Biometric Authentication Security Architecture

Security Model Overview

The PVPipe Biometric Authentication system implements a multi-layered security approach designed for enterprise environments with strict Vietnamese regulatory compliance requirements.

Core Security Principles

1. Zero Trust Architecture

  • No implicit trust based on network location
  • Every request must be authenticated and authorized
  • Device identity verification for all biometric operations
  • Session-based trust with continuous validation

2. Defense in Depth

  • Multiple security layers to prevent single points of failure
  • Field-level encryption for sensitive data
  • Network-level security controls
  • Application-level input validation
  • Database-level access controls

3. Principle of Least Privilege

  • Minimal token scopes for specific operations
  • Device-specific token binding
  • Time-limited session validity
  • Role-based access control integration

Cryptographic Architecture

Key Management Hierarchy

Root Trust
├── JWT Signing Key (HS256)
│   ├── Access Tokens (15min-8h)
│   ├── Refresh Tokens (3-30 days)
│   └── Action Confirmation Tokens (5min)
├── Field Encryption Key (AES-256-GCM)
│   ├── Public Key Encryption
│   ├── Sensitive Payload Encryption
│   └── Audit Data Encryption
└── Device Keys (ES256/RS256/PS256)
    ├── Device Public Keys (stored encrypted)
    ├── Challenge Signatures
    └── Confirmation Signatures

Cryptographic Standards

Component Algorithm Key Size Notes
JWT Signing HMAC-SHA256 256 bits Symmetric key for all tokens
Field Encryption AES-256-GCM 256 bits Derived from JWT secret
Device Signatures ES256 256 bits Recommended for mobile
Device Signatures RS256/PS256 2048+ bits Legacy support
Challenge Generation CSPRNG 512 bits High entropy challenges
Nonce Generation CSPRNG 256 bits Replay attack prevention

Signature Verification Process

Data Protection Architecture

Field-Level Encryption

Sensitive fields are encrypted using AES-256-GCM with the following properties:

  • Encryption Key: Derived from JWT secret using PBKDF2
  • Nonce: 96-bit random value per encryption
  • Authentication Tag: 128-bit GCM tag
  • Additional Data: Field name and table context
type EncryptedField struct {
    Ciphertext []byte `json:"ciphertext"`
    Nonce      []byte `json:"nonce"`
    Tag        []byte `json:"tag"`
    AAD        string `json:"aad"`
}

Encrypted Data Fields

Table Field Purpose
registered_devices public_key Device public key storage
confirmation_sessions action_payload Sensitive action data
audit_logs details Security event details

Data Flow Security

┌─────────────────┐    Encrypted    ┌──────────────────┐
│   Client App    │◄──────────────► │   API Gateway    │
└─────────────────┘     (TLS 1.3)   └──────────────────┘
                                           │
                                    Field Encryption
                                           │
                                           ▼
                                    ┌──────────────────┐
                                    │   Application    │
                                    │     Server       │
                                    └──────────────────┘
                                           │
                                    Connection Encryption
                                           │
                                           ▼
                                    ┌──────────────────┐
                                    │   PostgreSQL     │
                                    │    Database      │
                                    └──────────────────┘

Token Security Architecture

Token Types and Trust Levels

1. Standard Tokens

  • Access: Web-based operations, 8-hour lifetime
  • Refresh: Token renewal, 3-30 day lifetime
  • Trust Level: Medium (username/password authentication)

2. Biometric Tokens

  • Access: Mobile operations, 15-minute lifetime
  • Refresh: Mobile token renewal, 30-day lifetime
  • Trust Level: High (biometric + device binding)
  • Device Binding: Cannot be used from different devices

3. Action Confirmation Tokens

  • Purpose: Single-use action approval
  • Lifetime: 5 minutes maximum
  • Nonce: Unique per token for replay protection
  • Trust Level: Very High (biometric + action context)

Token Security Features

Device Binding

{
  "device_id": "uuid-of-registered-device",
  "auth_method": "biometric",
  "trust_level": "high",
  "device_fingerprint_hash": "sha256-hash"
}

Token Family Rotation

{
  "token_family": "device_20250802150405",
  "rotation_count": 3,
  "max_rotations": 100
}

Single-Use Tokens

{
  "single_use": true,
  "nonce": "cryptographic-nonce",
  "action_hash": "sha256-of-action-payload"
}

Audit and Compliance Architecture

Audit Event Categories

Category Events Retention
Authentication Login, logout, token refresh 2 years
Device Management Registration, deletion, FCM updates 5 years
Action Confirmation Initiation, approval, rejection 7 years
Security Events Failed auth, suspicious activity 10 years
System Events Service start/stop, config changes 1 year

Audit Data Structure

{
  "id": "uuid",
  "timestamp": "2025-08-02T15:30:00.000Z",
  "event_type": "biometric_login",
  "severity": "info",
  "user_id": 12345,
  "device_id": "device-uuid",
  "ip_address": "192.168.1.100",
  "user_agent": "PVPipe-Mobile/1.2.0",
  "success": true,
  "error_message": null,
  "details": {
    "auth_method": "fingerprint",
    "trust_level": "high",
    "session_duration": 900
  }
}

Vietnamese Compliance Features

Legal Requirements Met

  • Digital Signature Law: Audit trail requirements
  • Cybersecurity Law: Data protection measures
  • Enterprise Law: Financial transaction controls
  • Privacy Protection: Personal data handling

Compliance Controls

  • Immutable audit logs
  • Digital signature verification
  • User consent tracking
  • Data retention policies
  • Cross-border data restrictions

Network Security Architecture

API Gateway Security

Internet ──► [WAF] ──► [Load Balancer] ──► [API Gateway] ──► [ms-auth]
              │            │                   │               │
              │            │                   │               │
        DDoS Protection   SSL Termination   Rate Limiting   Authentication
        SQL Injection     Health Checks    Circuit Breaker  Authorization
        XSS Protection    Failover         Request Logging   Input Validation

Security Headers

Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin

Rate Limiting Strategy

Endpoint Category Rate Limit Burst Window
Authentication 10/min 20 1 hour
Device Registration 5/min 10 15 min
Confirmation 20/min 50 1 hour
Device Management 30/min 60 1 hour
Health Checks 100/min 200 1 min

Security Monitoring Architecture

Real-time Monitoring

┌─────────────────┐    Events     ┌──────────────────┐
│   Application   │──────────────►│   Audit Service  │
│     Logs        │               │                  │
└─────────────────┘               └──────────────────┘
                                           │
                                    Structured Logs
                                           │
                                           ▼
                                    ┌──────────────────┐
                                    │    Log Store     │
                                    │   (Database)     │
                                    └──────────────────┘
                                           │
                                    Analysis Queries
                                           │
                                           ▼
                                    ┌──────────────────┐
                                    │   Monitoring     │
                                    │    Dashboard     │
                                    └──────────────────┘

Security Alerts

Automated Alerts

  • Multiple failed authentication attempts
  • Unusual device registration patterns
  • High-value action confirmations
  • Service availability issues
  • Database connection failures

Alert Thresholds

authentication_failures:
  threshold: 5
  window: 15m
  action: temporary_block

device_registrations:
  threshold: 10
  window: 1h
  action: manual_review

confirmation_rejections:
  threshold: 3
  window: 30m
  action: security_review

Threat Model and Mitigations

Identified Threats

1. Man-in-the-Middle Attacks

Threat: Interception of authentication data Mitigations:

  • TLS 1.3 encryption for all communications
  • Certificate pinning in mobile applications
  • HSTS headers for web applications
  • Public key cryptography for challenge-response

2. Replay Attacks

Threat: Reuse of captured authentication data Mitigations:

  • Time-limited challenges (2-5 minutes)
  • Cryptographic nonces in tokens
  • Single-use confirmation tokens
  • Sequence number validation

3. Device Compromise

Threat: Malicious access to registered device Mitigations:

  • Hardware security module storage
  • Biometric requirement for key usage
  • Device attestation (future)
  • Remote device revocation

4. Token Theft

Threat: Stolen or leaked authentication tokens Mitigations:

  • Short-lived access tokens (15 minutes)
  • Device binding for biometric tokens
  • Token family rotation
  • Revocation capabilities

5. Database Compromise

Threat: Unauthorized database access Mitigations:

  • Field-level encryption for sensitive data
  • Database access controls
  • Connection encryption
  • Audit logging for all access

6. Social Engineering

Threat: Manipulation of users or administrators Mitigations:

  • Multi-factor authentication requirements
  • Approval workflows for sensitive actions
  • Security awareness training
  • Audit trails for administrative actions

Security Controls Matrix

Threat Category Preventive Detective Corrective
Authentication MFA, Biometrics Failed login monitoring Account lockout
Authorization RBAC, Token scopes Privilege escalation detection Permission revocation
Data Protection Encryption, Access controls Data access monitoring Incident response
Network Firewalls, TLS Traffic analysis Network isolation
Application Input validation, SAST Vulnerability scanning Patch management

Incident Response Architecture

Security Incident Classification

Level Description Response Time Escalation
Critical Service compromise, data breach 15 minutes CISO, Management
High Security control failure 1 hour Security team
Medium Suspicious activity detected 4 hours Operations team
Low Policy violations 1 day System administrator

Automated Response Actions

incident_responses:
  multiple_auth_failures:
    trigger: failed_attempts > 5 in 15m
    actions:
      - block_ip_address
      - alert_security_team
      - log_incident
  
  unusual_device_activity:
    trigger: new_device_registrations > 10 in 1h
    actions:
      - require_manual_approval
      - notify_administrators
      - increase_monitoring
  
  token_anomalies:
    trigger: token_usage_pattern_anomaly
    actions:
      - revoke_suspicious_tokens
      - force_re_authentication
      - security_investigation

Recovery Procedures

Token Compromise Response

  1. Identify compromised token families
  2. Revoke all tokens in affected families
  3. Force re-authentication for affected users
  4. Audit access logs for unauthorized activity
  5. Update security controls to prevent recurrence

Database Compromise Response

  1. Isolate database server
  2. Assess scope of data access
  3. Rotate encryption keys
  4. Re-encrypt sensitive fields
  5. Implement additional monitoring
  6. Notify affected users and authorities

Security Best Practices

Development Security

Secure Coding Practices

  • Input validation on all boundaries
  • Output encoding for all responses
  • Error handling without information disclosure
  • Secure random number generation
  • Constant-time comparison for secrets

Code Review Requirements

  • Security-focused code reviews for all changes
  • Automated security scanning (SAST/DAST)
  • Dependency vulnerability scanning
  • Cryptographic implementation review

Operational Security

Key Management

  • Regular rotation of JWT signing keys
  • Secure storage of encryption keys
  • Hardware security modules for production
  • Key escrow for business continuity

Monitoring and Alerting

  • Real-time security event monitoring
  • Anomaly detection for user behavior
  • Performance monitoring for DoS detection
  • Compliance reporting automation

Backup and Recovery

  • Encrypted backups of sensitive data
  • Regular recovery testing
  • Geographic distribution of backups
  • Immutable audit log preservation

This security architecture provides comprehensive protection for the biometric authentication system while meeting Vietnamese enterprise compliance requirements and industry security best practices.