This is a guest blog post by Stephen Oh, Head of Global Sales, TrustKey.

With the pandemic, organizations have experienced an increase in hacking attacks, resulting in immense loss and damage for many businesses. One of the most effective ways to bolster cybersecurity defense is to change a log-in mechanism from using passwords to going passwordless. Microsoft, for example, recently announced a decision to let customers remove passwords from their system entirely.

The question is, which passwordless mechanism should one select among the many options available? The answer is simple: The hardware security key (the FIDO2 authenticator) is the most secure authentication method for modern-day corporate computing environments.

The biometric FIDO authenticator is a hardware security key that contains the user’s biometric information (fingerprint) as a user verification factor (“who you are”). Note that non-biometric FIDO authenticators use a PIN (“what you know”) as one of the factors.

TrustKey’s Biometric FIDO Authenticator

TrustKey’s biometric FIDO authenticators, G310 and G320, are the industry’s first to be certified at Security Level 2 by the FIDO Alliance. This means that TrustKey’s authenticators have a much more secure mechanism for protecting the FIDO protocol and the user’s biometric data. TrustKey’s biometric FIDO authenticator is also more straightforward to use than non-biometric keys — scan the fingerprint and that’s it! There is no PIN to remember and no PIN to type into the system for authentication.

In the Citrix Launchpad: Security event, Citrix shared how it’s addressing key security challenges through zero trust solutions that support simple, secure, and seamless access.

Citrix Workspace is built around delivering remarkable user experiences, simple and secure access, and convenience for employees. With Citrix’s end-to-end support for FIDO2, you can configure FIDO2 security key-based authentication to Citrix Workspace. And Citrix’s support for FIDO2 inside the virtual session means the same FIDO2 device used for authenticating into Citrix Workspace can be used inside the HDX session as well. Additionally, PIV/X.509 can be used concurrently with FIDO2 within the Citrix Virtual Apps and Desktops session. This allows Citrix users to use multiple credential types in the same HDX session with the same smart card or FIDO2 key, helping organizations adopt more modern passwordless authentication.

Our G310H and G320H FIDO2 security keys are validated on Citrix Workspace, Citrix Virtual Apps and Desktops, and Citrix Workspace App for Windows. You can find us in the Citrix Ready Marketplace, and we are one of the few FIDO2 vendors featured in the Citrix Ready Workspace Security Program.

Check out the video below, where I chat with the Citrix Ready team about the challenges of passwords and their complexity and the advantages of using our FIDO2 security keys, followed by a quick demo.

Security of Biometric Templates

Many customers say they are uncomfortable with biometric keys because they don’t know how their biometric templates (data) are handled. Unlike passwords or other credentials, biometric data cannot be changed by the user at will: it indicates “who they are,” so a leaked template cannot simply be reset.

Here is how the user’s biometric data are handled.

  • The biometric template, once created, is stored inside the security key and never leaves it, because the FIDO specification requires that the user’s fingerprint data shall not leave the device. During authentication, fingerprint matching (verification) is performed inside the security key, and no sensitive data is transmitted outside it; the relying party only learns that user verification succeeded.
  • The fingerprint template is stored securely inside the security key. As Level 2 (L2) certified security keys, the G310/G320 perform all sensitive operations, such as handling biometric templates, inside a secure region called the AROE (Allowed Restricted Operating Environment). The AROE protects all security operations from software attacks originating outside it.
  • The fingerprint template is one of the most sensitive pieces of data stored inside the security key. Therefore, TrustKey’s security key encrypts the fingerprint templates before storing them in flash memory.

Here is a simple diagram of how the sensitive data are stored.

The above diagram shows that sensitive data are encrypted using the AES engine and stored in flash memory. The AES key, called the Device Unique Key (DUK), is stored in a “secure storage” area that is hidden from the outside world. A random number generator generates the DUK at manufacturing time. Once the DUK has been written, the connection between the secure storage and the external interface is severed, so no further writes to the secure storage are possible.
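To make the two properties described above concrete (the template is stored only in encrypted form under a device-unique key, and matching happens inside the key so that only a user-verified flag leaves it), here is an added Go model of that design. It is illustrative code written for this post, not TrustKey firmware or the FIDO2 reference implementation; the struct, function names, and the use of byte equality in place of a real fingerprint matcher are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
)

// WebAuthn authenticator-data flag bits: user present (UP), user verified (UV).
const flagUP, flagUV byte = 0x01, 0x04

// Key models the authenticator; no unexported field ever crosses the USB boundary.
type Key struct {
	duk     cipher.AEAD // AES-GCM keyed with the device-unique key
	nonce   []byte
	encTmpl []byte // fingerprint template as it sits in flash
}

// Manufacture draws the DUK from the RNG once; the raw bytes are then unreachable.
func Manufacture() (*Key, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return nil, err
	}
	blk, _ := aes.NewCipher(raw) // 32-byte key: cannot fail
	g, err := cipher.NewGCM(blk)
	return &Key{duk: g}, err
}

// Enroll stores the template only in encrypted, authenticated form.
func (k *Key) Enroll(template []byte) error {
	k.nonce = make([]byte, k.duk.NonceSize())
	if _, err := rand.Read(k.nonce); err != nil {
		return err
	}
	k.encTmpl = k.duk.Seal(nil, k.nonce, template, nil)
	return nil
}

// Verify matches inside the key; only the flags byte leaves it. Byte equality
// stands in for a minutiae matcher; a tampered flash blob fails GCM and is refused.
func (k *Key) Verify(sample []byte) (byte, error) {
	tmpl, err := k.duk.Open(nil, k.nonce, k.encTmpl, nil)
	if err != nil {
		return 0, err
	}
	flags := flagUP
	if subtle.ConstantTimeCompare(tmpl, sample) == 1 {
		flags |= flagUV
	}
	return flags, nil
}
```

The point to notice is the return type of Verify: the host and the relying party receive a flags byte (UP, or UP plus UV), never the template or the sample.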

We take our customers’ concerns about biometric template handling seriously, and our products address them with this secure storage mechanism.

Get Started with TrustKey and Citrix Workspace

TrustKey’s biometric keys provide users with a simpler and easier authentication method with much better security. Once the user enrolls their fingerprints and registers the key as a FIDO2 authenticator, daily authentication and usage inside Citrix Workspace is simple — just scan the fingerprint!

That’s it! You are now logged in.

Learn More

Check out all our Citrix Ready-validated FIDO2 Security Keys in the Citrix Ready Marketplace.