Saturday, June 01, 2019

Risk of relying solely on fingerprint access

Someone said.

Fingerprints are 2FA: your fingerprint + your phone. Your fingerprint is stored on a chip onboard your phone and hence only works on your device. Apple, Google and Samsung do not have your fingerprint.

Therefore, in order to use your fingerprint to authenticate on the app, you need 1. something you are (biometrics) and 2. something you have (your handphone). That's the two factors in many banking apps: your phone and your fingerprint.

To elaborate, the 2 factors in "2FA" should comprise one item each from the 3 following categories: something you have (e.g. your phone or a token), something you know (e.g. a PIN or password) or something you are (e.g. fingerprint or iris scan).

The MAS Technology Risk Management Guidelines stipulate that financial institutions should provide 2FA for online financial systems, so I would have been surprised if your bank app did not have 2FA. I would add that while fingerprints aren't foolproof, authentication systems are always a compromise between security and convenience, and "fingerprint + handphone" 2FA is usually thought to strike an acceptable balance.

My reply
If the phone is misplaced and somebody gets hold of it, and is able to bypass the fingerprint authentication, e.g. make a fingerprint mould, he can open the SingPass Mobile app and the bank app. I prefer that in addition to the fingerprint, the user has to enter a 6-digit PIN.

Comment - I have uninstalled the banking app and moved to the web app using 2FA on my hard token.
