What is FIDO (Fast Identity Online)?
First, what is FIDO? The name alone suggests a method of online authentication. Traditional information systems have long struggled with password authentication: weak security, stolen accounts, passwords that are hard to remember and inconvenient to use, and users complain about all of it. As more and more services moved online, the need grew for safer and faster ways to establish identity over the network. The FIDO Alliance therefore began formulating the FIDO standard in 2012; it was founded by several large companies including PayPal, Nok Nok Labs and Lenovo. Many other major companies in the information and communication industry, such as Google, Alibaba, Intel and Qualcomm, as well as payment companies such as Visa and American Express, have since joined, and the alliance now counts over two hundred member companies and agencies. Its goal is to promote password-less, secure and easy-to-use authentication methods that can solve the identity authentication problem for any public or private cloud network.
Image source: FIDO Alliance
From the figure above, the FIDO authentication mechanism consists of a local authentication device and a remote server. Unlike the password authentication of traditional network services, FIDO never sends a password over the network. It separates "verification" (proving locally that the user is present) from "identification" (proving to the server which registered user this is). The local user terminal works together with an authenticator, which can be a smartphone, a USB key, a smart card, or any device secure enough to store the user's authentication credentials. Public-key cryptography is used to convey the authentication result: the authenticator holds a private key, the server holds only the matching public key, and on each login the authenticator signs a fresh challenge issued by the server; the server decides whether the access request is legitimate by verifying that signature. This practice has the following features:
- The server does not need to store passwords or private keys, so no personal secret is shared with it. Even if the server is hacked, the attacker obtains only public keys, which cannot be used to log in as the user; contrast this with recent cases in which user data of large websites, such as Facebook, was stolen.
- The FIDO authentication protocols are open standards whose main aim is identity confirmation without password entry; combining them with biometric identification, two-factor authentication, or a second or multiple factors therefore becomes easier to realize.
As FIDO develops, we believe more authentication methods will follow, especially ones built on personal portable authentication devices.
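To make the separation described above concrete, the following is an added example, not code from the FIDO Alliance or from Nuvoton's reference design, of the challenge-response exchange in Go with both sides in one file: the authenticator (the local key) and the relying party (the server). The names `Authenticator`, `RelyingParty`, `rpID`, the choice of Ed25519, and the signed-message layout `SHA-256(rpID) || challenge` are assumptions made for illustration. Real FIDO2/WebAuthn assertions additionally carry a credential id, a signature counter and attestation, and sign the authenticator data together with a hash of the client data (origin and challenge); none of that formatting is modelled here. What the example does show is exactly the page's point: the server stores only a public key, each login signs a fresh single-use challenge so a captured assertion cannot be replayed, and the rpID is bound into the signed data so a look-alike origin gets no usable signature.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

var (
	ErrNoCredential = errors.New("authenticator: no credential for this rpID (wrong origin?)")
	ErrBadChallenge = errors.New("rp: unknown or already-used challenge")
	ErrBadSignature = errors.New("rp: signature does not verify with the registered public key")
)

// Authenticator is the local device (e.g. the USB FIDO key). It holds one private key
// per relying party; on a real key this table lives in the secure world and the private
// half is only ever used to sign, never exported. (Names are this example's own.)
type Authenticator struct{ keys map[string]ed25519.PrivateKey }

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]ed25519.PrivateKey{}} }

// Register mints a fresh key pair scoped to rpID and hands out only the public half.
func (a *Authenticator) Register(rpID string) ed25519.PublicKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	a.keys[rpID] = priv
	return pub
}

// signedData = SHA-256(rpID) || challenge (an assumed layout). Binding rpID into the
// signed message is what makes an assertion useless to any other origin.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], challenge...)
}

// Assert signs the challenge for rpID. The client platform supplies rpID from the real
// origin, so a look-alike phishing site finds no credential to sign with.
func (a *Authenticator) Assert(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, ErrNoCredential
	}
	return ed25519.Sign(priv, signedData(rpID, challenge)), nil
}

// RelyingParty is the server for one rpID (origin). It stores only public keys and at most
// one outstanding single-use challenge per user; stealing this table gains an attacker nothing.
type RelyingParty struct {
	rpID       string
	users      map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewRelyingParty(rpID string) *RelyingParty {
	return &RelyingParty{rpID, map[string]ed25519.PublicKey{}, map[string][]byte{}}
}

func (rp *RelyingParty) AddUser(name string, pub ed25519.PublicKey) { rp.users[name] = pub }

// BeginLogin issues a fresh random challenge, consumed by the next FinishLogin for that user.
func (rp *RelyingParty) BeginLogin(user string) []byte {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		panic(err)
	}
	rp.challenges[user] = ch
	return ch
}

// FinishLogin verifies the assertion with nothing but the stored public key.
func (rp *RelyingParty) FinishLogin(user string, sig []byte) error {
	ch, ok := rp.challenges[user]
	if !ok {
		return ErrBadChallenge
	}
	delete(rp.challenges, user) // single use: a captured assertion cannot be replayed
	pub, ok := rp.users[user]
	if !ok || !ed25519.Verify(pub, signedData(rp.rpID, ch), sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	rp, key := NewRelyingParty("bank.example"), NewAuthenticator()
	rp.AddUser("alice", key.Register("bank.example"))
	sig, _ := key.Assert("bank.example", rp.BeginLogin("alice"))
	fmt.Println("login:", rp.FinishLogin("alice", sig), "| replay:", rp.FinishLogin("alice", sig))
	_, err := key.Assert("bank-login.example", rp.BeginLogin("alice"))
	fmt.Println("phishing:", err)
}
```

Running `main` shows a successful login, the same assertion rejected when replayed, and the authenticator refusing to sign for the look-alike origin `bank-login.example`. Note that nothing in `RelyingParty` can be turned into a valid assertion: an attacker holding a copy of its table still needs the private key, which never left the authenticator, which is why the design sections below insist that key material stays in the secure world.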
NuMicro® M2351 USB FIDO Key Reference Design
With that background, let us look at the smart authentication solution proposed by Nuvoton. The reference design of the USB FIDO Key is as follows:
Since the M2351 is based on the Armv8-M TrustZone® architecture, we recommend placing the programs related to identity authentication in the secure world: for example, the code that talks to fingerprint sensors, smart cards, micro SD cards, or wireless interfaces such as an NFC card reader. Programs not related to authentication can be developed and placed in the non-secure world, for example the USB interface that connects to the PC/notebook to transfer data or supply power (depending on the use case, USB can of course also be assigned as a resource controlled by the secure world). Such a solution provides the following benefits:
- It is a FIDO terminal device design platform that offers diverse functions while remaining secure. For example, traditional companies and agencies mostly use ID cards to control personnel access and separate methods such as a USB dongle/U-Key for network access; an ID card is easily stolen and reused, and having to enter a password for the U-Key is troublesome. One integrated device can provide a more secure and convenient way to access office resources.
- It is a cost-competitive reference design. General-purpose microcontrollers lack TrustZone, offer incomplete support for data encryption, and provide no comparable mechanism for protecting software IP. Traditional secure microcontrollers were mostly designed around smart cards, with very limited peripherals and computing power, so multi-factor (password-less) authentication was difficult to realize on them. The M2351 combines TrustZone with XOM (eXecute-Only Memory); it is currently the only microcontroller in the industry to realize this secure combination for protecting software IP. Together with its flash memory access protection, it protects code both internally (during CPU execution) and externally (against debugging and programming operations). In certain closed private cloud systems a separate secure element is not even needed; where smart-card-level security is really required, interfaces such as ISO 7816 can be used to attach smart cards, SD cards or secure-element ICs. The M2351's performance and low power consumption also allow fast fingerprint identification. Taking the capacitive fingerprint sensors from SunASIC™ as an example, they come in four resolutions (120×120, 160×160, 176×176 and 192×192) and achieve successful identification in under one second.
- It is a platform suited to a secondary-development business model. Not every company specializes in network security and peripheral sensors. Through this platform, companies with the relevant technology can develop the core FIDO development kit, while companies with sales channels or final product requirements complete the final software, product design and production once the two parties have agreed on the software interface. This protects the core software, and it lets FIDO terminal devices reach the general public quickly.
Value and Security Levels of the M2351 USB FIDO Key Secondary Development Business Model
As products become more intelligent, the software running on microcontrollers also grows more complex and needs more R&D time. For example, precise and fast fingerprint identification algorithms give consumers a better experience with FIDO authentication devices that include a fingerprint sensor, such as eliminating password entry. But good fingerprint identification software cannot be developed in a short time, which is why product developers usually turn to software vendors for solutions that reduce development time. This industry trend has given rise to the secondary development business model, in which two developers collaborate on one product: one supplies the software and algorithms for specific functions, and the other focuses on developing the end application product.
As for security levels, we expect FIDO authentication to be applied very widely in the future, and therefore many different types of FIDO authentication devices to be manufactured. The storage of the local credentials (the user's private keys) must meet high security requirements, and if biometric identification such as fingerprint authentication is used, the fingerprint data must also be kept in the secure world. We also remind readers that connecting a smart card (such as a SIM card), an SD card, or a secure IC (secure element or security chip) can further raise the security strength. For fast, high-security FIDO authentication of this kind, the security features of the NuMicro® M2351 combine well with SIM cards, SD cards and security chips, and such combinations are very economical: the cost of a SIM card in China, for example, is already less than RMB 1. This can also open up new business opportunities for traditional SIM card software developers.