01 Jun 2019  (539 Views) 
Out of the box

Risk of relying solely on fingerprint

Someone said:

Fingerprints are 2FA: your fingerprint + your phone. Your fingerprint is stored on a chip onboard your phone and hence only works on your device. Apple, Google and Samsung do not have your fingerprint.

Therefore, in order to use your fingerprint to authenticate on the app, you need 1. something you are (biometrics) and 2. something you have (your handphone). Those are the two factors in many banking apps: your phone and your fingerprint.

To elaborate, the 2 factors in "2FA" should comprise one item each from two of the 3 following categories: something you have (e.g. your phone or a token), something you know (e.g. a PIN or password) or something you are (e.g. fingerprint or iris scan).

The MAS Technology Risk Management Guidelines stipulate that financial institutions should provide 2FA for online financial systems, so I would have been surprised if your bank app did not have 2FA. I would add that while fingerprints aren't foolproof, authentication systems are always a compromise between security and convenience, and "fingerprint + handphone" 2FA is usually thought to strike an acceptable balance.

My reply
If the phone is misplaced and somebody gets hold of it, and is able to bypass the fingerprint authentication, e.g. make a fingerprint mould, he can open the SingPass Mobile app and the bank app. I prefer that, in addition to the fingerprint, the user has to enter a 6-digit PIN.

Comment - I have uninstalled the banking app and moved to the web app, with 2FA using my hard token.

Tan Kin Lian

Vote - is it risky to rely solely on fingerprint for access to banking app?
