Amazon, your in-home delivery app’s new authentication is not safe

by Perry Chaffee, on Fri 13 April 2018

Sure, Amazon’s in-home delivery app might be convenient, but let’s get to the point: it’s not secure. At all. Let’s explore why and how quality trumps quantity when it comes to multi-factor authentication (MFA) and two-factor authentication (2FA).

The situation:

When Amazon debuted Amazon Key, its in-home delivery app, in October 2017, it gave users the ability to watch activity in their home and grant remote access to their home’s smart lock. However, the new product raised big questions with consumers like, how will customers know when it’s okay to unlock their doors for a stranger? And, will the benefit of having your packages delivered quickly and securely outweigh any privacy and security concerns? To echo TechCrunch’s argument, “given that the app essentially controls who gets in and out of your home, it would be problematic if your phone got into the hands of someone malicious.”

Problematic is a nice way of saying catastrophic.

After much public criticism, it makes sense the company would implement 2FA to its Amazon Key app for an additional layer of security. This is where Amazon failed.

The truth behind biometrics as a first authentication factor:

Using biometrics as a first authentication factor sounds great, but it actually opens up more vulnerabilities. The reality is, Amazon is applying a Band-Aid to fix its security issue. We all know passwords and usernames are inconvenient and annoying.

To protect consumers and their data, companies need to switch the login process from “something you know,” such as human readable credentials (HRC), to “something you have,” such as a smartcard ID or USB keyset.

The fingerprint biometrics that Amazon adopted is exciting and new, but how can companies with millions of customers balance flexibility and convenience with security? While biometrics makes a great additional verification factor, it’s terrible when used incorrectly in the initial identification stage of the authentication process.

For that first step, it should always use something a consumer has, followed by something (only) that same consumer knows. Additionally, the method that’s used to unlock a consumer’s device should be different than the method used to unlock sensitive features of the device. For example, if consumers unlock it with a PIN, consumers should use a different PIN to unlock sensitive features and apps.

While we appreciate Amazon for taking a step in the right direction to protect its customers, they should have thought of these situations before the Amazon Key was made available to the public. It’s Amazon’s responsibility – their Duty of Care – to their most loyal customers.

So, what can companies do?

Enterprises can transition to secure, simple multi-factor authentication using WWPass and couple it with the biometric security features built into their customers’ phones. With the free PassKey mobile app, customers can safely use fingerprints or biometrics for authentication and companies can keep their business secure.

Keep your customers and their data safe.