How biometric authentication works in Tangem Wallet

We continue to improve Tangem Wallet. You no longer need to tap your card to the phone to unlock the app. Now you can securely check your balances in all your Tangem wallets without a card or a password: simply place your finger on the fingerprint scanner, or look into the camera if your phone supports Face ID.

The new app update with biometric authentication made the Tangem app even more convenient and gave you new possibilities regarding crypto management. But you may have doubts about the security of your biometric data. That's what we're going to discuss.

New Tangem App possibilities

The Tangem App now has "App Settings" with "Keep the wallet in the app" and "Save Access Code" options activated by default. This means:

  • All Tangem wallets (if you have more than one) are linked to the app, and the app unlocks with biometric authentication;
  • All encrypted card passwords are stored on the phone, and biometric authentication is used instead of a password when handling the cards.

You can deactivate these options if you want to work with the wallet the previous way.

Bottom line, you no longer need to tap the cards and enter an access code to:

  • log in to the Tangem app;
  • view balances of coins and tokens;
  • switch between wallets, if you have more than one.

You can easily add additional wallets to the Tangem app.

Or they will be added automatically. If the Tangem App shows only one wallet while you actually own several Tangem wallets, then when you tap the second, third (and so on) wallet to the phone, you will be asked to enter its access code, and that wallet will be linked to the App automatically. At the same time, access to the first wallet will be blocked; it can be unlocked with biometrics if needed.

Attention! You still need to tap a Tangem card to sign a transaction.

Why biometric login is completely secure

Third-party apps, such as the Tangem App, can use the smartphone's system interfaces to set up biometric authentication with fingerprint scanning or facial recognition.

Important! The Tangem app, just like any other app, can only check the authentication status, but DOES NOT ACCESS your biometric data.

Today, both Google's Android and Apple's iOS offer a high level of biometric security. Their approaches to protecting biometric data are similar, but they differ in some details.

iOS Biometric Security

The main operating system of iOS devices does not store your biometric data. The Secure Enclave was designed to isolate this sensitive information.

The Secure Enclave is a secure subsystem isolated from the main processor. It provides an extra layer of security and is designed to keep sensitive user data secure even if the Application Processor kernel is compromised.

For maximum isolation, the Secure Enclave coprocessor is used exclusively by the Secure Enclave subsystem. It updates autonomously. Its memory is encrypted with a unique key that is assigned at manufacturing time.

Moreover, your biometric info is stored as a non-reversible hash and not sent to iCloud or Apple's servers.

Touch ID

The Touch ID module is directly connected to the hardware and software of the device. Each module is paired at manufacturing time with a specific iPhone.

For extra security, Apple limits how long the fingerprint scanner can be used without the password:

  • Up to 48 hours if the phone has not been unlocked during that time;
  • Up to 8 hours if the user has not entered their password in the past 6 days.

Also, if you've turned off or restarted your iPhone, it will ask for a password the first time you log in, just as it does when you save a new fingerprint.

Face ID

Face ID uses the TrueDepth camera and machine learning technologies to recognize your face.

Face ID data—including mathematical representations of your face—is encrypted and protected with a key available only to the Secure Enclave.

Face ID matches against depth information, which isn't found in photographs. Face ID recognizes if your eyes are open and your attention is directed towards the device. This makes it more difficult for someone to unlock your device without your knowledge (such as when you are sleeping).

You must enter your passcode for additional security validation when:

  • The device has just been turned on or restarted.
  • The device hasn’t been unlocked for more than 48 hours.
  • The passcode hasn’t been used to unlock the device in the last six and a half days and Face ID hasn't unlocked the device in the last 4 hours.
  • The device has received a remote lock command.
  • After five unsuccessful attempts to match a face.
  • After initiating power off / Emergency SOS.

If your device is lost or stolen, you can prevent Face ID from being used to unlock your device by marking your device as lost in Find My.

Android Biometric Security

Android smartphones running a version newer than 6.0 support fingerprint login.

Depending on the type of scanner, it can be located on the back of the smartphone, on the edge or at the bottom of the display.

Google sets a number of conditions for Android device developers and manufacturers; a device that fails to comply is not certified. The main requirement is that the device enforces data encryption, and:

  • the Trusted Execution Environment (TEE) exclusively stores the biometric data (the TEE is an area on the main processor separated from the main operating system);
  • 5 unsuccessful biometric login attempts add a 30-second pause before each new login attempt;
  • adding or removing fingerprints must be confirmed by a password or another authentication method.

Just as with Apple's Touch ID, your biometric data is stored on a separate processor with its own memory and operating system (Trusty OS). The data is not available to Google, the Tangem app or other apps, is not synchronized between devices, and is stored exclusively on the smartphone in an isolated secure area of the processor.

Trusty OS is a small but efficient OS running in the TEE.

When you register a fingerprint, the sensor captures the scan data, Trusty OS analyzes it inside the TEE, and then creates:

  • encrypted fingerprint template;
  • validation data set.

The encrypted biometric template is stored in a dedicated TEE area or in the encrypted storage of the smartphone. This data is practically impossible to retrieve, and even if it were obtained, it would be useless, as it cannot be deciphered.

So, user biometric data protection on Android means:

  • Your biometrics in their original form are not saved anywhere: after the device receives your data, it is hashed and the resulting hash is placed in the TEE.
  • The fingerprint scanner and its interface are located in the TEE.
  • Your biometrics are stored in the TEE exclusively.
  • The scanner hardware cannot be accessed from outside the TEE.
  • The Trustlet provides scan results, but not scan data.

A Trustlet is an app that runs in the TEE. It is not an autonomous software component; it is designed for a single purpose, fingerprint matching, and has no value outside the app on whose behalf it runs.

So, the scheme of biometric authentication looks like this:

  • You open the Tangem App.
  • You try to log in with biometrics.
  • A smartphone launches Trustlet.
  • A fingerprint reader interface appears on top of the current screen.
  • The Trustlet compares your fingerprint with the one scanned during setup, and sends only the result to the Tangem app.

Authorization successfully completed.
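The scheme above and the earlier statement that an app "can only check the authentication status" both come down to one API pattern on Android. The following Kotlin illustration is added here and is not Tangem's code: it shows how an app can keep a secret such as a card access code encrypted under an Android Keystore key that the TEE will only use after a successful strong-biometric authentication. The app's callback receives nothing but success, failure or an error code, never the fingerprint. The key alias, the prompt text and the call sites at the bottom are assumptions made for the example.

```kotlin
// Added illustration (not Tangem's code): a Keystore key gated by BiometricPrompt.
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyPermanentlyInvalidatedException
import android.security.keystore.KeyProperties
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

private const val KEY_ALIAS = "example_access_code_key"   // assumed alias for the example
private const val KEYSTORE = "AndroidKeyStore"
private const val TRANSFORM = "AES/GCM/NoPadding"

/** Creates (once) an AES key that the Keystore/TEE refuses to use unless the user has just
 *  authenticated with a strong biometric. Enrolling a new fingerprint invalidates the key. */
fun getOrCreateKey(): SecretKey {
    val ks = KeyStore.getInstance(KEYSTORE).apply { load(null) }
    (ks.getKey(KEY_ALIAS, null) as? SecretKey)?.let { return it }
    val spec = KeyGenParameterSpec.Builder(
        KEY_ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setUserAuthenticationRequired(true)        // every use needs a fresh biometric auth
        .setInvalidatedByBiometricEnrollment(true)  // a new fingerprint kills the key
        .build()
    return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE)
        .apply { init(spec) }.generateKey()
}

/** Stored ciphertext plus the GCM nonce needed to decrypt it. */
data class SealedSecret(val iv: ByteArray, val ciphertext: ByteArray)

/** Shows the system biometric prompt and, on success, hands back a Cipher that is now
 *  authorised to run doFinal(). [mode] is Cipher.ENCRYPT_MODE or Cipher.DECRYPT_MODE. */
fun withBiometricCipher(
    activity: FragmentActivity,
    mode: Int,
    iv: ByteArray? = null,          // required for DECRYPT_MODE
    onReady: (Cipher) -> Unit,
    onError: (String) -> Unit,
) {
    // 1. The app may only ask the system whether a strong biometric is available.
    if (BiometricManager.from(activity).canAuthenticate(BIOMETRIC_STRONG)
        != BiometricManager.BIOMETRIC_SUCCESS) {
        onError("No strong biometric enrolled or available"); return
    }
    // 2. Bind a Cipher to the key. If the biometric enrolment changed since the key was
    //    created, init() throws; the secret must then be re-created from the access code.
    val cipher = Cipher.getInstance(TRANSFORM)
    try {
        if (mode == Cipher.ENCRYPT_MODE) cipher.init(mode, getOrCreateKey())
        else cipher.init(mode, getOrCreateKey(), GCMParameterSpec(128, requireNotNull(iv)))
    } catch (e: KeyPermanentlyInvalidatedException) {
        KeyStore.getInstance(KEYSTORE).apply { load(null) }.deleteEntry(KEY_ALIAS)
        onError("Biometric enrolment changed; stored secret must be re-created"); return
    }
    // 3. The match itself happens in the TEE; this callback only learns the outcome.
    val prompt = BiometricPrompt(activity, ContextCompat.getMainExecutor(activity),
        object : BiometricPrompt.AuthenticationCallback() {
            override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
                val authed = result.cryptoObject?.cipher ?: return onError("No cipher returned")
                onReady(authed)   // doFinal() works now; before this point it would throw
            }
            override fun onAuthenticationError(code: Int, msg: CharSequence) = onError(msg.toString())
            override fun onAuthenticationFailed() { /* non-matching finger: the system UI reports it */ }
        })
    val info = BiometricPrompt.PromptInfo.Builder()
        .setTitle("Unlock wallet")
        .setNegativeButtonText("Cancel")
        .setAllowedAuthenticators(BIOMETRIC_STRONG)
        .build()
    prompt.authenticate(info, BiometricPrompt.CryptoObject(cipher))
}

// Assumed call sites: seal the access code once, later unseal it behind a biometric.
fun storeAccessCode(activity: FragmentActivity, code: ByteArray, save: (SealedSecret) -> Unit) =
    withBiometricCipher(activity, Cipher.ENCRYPT_MODE,
        onReady = { c -> save(SealedSecret(c.iv, c.doFinal(code))) },
        onError = { /* show the reason */ })

fun readAccessCode(activity: FragmentActivity, sealed: SealedSecret, use: (ByteArray) -> Unit) =
    withBiometricCipher(activity, Cipher.DECRYPT_MODE, sealed.iv,
        onReady = { c -> use(c.doFinal(sealed.ciphertext)) },
        onError = { /* fall back to asking for the access code */ })
```

Two design choices matter for a defender reading this. Passing the Cipher as a CryptoObject (rather than just asking for a yes/no) means the decryption is cryptographically bound to the authentication the TEE performed, so a compromised app process cannot skip the prompt and still read the secret. Handling KeyPermanentlyInvalidatedException by deleting the key and re-enrolling matches the enrolment rule quoted above: once the set of fingerprints changes, anything sealed under the old key is deliberately unrecoverable without the original access code.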

Conclusion

Apple and Google have taken serious care of the security of users' biometric data. It is stored in special isolated, secure subsystems of the mobile device and is not available to apps. Therefore, logging into the Tangem App with biometric authentication is completely safe.