In very basic terms, a private key is stored on the user’s device and is only accessible when they enter their fingerprint or use facial recognition (more on that later). This private key is then used to sign requests sent to the FIDO server, which authenticates the user and allows them to sign in without the need for a password.
In 2019, it would be irresponsible to talk about FIDO and passwordless login without mentioning WebAuthn. WebAuthn is a World Wide Web Consortium (W3C) based on the latest rendition of the FIDO standard and set to become the new benchmark for passwordless authentication in the web. At the time of implementation, it was decided not to use WebAuthn due to the limited browser support (especially mobile). However, this will definitely be considered in the future as this is rapidly increasing.
Facing-up to IOS and Android challenges
The NHS App is currently available for both iOS and Android. Implementing passwordless login provided challenges for both.
With iOS, there are a limited number of different devices - TouchID and FaceID are offered based on the device type. So, we decided to develop and cater for both - helped by Apple, which provides a common interface.
Android is a little trickier on this front due to differences between the multiple manufacturers in terms of hardware and keystore (where encrypted secrets are kept). Although some Android models provide facial recognition, we decided to only cater for fingerprint recognition in our Android Implementation.
The NHS App supports Android versions back to Android M. Therefore, Android’s introduction of a BiometricPrompt Application Programme Interface (API), which abstracts the recognition type from the developer, was not viable, as it is currently only compatible with Android P and above.
Studying eBay’s opensource FIDO UAF Android client acted as a starting position for us to implement passwordless login in our Android app, while NHS login developed their login server.
With iOS, we did not have the benefit of a sample implementation. The UAF messaging protocol is quite low level and requires bitwise operations and manipulation. Without an openly available client or Software Development Kit (SDK), we had to build from scratch. We used Apple’s general purpose, multi-paradigm programming language Swift, following the specification line by line.
Storing and accessing the signing keys required for user authorisation was taken care of by using Apple's Secure Enclave.
We also created an internal UAF client to abstract the interactions with Secure Enclave and the FIDO server. We have plans to open source this in the future.
Login achieved using biometric identification
A footprint for passwordless login
Passwordless login into the NHS App is now live. We believe that our approach, including the quirks of the iOS and Android implementations, could form a useful high-level footprint for anyone looking to implement passwordless login in their app. Please get in touch with our team at firstname.lastname@example.org if you’d like to know more.