D of agent software and management servers.
The two-factor authentication function of HMS Core Account Kit has been tested by numerous developers and the market, and has shown remarkable reliability. Not only that, Account Kit reports risks in real time and complies with the General Data Protection Regulation (GDPR) to raise the level of account security. Try out the kit for even safer and more convenient identity verification!
Learn more about Account Kit:
>> Documentation: overview and development guides of HMS Core on HUAWEI Developers
>> Open source repositories: HMS repositories on GitHub and Gitee
>> Forum: HUAWEI Developer Forum
Related
User identity authentication has changed with the times
From passwords, dynamic tokens, USB keys, and SMS verification codes,
To biometric data, such as fingerprints and facial recognition.
Optimal authentication must account for a myriad of factors
Including basic security capabilities, convenience, respect for user privacy, and legal compliance
HUAWEI FIDO provides a comprehensive authentication solution
Taking everything into account
What Is HUAWEI FIDO?
HUAWEI Fast Identity Online (FIDO) provides biometric authentication (BioAuthn) and online identity verification (FIDO2) capabilities, empowering developers to provide users with optimally secure, reliable, and convenient password-free identity verification.
Biometric Authentication (BioAuthn)
BioAuthn supports both 3D facial and fingerprint-based authentication, and uses the system integrity check result as a prerequisite. When a user initiates biometric authentication using BioAuthn on an insecure device, BioAuthn will identify that the device is insecure and abort biometric authentication. BioAuthn also provides a key-based mechanism for verifying the authentication result, ensuring that it is highly reliable.
Online Identity Verification (FIDO2)
FIDO2 provides developers with Android Java APIs that are fully compliant with the FIDO2 specifications. A mobile phone can be used as a FIDO2 client or a FIDO2 authenticator (also called a security key). When a user signs in to your app through another app or browser, they can use the fingerprint recognition hardware as a platform authenticator to complete fingerprint-based sign-in without entering a password. This solution avoids the risks associated with passwords, and other security risks such as credential stuffing attacks. When signing in to your app or completing a payment on a PC, the user's mobile phone can serve as a roaming authenticator, which accelerates the identity authentication process.
Service Scenarios
Secure sign-in verification
Users can sign in to the app via fingerprint or facial recognition, without needing to enter a password.
Identity theft prevention
Users can complete in-app payments via fingerprint or facial recognition without needing to enter a payment password. Alternatively, apps can incorporate multiple layers of security and have users complete payments by entering a password and having their fingerprint or face identified.
FIDO security key authentication
Users can also complete identity authentication using the available FIDO security keys over transports such as USB, NFC, and Bluetooth Low Energy (BLE).
Using a Huawei phone as a FIDO2 security key
Huawei phones can serve as FIDO security keys, freeing users from needing to carry an extra FIDO security key for an additional device.
How Can I Integrate HUAWEI FIDO?
For guidance during the integration process, please refer to the HUAWEI Developers website, where you will find the integration guide and other resources for reference, or you can contact us through [email protected] for further technical assistance.
* HMS Core 4.0 courses produced by HUAWEI Developers are now available on Huawei official channels, including Video Center on HUAWEI Developers and HUAWEI Developer Forum.
Overview
Users have come to prioritize data security and privacy issues, in the wake of the full-scale digitalization of society, and have thus placed more stringent requirements on apps. To provide for top-notch security, many apps, in particular finance and payment apps, have incorporated biometric safeguards, such as fingerprint and 3D facial sign-in mechanisms. Fingerprint and 3D facial sign-in methods free users from the considerable hassle associated with repeatedly entering the account number, password, and verification code, delivering enhanced convenience alongside bolstered security.
You might have assumed that fingerprint and 3D sign-in are too costly or time-intensive to integrate into your app, but it’s actually remarkably easy. All you need to do is to integrate HMS Core FIDO into your app, and you'll be good to go!
What Is HMS Core FIDO2?
Fast Identity Online (FIDO) is an identity authentication framework protocol hosted by the FIDO Alliance. The FIDO Alliance, established in July 2012, has grown to encompass 251 members as of May 2019, including many of the leading vendors in the world. FIDO offers two series of technical specifications, UAF and U2F, and the launch of the FIDO 2.0 project represents a new era of enhanced identity authentication. To learn more about the members of the FIDO Alliance, please visit https://fidoalliance.org/members/.
Select FIDO Alliance Members
The FIDO specification aims to provide a universal, secure, and convenient technical solution for verifying online users' identities, under a multi-faceted, password-free model. It is applicable to a broad range of scenarios, including sign-in, transfer, and payment, in which the user identity needs to be verified. The FIDO2 specification outlines a powerful, comprehensive and versatile identity verification solution.
FIDO2 has three main application scenarios:
1) Fingerprint and 3D facial sign-in
2) Fingerprint and 3D facial transfer and payment
3) Two-factor authentication
This issue will address the first: fingerprint and 3D facial sign-in. Under this scenario, a user can sign in to an app through fingerprint or 3D facial authentication without entering a password, avoiding such risks as password leakage, and credential stuffing.
Demos
The videos below illustrate in detail how FIDO2 fingerprint and 3D facial sign-in are implemented.
(1) Fingerprint sign-in
(Video 1)
(2) 3D facial sign-in
(Video 2)
How Does HMS Core FIDO2 Work?
The FIDO specification outlines a technical framework for online identity verification. This framework encompasses the app and app server, as well as the FIDO authenticator, FIDO client, and FIDO server.
FIDO authenticator: A mechanism or device used for local authentication. FIDO authenticators are classified into platform authenticators and roaming authenticators. Authenticators are better known as security keys to end users.
- Platform authenticator: An authenticator integrated into a FIDO-enabled device, such as an authenticator based on the fingerprint recognition hardware in a mobile phone or laptop.
- Roaming authenticator: An authenticator connected to a FIDO-enabled device over Bluetooth, NFC, or a USB cable, such as a USB-key-shaped authenticator or a dynamic token.
FIDO client: A client integrated into the platform, such as Windows, macOS, or Android with HMS Core (APK), that provides the SDK for apps; or a client integrated into browsers, such as Chrome, Firefox, or Huawei Browser, that provides JavaScript APIs for apps. The FIDO client serves as a bridge for the app in calling the FIDO server and FIDO authenticator to complete authentication.
FIDO server: A server that generates an authentication request in compliance with FIDO specifications. The request is sent to the app server when it needs to initiate FIDO authentication. Once the FIDO authenticator has completed local authentication, the FIDO server will receive a FIDO authentication response from the app server, and verify the response.
There are two major processes associated with the FIDO specification: registration and authentication. With regard to sign-in scenarios, the registration process involves enabling the fingerprint or 3D facial sign-in function, and the authentication process involves completing sign-in via fingerprint or 3D facial authentication.
During registration, the FIDO authenticator will generate a public-private key pair for the user, which is then used as the authentication credential. The private key is stored in the FIDO authenticator, while the public key is stored on the FIDO server. In addition, the FIDO server will associate the user with the authentication credential.
During authentication, the FIDO authenticator will add a signature to the challenge value using the private key, and the FIDO server will verify the signature using the public key. The user is deemed as valid if the signature passes the verification.
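The registration and authentication exchange just described, modelled in Go as an added example (not HMS Core or FIDO server code): the authenticator generates a P-256 key pair and keeps the private key, the server stores the public key against the user, issues a random single-use challenge, and verifies the signature and the sign counter. The relying-party ID example.com is a constructed placeholder; attestation, CBOR encoding and clientDataJSON are omitted, and the raw challenge is hashed in their place.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Simplified FIDO2 model (added illustration, not HMS Core code): the authenticator keeps the
// private key, the server keeps one public key per user and verifies signed single-use challenges.
const rpID = "example.com" // assumed relying-party ID (constructed placeholder)

// Authenticator holds one credential's private key; it never leaves this struct.
type Authenticator struct {
	priv      *ecdsa.PrivateKey
	signCount uint32 // strictly increasing; lets the server detect a cloned key
}

// Register creates an authenticator with a fresh P-256 key pair; only the public key is shared.
func Register() (*Authenticator, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv}, &priv.PublicKey, nil
}

// signedDigest is what gets signed: authenticatorData || SHA-256(challenge).
func signedDigest(authData, challenge []byte) []byte {
	ch := sha256.Sum256(challenge)
	d := sha256.Sum256(append(append([]byte{}, authData...), ch[:]...))
	return d[:]
}

// Assert builds authenticatorData = SHA-256(rpID) || flags || signCount and signs it.
func (a *Authenticator) Assert(challenge []byte) (authData, sig []byte, err error) {
	a.signCount++
	rpHash := sha256.Sum256([]byte(rpID))
	var cnt [4]byte
	binary.BigEndian.PutUint32(cnt[:], a.signCount)
	authData = append(append(rpHash[:], 0x05), cnt[:]...) // flags 0x05: user present + verified
	sig, err = ecdsa.SignASN1(rand.Reader, a.priv, signedDigest(authData, challenge))
	return authData, sig, err
}

// credential is the server-side record per user: public key, last counter, open challenge.
type credential struct {
	pub       *ecdsa.PublicKey
	lastCount uint32
	pending   []byte
}
type Server struct{ users map[string]*credential }
func NewServer() *Server { return &Server{users: map[string]*credential{}} }

// Enroll completes registration by associating the public key with the user.
func (s *Server) Enroll(user string, pub *ecdsa.PublicKey) { s.users[user] = &credential{pub: pub} }

// NewChallenge issues 32 fresh random bytes for one sign-in attempt by an enrolled user.
func (s *Server) NewChallenge(user string) []byte {
	s.users[user].pending = make([]byte, 32)
	rand.Read(s.users[user].pending)
	return s.users[user].pending
}

// Verify checks the signature over the outstanding challenge (the signature also covers the
// RP ID hash and flags in authData) and the counter; the challenge is consumed to block replay.
func (s *Server) Verify(user string, authData, sig []byte) error {
	cred, ok := s.users[user]
	if !ok || cred.pending == nil || len(authData) != 37 {
		return errors.New("unknown user, no outstanding challenge, or malformed data")
	}
	challenge := cred.pending
	cred.pending = nil // single use, even if the checks below fail
	if !ecdsa.VerifyASN1(cred.pub, signedDigest(authData, challenge), sig) {
		return errors.New("bad signature")
	}
	count := binary.BigEndian.Uint32(authData[33:])
	if count <= cred.lastCount {
		return errors.New("sign counter did not increase: possible cloned authenticator")
	}
	cred.lastCount = count
	return nil
}
```

A real FIDO server additionally compares the RP ID hash in authData with its own, parses the CBOR attestation at registration, and keeps the challenge in session state rather than on the credential record.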
Preparations
Before integrating FIDO2, you will need to configure your app information in AppGallery Connect, the Maven repository address, and the obfuscation scripts. You will also need to add the build dependency on FIDO2. The sample is as follows:
implementation 'com.huawei.hms:fido-fido2:5.0.0.301'
Development
FIDO2 includes two operations: registration and authentication. The processes are similar for the two operations. Key steps and code are shown below:
1. Initialize a Fido2Client instance.
Fido2Client fido2Client = Fido2.getFido2Client(activity);
2. Call Fido2Client.getRegistrationIntent() to initiate registration, or call Fido2Client.getAuthenticationIntent() to initiate authentication.
Obtain the challenge value and related policy from the FIDO server, and initiate a request. (Only the FIDO client APIs are provided here. For details about the interaction with the FIDO server, please refer to related specifications and contact the FIDO server vendor to obtain the related API reference.)
Call Fido2Client.getRegistrationIntent() to initiate registration, or call Fido2Client.getAuthenticationIntent() to initiate authentication.
Call Fido2Intent.launchFido2Activity() in the callback to start registration (requestCode: Fido2Client.REGISTRATION_REQUEST) or authentication (requestCode: Fido2Client.AUTHENTICATION_REQUEST). The callback will be executed in the main thread.
fido2Client.getRegistrationIntent(registrationRequest, registrationOptions, new Fido2IntentCallback() {
    @Override
    public void onSuccess(Fido2Intent fido2Intent) {
        // Start the registration activity; the result arrives in onActivityResult().
        fido2Intent.launchFido2Activity(XXXActivity.this, Fido2Client.REGISTRATION_REQUEST);
    }

    @Override
    public void onFailure(int errorCode, CharSequence errString) {
        // android.util.Log.e() takes a tag as its first argument; TAG is a String constant in the Activity.
        Log.e(TAG, "errorCode: " + errorCode + ", errorMsg: " + errString);
    }
});
3. Call Fido2Client.getFido2RegistrationResponse() or Fido2Client.getFido2AuthenticationResponse() in the Activity.onActivityResult() callback to obtain the registration or authentication result.
Fido2RegistrationResponse fido2RegistrationResponse = fido2Client.getFido2RegistrationResponse(data);
4. Send the registration or authentication result to the FIDO server for verification.
(Only the FIDO client APIs are provided here. For details about the interaction with the FIDO server, please refer to related specifications and contact the FIDO server vendor to obtain the related API reference. Relevant code is omitted here.)
More
Relevant demos, sample code, and development documents are also available on the HUAWEI Developers website.
GitHub demo and sample code:
https://github.com/HMS-Core/hms-FIDO-demo-java
HUAWEI FIDO2 MOOC video:
https://developer.huawei.com/consumer/en/training/detail/101583008688294169
Development guide:
https://developer.huawei.com/consum...re-Guides-V5/introduction-0000001051069988-V5
API reference:
https://developer.huawei.com/consum...ferences-V5/fido2overview-0000001050176660-V5
Coming Next
The next issue will delve into custom development, authenticator selection policies, and UI customization for FIDO2, with revealing firsthand testimony. Stay tuned!
History of the Black Market
With the popularization of smartphones, black market tactics have shifted from controlling zombie computers for launching DDoS attacks and click farming on advertisements, to controlling Internet users in mobile service scenarios for monetization purposes. The rapid development of the Internet has made black market attacks adaptive to change and easy to replicate. As a result, attacks such as malicious registration have become widespread.
Today's apps need to continually invest in risk mitigation and security safeguards, in order to guard against automated malicious attacks from the black market.
Impact of Malicious Registrations
Malicious registration is the starting point for black market attacks. After registering various fake user accounts, attackers will seek to exploit these fake accounts to hunt for bonuses in e-commerce apps, wasting resources that are intended for genuine new users. The attackers may also use the accounts to undermine the user-generated content ecosystem via content spamming in social apps. These fake user accounts may also be exploited by malicious advertising agencies for ad traffic fraud, with the goal of extracting higher fees from advertisers. Fake users offer no real benefits to advertised apps. According to data from EverSafe Online, there are up to 8.3 million fake user attacks every day, most of which are concentrated in industries related to finance, e-commerce, and social networking.
Prevention of Malicious Registration Attacks
Attackers may implement malicious registrations through automated registration tools and user-based crowdsourcing platforms. For the former, if an app requires identity verification, a large number of malicious registration requests can be filtered out. For the latter, however, if registered accounts are resold after real users complete identity verification, it can be more difficult to identify and handle these violation accounts. Therefore, more accurate risk-related data analysis is required, which will result in higher operating costs.
HUAWEI Safety Detect: A Free Service, Open to All Developers
With regard to malicious attacks, it is crucial for apps to enhance their security capabilities, starting with the very beginning of the registration process. Safety Detect offers the UserDetect API, which helps apps check whether they are interacting with fake users via the real-time risk analysis engine. If a user is deemed suspicious or risky, they will be asked to perform a secondary verification to confirm the accuracy of detection.
Outside the Chinese mainland, Safety Detect provides users with a captcha-based verification code for secondary verification. In the Chinese mainland, the nocaptcha API on the cloud is used to obtain the user detection result. Users can proceed only after they have passed this secondary verification.
Safety Detect also provides apps with the SysIntegrity API to effectively identify fake users from simulators, enabling apps to prevent fake users from operating in Internet advertising channels. For more details, please refer to the case of Mei Ri Qing Li Da Shi.
Currently, a wide range of apps, including those in finance, e-commerce, video, and news apps, as well as browsers, have already integrated Safety Detect, and relied on it to improve risk identification and prevention capabilities. By equipping your app with Safety Detect, you can begin bolstering its security capabilities.
More cases:
- Risky URL detection
- Video security for video apps
- Credit card fraud prevention for electronic payment apps
- Reduction of malicious reviews on apps
- Enhanced app sign-in security
For more details, you can go to:
- Our official website
- Our Development Documentation page, to find the documents you need
- Reddit to join our developer discussion
- GitHub to download demos and sample codes
- Stack Overflow to solve any integration problems
Original source
Being the official app distribution platform for Huawei over the past nine years, AppGallery provides a full-cycle security and protection system for security assurance throughout the app’s lifecycle.
This security assurance system covers the entire app lifecycle: reviews of developers' qualifications, security checks before an app's release, and periodic checks and user feedback tracking after its release.
As part of the comprehensive security assurance system, the four-layer protection creates a safety check at each step of the way to ensure the apps are free of malicious code, in order to ensure users are well protected against security vulnerabilities. These four security checks include malicious behaviour detection, security vulnerability scanning, privacy breach inspection, and manual recheck.
Exclusive quadruple detection ensures user privacy and security
All AppGallery apps need to pass a quadruple safety test to be eligible for release. AppGallery protects against malicious apps that may infringe user privacy or steal user property. Through careful selection and strict testing, AppGallery rejects apps that may pose security risks to users, providing users with a secure app acquisition experience.
The first of the four-layer protection includes malicious behaviour detection which focuses on detecting viruses, Trojan horses, malicious fee deduction, and malicious traffic consumption. To handle large numbers of app release requests, AppGallery uses SecDroid, a cloud-based automatic scanning platform that works with multiple well-known antivirus engines in the industry to detect viruses across Android packages (APKs). In addition, SecDroid uses sandbox-based dynamic execution technology and static feature analysis technology to detect and analyse sensitive behaviour, such as malicious billing, excessive traffic consumption, and malicious tampering of personal information.
The second layer is security vulnerability scanning, which combines dynamic and static scanning for security vulnerabilities, greatly reducing the probability of vulnerabilities or backdoors in apps. The scan covers tens of analysis and detection aspects, including the security of components and data, excessive traffic consumption, insecure command execution, analysis of APKs for potential vulnerabilities, and more.
The third layer is privacy breach inspection, which aims to prevent apps from invoking, collecting, transmitting, or using sensitive user data, such as the address book and photo library, without user authorisation or a legal basis. Static and dynamic privacy analysis cover security weaknesses such as corruption and breach points, identifying common issues such as key leakage, dangerous functions, and insecure algorithms. Filter criteria (such as file suffix and type) are then set for refined control over the scanned objects, to pinpoint the exact match locations and contexts and highlight the matched content.
The final layer is manual recheck, in which a dedicated security team tests the app in real-world scenarios for compatibility, safety, and reliability before it is released on AppGallery, so that users get the best app experience.
Huawei ensures a safe, private and protected digital environment on AppGallery for users
Through AppGallery, Huawei aims to strictly protect users’ privacy and security while providing them with a unique and smart experience. Serving over 730 million Huawei end users in over 170 countries and regions, AppGallery is committed to ensuring consumers enjoy a safe, private and protected digital environment as they explore unique and smart app experiences on the platform.
According to the AppGallery 2020 Annual Security Report, in 2020 Huawei App Market's exclusive quadruple detection handled more than 970,000 app release applications from more than 170 countries and regions worldwide, a year-on-year increase of 27%. The review filtered out 33.20% of the total apps reviewed, identifying problems such as lack of copyright qualification, delayed app versions, app function defects, unexpected app exits, and registration and login exceptions.
In the future, AppGallery will continue its efforts to enhance the overall app experiences launched on AppGallery by updating the technologies and mechanisms for remediating risky apps, providing users with secure and high-quality apps, protecting their privacy and property security, and working with industry partners to build a green and healthy app ecosystem.
For more information, please visit https://consumer.huawei.com/en/privacy/. You may also read the latest HMS Security Technical White Paper here.
Keyring is an all-new security kit in HMS Core that is used to store user credentials on their devices, where the credentials can be shared between different apps and versions of an app, creating a seamless sign-in experience between your Android apps, quick apps, and web apps.
Keyring provides you with capabilities that make user credential management a sheer breeze, helping ensure your service continuity, by obtaining, encrypting, storing, authorizing, sharing, querying, accessing, and deleting such credentials, as needed. Keyring also provides your apps with APIs for storing, accessing, and querying user credentials, for effortless credential sharing between multiple apps. It enables the user to sign in to an app by using the credentials from another already signed-in app, for seamless cross-app sign-in.
In addition, Keyring also obtains the user credential sharing relationship between apps, to ensure that you can freely share the user credentials to different platform versions of your app, for example, Android app, quick app, and web app versions, making cross-platform sign-in a viable reality. Thanks to this capability, you'll be able to handle users from different platforms with remarkable ease.
Keyring offers airtight security, easy integration, and broad compatibility. It encrypts user credentials in the TEE, and securely stores the encrypted credentials on the user device itself. You can even define the credential sharing relationship between different apps and different platform versions of an app, so that only authorized apps are able to obtain a set of credentials. You can also enable the mechanism for users to verify their identities via biometric features before they can use the shared credentials, to bolster sign-in security. The industry-leading security capabilities in Keyring can be integrated in just 2 person-days, making it an efficient and cost-effective solution. Better yet, the service is designed to meet the security requirements of a vast range of apps, including shopping, travel, social media, reading, and many other service scenarios.
Keyring resolves longstanding issues related to inefficient credential management and credential security risks. The cross-app credential sharing function in Keyring can entice users to use your apps, and the cross-platform sign-in function streamlines the user conversion path and sign-in process. In the future, Keyring will provide an even greater range of features and HMS Core will open even more capabilities in the security field, to help you craft the best possible user experience.