Biometric and FIDO2 Access
Overview
Biometric and FIDO2 Access offers secure, passwordless authentication for users’ UnoLock Safes, using biometric data (e.g., fingerprints, facial recognition) and FIDO2 hardware tokens. This feature improves both security and convenience by reducing reliance on traditional passwords, which are vulnerable to theft, reuse and compromise. Strong, cryptography-based authentication minimizes the risks associated with phishing and password attacks.
How It Works
- Biometric Authentication: Users can unlock their Safes using biometric data such as fingerprints or facial recognition. This data is securely stored and processed locally on the user’s device, ensuring privacy and security.
- FIDO2 Authentication: FIDO2 is an open authentication standard that uses public-key cryptography to enable secure, passwordless access. Users authenticate using a FIDO2 hardware token (e.g., YubiKey) or a biometric device that supports WebAuthn (the web authentication protocol).
- Public-Private Key Pair: During registration, the authenticator generates a public-private key pair. The private key stays on the hardware token or biometric device, while the public key is registered with UnoLock. During authentication, UnoLock issues a fresh challenge, the device signs it with the private key, and UnoLock verifies the signature with the stored public key, so access is granted without any secret ever being transmitted.
- Primary Authentication Model: In UnoLock, WebAuthn-based access keys are the primary authentication factor for Safe access. Users can register more than one authenticator for continuity and recovery, but WebAuthn itself is not treated as a secondary factor.
Security Implications
- Passwordless Security: Passwordless login eliminates the risks associated with weak or stolen passwords. Since authentication is based on public-key cryptography, FIDO2 is inherently resistant to phishing, credential stuffing, and replay attacks.
- Local Biometric Data Processing: Biometric data never leaves the user’s device, as all authentication occurs locally. This means that UnoLock never sees or stores biometric information, ensuring user privacy.
- Resistance to Phishing Attacks: FIDO2 protects against phishing because the browser binds each credential to the origin it was registered for and includes that origin in the signed data, so a look-alike site cannot obtain a signature that UnoLock would accept. Authentication therefore only succeeds on the legitimate website or application.
Device Assurance Information
UnoLock can show device assurance information for WebAuthn-based access keys in the key-management UI.
This information can include:
- the reported registration scheme
- the reported authenticator attachment type
- the reported transport information
- basic registration metadata recorded by the client
This information is:
- reported by the client that registered the key
- helpful for the Safe owner when reviewing their registered authenticators
This information is not:
- independently verified by UnoLock
- proof that a particular device or authenticator is trustworthy
Treat the assurance view as client-reported security context, not as an authoritative certification.
Use Cases
- High-Security Access: Users who handle sensitive data or financial assets can use biometric or FIDO2 authentication for more secure Safe access.
- Convenience for Daily Use: Individuals looking for both convenience and security can quickly access their Safe without relying on passwords, reducing login friction while maintaining high security.
- Enterprise and Business: Organizations can implement FIDO2 authentication to secure employee access to company Safes, reducing the risks of password theft and improving overall access management.
Why It Matters
Passwords are a common target for cyberattacks and are often the weakest link in account security. By replacing passwords with biometric and FIDO2 authentication, UnoLock provides stronger protection for user Safes, making them highly resistant to attacks such as phishing, brute force, and credential theft. This feature enhances both security and user experience, aligning with UnoLock’s commitment to robust, user-centric privacy solutions.
FAQs
How does FIDO2 authentication improve security?
FIDO2 uses public-key cryptography, meaning only the private key stored on your device can authenticate a login attempt. Since no passwords are involved, it prevents phishing, credential stuffing, and man-in-the-middle attacks.
Can UnoLock access my biometric data?
No, biometric data is processed locally on your device and never transmitted to or stored by UnoLock.
What happens if I lose my FIDO2 hardware token?
If you lose one authenticator, access should continue through another registered access key or configured recovery method rather than relying on a single device.
What does the Device Assurance view mean for a passkey or hardware key?
It shows registration and device details reported by the client that registered that key. It is useful context for the Safe owner, but UnoLock does not independently verify those claims.
Compliance & Privacy Regulations
- GDPR & HIPAA Compliance: By using local biometric processing and secure FIDO2 authentication, UnoLock ensures compliance with data privacy regulations, protecting user data and minimizing exposure to potential breaches.
Integration with Other Features
- End-to-End Encryption (E2EE): Biometric and FIDO2 Access work alongside E2EE to ensure that Safe access is secured and encrypted, providing comprehensive protection from login to data retrieval.
- Access Keys & Safe Access: Users can register multiple passkeys, phones, or hardware authenticators to access the same Safe from different devices while maintaining the same strong security protocols.