Passwordless login: the search for speed with security

Date posted
29 May 2019
Reading time
9 Minutes
Sean Devlin

Passwordless login: the search for speed with security

Originally Published on digitial.nhs.uk

I work as part of the team developing the NHS App, which allows the public to fulfil their healthcare needs from their smartphone or tablet.

However, due to the obviously sensitive nature of the information the app provides, security is paramount. Users are therefore required to go through multi-factor identifications when logging in.

Essentially, this means the following steps when accessing the app:

  • click to begin login
  • enter your username and password
  • wait for SMS text message
  • enter one-time password received
  • click to complete login

Listening to early app feedback, it was clear that this was becoming a real barrier for users. It was apparent that an alternative login method was required to simplify everyday access to the app.

We worked closely with NHS login, our identity verification system that enables patients to access their digital records and services, to look at potential solutions with the ultimate goal of providing passwordless login for our users.

Working out user identity

As we were NHS login's first consumer, it was important that something was designed to an open and reusable standard that would allow other services to integrate.

The selected plan was to introduce biometric login. Biometric is a term that can make people slightly nervous. However, we do not store or even come into contact with any of the user's biometric identification; this is all handled by the device itself.

Together, we decided to implement the FIDO (Fast-Identity Online) UAF (Universal Authentication Framework) protocol.

The protocol, based on public key cryptography, defines three operations for users:

Registration - allows an already logged in user to enrol their device.
Authentication - allows the user to log in from their registered device by performing the selected authentication method e.g. entering their fingerprint.
Deregistration - allows the user to remove the login from their device.

In very basic terms, a private key is stored on the user's device and is only accessible when they enter their fingerprint or use facial recognition (more on that later). This private key is then used to sign requests sent to the FIDO server, which authenticates the user and allows them to sign in without the need for a password.

In 2019, it would be irresponsible to talk about FIDO and passwordless login without mentioning WebAuthn. WebAuthn is a World Wide Web Consortium (W3C) based on the latest rendition of the FIDO standard and set to become the new benchmark for passwordless authentication in the web. At the time of implementation, it was decided not to use WebAuthn due to the limited browser support (especially mobile). However, this will definitely be considered in the future as this is rapidly increasing.

Facing-up to IOS and Android challenges

The NHS App is currently available for both iOS and Android. Implementing passwordless login provided challenges for both.

With iOS, there are a limited number of different devices - TouchID and FaceID are offered based on the device type. So, we decided to develop and cater for both - helped by Apple, which provides a common interface.

Android is a little trickier on this front due to differences between the multiple manufacturers in terms of hardware and keystore (where encrypted secrets are kept). Although some Android models provide facial recognition, we decided to only cater for fingerprint recognition in our Android Implementation.

The NHS App supports Android versions back to Android M. Therefore, Android's introduction of a BiometricPrompt Application Programme Interface (API), which abstracts the recognition type from the developer, was not viable, as it is currently only compatible with Android P and above.

Client Credentials

Studying eBay's opensource FIDO UAF Android client acted as a starting position for us to implement passwordless login in our Android app, while NHS login developed their login server.

With iOS, we did not have the benefit of a sample implementation. The UAF messaging protocol is quite low level and requires bitwise operations and manipulation. Without an openly available client or Software Development Kit (SDK), we had to build from scratch. We used Apple's general purpose, multi-paradigm programming language Swift, following the specification line by line.

Storing and accessing the signing keys required for user authorisation was taken care of by using Apple's Secure Enclave.

We also created an internal UAF client to abstract the interactions with Secure Enclave and the FIDO server. We have plans to open source this in the future.

Biometric login screen
Login achieved using biometric identification

A footprint for passwordless login

Passwordless login into the NHS App is now live. We believe that our approach, including the quirks of the iOS and Android implementations, could form a useful high-level footprint for anyone looking to implement passwordless login in their app. Please get in touch with our team at nhsapp@nhs.net if you'd like to know more.

About the author

Sean Devlin