Users are overwhelmed by the increasingly esoteric requirements for strong passwords. Because remembering many long, complex passwords is hard, they reuse the same password across accounts. Consequently, a breach at one site exposes a password that attackers can replay against many other sites (credential stuffing), turning one site's failure into unauthorized access to many user accounts. Such access is costly to the enterprise and frustrating for the user.
Increasingly aware of this exposure, users are gravitating toward biometric authentication as a convenient, secure, and modern way to prove their identity.
Certain Samsung devices can scan both fingerprints and irises. Any enterprise partner that wishes to offer its customers the option to authenticate with biometrics can use the Samsung Pass SDK to enable this functionality in its customer-facing app.
Samsung Pass ensures security and privacy for enterprise partners and their users by compartmentalizing and distributing the authentication process as follows:
The device user registers their Samsung account when they activate a device. Registration creates an association between the user and the device but does so without requiring any interaction with Samsung Pass or an enterprise partner.
Developers embed the Samsung Pass API in their customer-facing app, which makes the app Samsung Pass enabled. The developers register the app in the Samsung Pass Cloud by providing only non-secret information, such as the app's certificate chain, which carries public keys; no private key leaves the developer.
The device user downloads and installs the app. Samsung Pass verifies that the app on the device matches the app that the developer registered in the Samsung Pass Cloud, so a modified or repackaged app cannot pass as the registered one.
Samsung Pass and the enterprise independently generate, exchange, and store credentials which verify the authenticity of the user, the app, and the device.
The benefit of this strategy is that the pieces needed to complete an authentication are generated by different parties and stored in separate facilities: the device, the Samsung Pass Cloud, and the enterprise servers.
If any one of these facilities is compromised, the encrypted and partial information it holds is useless without the complementary pieces, which remain secure in the other facilities. This guarantee rests on the pieces being generated independently, as described above; a breach of one facility should still be handled as an incident, since the attacker now holds one component and only the others stand between them and the user's account.
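The property just described, that a single compromised store yields nothing usable on its own, is the same one an n-of-n secret split gives. The following Python is an added illustration of that principle written for this page; it is not the Samsung Pass protocol or SDK code, and the party labels (`device`, `samsung_pass_cloud`, `enterprise_server`) are hypothetical names chosen to mirror the three facilities in the text. It splits a credential into three shares such that all three are required to recover it, then simulates the breach of one or two facilities and checks that the attacker learns nothing.

```python
import itertools
import secrets
from typing import Callable, Dict, Sequence, Tuple

# Hypothetical labels mirroring the three facilities named on the page.
PARTIES: Tuple[str, ...] = ("device", "samsung_pass_cloud", "enterprise_server")


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("share length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def split_secret(secret: bytes,
                 parties: Sequence[str] = PARTIES,
                 rng: Callable[[int], bytes] = secrets.token_bytes) -> Dict[str, bytes]:
    """n-of-n XOR split.

    The first n-1 shares are uniformly random; the last is the secret XORed
    with all of them. Any proper subset of shares is statistically
    independent of the secret, so a breach of fewer than n stores reveals
    nothing about it.
    """
    if len(parties) < 2:
        raise ValueError("need at least two parties to distribute trust")
    shares = [rng(len(secret)) for _ in range(len(parties) - 1)]
    last = secret
    for s in shares:
        last = xor_bytes(last, s)
    shares.append(last)
    return dict(zip(parties, shares))


def combine_shares(shares: Dict[str, bytes]) -> bytes:
    """XOR whatever shares are supplied. Equals the secret only when every
    party's share is present; otherwise the result is uniformly random."""
    acc = None
    for s in shares.values():
        acc = s if acc is None else xor_bytes(acc, s)
    if acc is None:
        raise ValueError("no shares supplied")
    return acc


def breach_reveals_secret(shares: Dict[str, bytes],
                          compromised: Sequence[str],
                          secret: bytes) -> bool:
    """Simulate an attacker who has dumped the listed facilities and tries
    to recover the credential from only those shares."""
    partial = {p: shares[p] for p in compromised}
    return combine_shares(partial) == secret


def audit_breaches(shares: Dict[str, bytes], secret: bytes) -> Dict[Tuple[str, ...], bool]:
    """For every proper subset of facilities, report whether its compromise
    recovers the secret. All values should be False."""
    parties = tuple(shares)
    report = {}
    for k in range(1, len(parties)):
        for subset in itertools.combinations(parties, k):
            report[subset] = breach_reveals_secret(shares, subset, secret)
    return report


if __name__ == "__main__":
    # Constructed sample credential, not real authentication material.
    credential = b"constructed-sample-credential-0123456789"
    shares = split_secret(credential)
    assert combine_shares(shares) == credential
    for subset, leaked in audit_breaches(shares, credential).items():
        print(f"breach of {subset}: secret recovered = {leaked}")
```

Running the block prints one line per compromised subset, each reporting that the secret was not recovered; only `combine_shares` over all three parties returns the credential. A practitioner should note the caveat this model makes explicit: the guarantee is only as good as the independence of the shares (a biased or shared `rng` collapses it), which is why the text stresses that the parties generate their material independently.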