Passwordless login: the search for speed with security
The NHS App aims to allow the public to fulfil their healthcare needs at the touch of a button. However, a security-conscious, multi-factor authentication login process proved a major ‘speed bump’ for users. Sean Devlin, a Tech Lead on the NHS App, discusses how his team and their counterparts in NHS login worked together to allow people to log in without passwords.
By Sean Devlin. 21 May 2019
I work as part of the team developing the NHS App, which allows the public to fulfil their healthcare needs from their smartphone or tablet.
However, due to the obviously sensitive nature of the information the app provides, security is paramount. Users are therefore required to go through multi-factor authentication when logging in.
Essentially, this means the following steps when accessing the app:
click to begin login
enter your username and password
wait for SMS text message
enter one-time password received
click to complete login
Listening to early app feedback, it was clear that this was becoming a real barrier for users. It was apparent that an alternative login method was required to simplify everyday access to the app.
We worked closely with NHS login, our identity verification system that enables patients to access their digital records and services, to look at potential solutions with the ultimate goal of providing passwordless login for our users.
Working out user identity
As we were NHS login's first consumer, it was important that something was designed to an open and reusable standard that would allow other services to integrate.
The selected plan was to introduce biometric login. Biometric is a term that can make people slightly nervous. However, we do not store or even come into contact with any of the user's biometric identification; this is all handled by the device itself.
The protocol, FIDO UAF, is based on public key cryptography and defines three operations for users:
Registration - allows an already logged in user to enrol their device.
Authentication - allows the user to log in from their registered device by performing the selected authentication method e.g. entering their fingerprint.
Deregistration - allows the user to remove the login from their device.
In very basic terms, a private key is stored on the user’s device and is only accessible when they enter their fingerprint or use facial recognition (more on that later). This private key is then used to sign requests sent to the FIDO server, which authenticates the user and allows them to sign in without the need for a password.
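The three operations above can be modelled as a challenge-response exchange. The following is an added example, not code from the NHS App or NHS login, and it does not use the UAF wire format. The Device and Server classes and the user name are hypothetical, the key is held in memory rather than in hardware-backed storage, and the third-party Python package "cryptography" is assumed to be installed.

```python
import secrets
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import (
    Encoding, PublicFormat, load_der_public_key)


class Device:
    """Stands in for the phone: the private key never leaves this object."""

    def __init__(self):
        self._key = None

    def enrol(self):
        # On a real device the key sits in hardware-backed storage and is
        # only unlocked by the biometric check; here it is an in-memory key.
        self._key = ec.generate_private_key(ec.SECP256R1())
        return self._key.public_key().public_bytes(
            Encoding.DER, PublicFormat.SubjectPublicKeyInfo)

    def sign(self, challenge):
        return self._key.sign(challenge, ec.ECDSA(hashes.SHA256()))


class Server:
    """Stands in for the authentication server: it holds public keys only."""

    def __init__(self):
        self.keys = {}      # user -> DER-encoded public key
        self.pending = {}   # user -> outstanding challenge

    def register(self, user, public_der):
        self.keys[user] = public_der

    def deregister(self, user):
        self.keys.pop(user, None)
        self.pending.pop(user, None)

    def new_challenge(self, user):
        self.pending[user] = secrets.token_bytes(32)
        return self.pending[user]

    def authenticate(self, user, signature):
        challenge = self.pending.pop(user, None)  # single use, so a replay fails
        public_der = self.keys.get(user)
        if challenge is None or public_der is None:
            return False
        try:
            load_der_public_key(public_der).verify(
                signature, challenge, ec.ECDSA(hashes.SHA256()))
            return True
        except InvalidSignature:
            return False
```

The server never sees the private key or any biometric data. A stolen copy of its key table gives an attacker nothing to log in with, and a captured signature is useless once its challenge has been consumed.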
In 2019, it would be irresponsible to talk about FIDO and passwordless login without mentioning WebAuthn. WebAuthn is a World Wide Web Consortium (W3C) standard based on the latest rendition of the FIDO standard, and is set to become the new benchmark for passwordless authentication on the web. At the time of implementation, it was decided not to use WebAuthn due to the limited browser support (especially mobile). However, this will definitely be considered in the future as browser support is rapidly increasing.
Facing up to iOS and Android challenges
The NHS App is currently available for both iOS and Android. Implementing passwordless login provided challenges for both.
With iOS, there are a limited number of different devices - TouchID and FaceID are offered based on the device type. So, we decided to develop and cater for both - helped by Apple, which provides a common interface.
Android is a little trickier on this front due to differences between the multiple manufacturers in terms of hardware and keystore (where encrypted secrets are kept). Although some Android models provide facial recognition, we decided to only cater for fingerprint recognition in our Android implementation.
The NHS App supports Android versions back to Android M. Therefore, Android’s introduction of a BiometricPrompt Application Programming Interface (API), which abstracts the recognition type from the developer, was not viable, as it is currently only compatible with Android P and above.
With iOS, we did not have the benefit of a sample implementation. The UAF messaging protocol is quite low level and requires bitwise operations and manipulation. Without an openly available client or Software Development Kit (SDK), we had to build from scratch. We used Apple’s general purpose, multi-paradigm programming language Swift, following the specification line by line.
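To show the kind of low-level handling this involves: UAF assertions are encoded as nested tag-length-value (TLV) records, each with a 2-byte tag and a 2-byte length, both little-endian. The following is an added example in Python, not the team's Swift client. The tag values are taken from the FIDO UAF registry of predefined values, while the function names and the abbreviated sample message are constructed for illustration.

```python
import struct

COMPOSITE_BIT = 0x1000  # in UAF, a tag with this bit set wraps nested TLVs

# A few tag values from the FIDO UAF registry of predefined values.
TAG_NAMES = {
    0x3E02: "TAG_UAFV1_AUTH_ASSERTION",
    0x3E04: "TAG_UAFV1_SIGNED_DATA",
    0x2E0B: "TAG_AAID",
    0x2E09: "TAG_KEYID",
    0x2E06: "TAG_SIGNATURE",
}


def parse_tlv(buf, depth=0, max_depth=8):
    """Parse UAF-style TLVs into (name, value-or-children) tuples."""
    if depth > max_depth:
        raise ValueError("nesting too deep")
    out, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 4:
            raise ValueError(f"truncated header at offset {pos}")
        tag, length = struct.unpack_from("<HH", buf, pos)
        pos += 4
        # Never trust the declared length: it must fit in what is left.
        if length > len(buf) - pos:
            raise ValueError(f"tag 0x{tag:04X} claims {length} bytes, "
                             f"only {len(buf) - pos} left")
        value = buf[pos:pos + length]
        pos += length
        name = TAG_NAMES.get(tag, f"0x{tag:04X}")
        if tag & COMPOSITE_BIT:
            out.append((name, parse_tlv(value, depth + 1, max_depth)))
        else:
            out.append((name, value))
    return out


def tlv(tag, value):
    """Encode one TLV record (used to build the constructed sample)."""
    return struct.pack("<HH", tag, len(value)) + value


# Constructed, abbreviated sample (not a captured message): an assertion
# wrapping signed data and a signature.
SAMPLE = tlv(0x3E02,
             tlv(0x3E04, tlv(0x2E0B, b"ABCD#0001") + tlv(0x2E09, b"\x01\x02"))
             + tlv(0x2E06, b"\xAA" * 4))
```

The length check and the depth limit are what stop a malformed or hostile message from driving the parser past the end of the buffer or into unbounded recursion.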
Storing and accessing the signing keys required for user authorisation was taken care of by using Apple's Secure Enclave.
We also created an internal UAF client to abstract the interactions with Secure Enclave and the FIDO server. We have plans to open source this in the future.
Login achieved using biometric identification
A footprint for passwordless login
Passwordless login into the NHS App is now live. We believe that our approach, including the quirks of the iOS and Android implementations, could form a useful high-level footprint for anyone looking to implement passwordless login in their app. Please get in touch with our team at email@example.com if you’d like to know more.