
Secure Passwordless MFA authentication on mobile app

Çağlar Arlı

I want to secure my mobile app with a passwordless MFA mechanism.

The registration/login flow would be:

  1. You register your account online with a username and a mobile phone (an OTP will be sent to verify the phone number).
  2. You login to the app for the first time by providing your username and the system will send an OTP to the registered mobile phone.
  3. After the first login, the app will create a private key on the device and ask the user to setup a biometric factor and a PIN fallback.
  4. On subsequent logins, the app will verify that you are in possession of the mobile (1st factor), and that you can unlock the private key with the biometric or PIN (2nd factor).

Now, let’s say my mobile got stolen and the thief knows my device PIN (1st factor is compromised). The 2nd biometric factor will fail. Then comes the fallback.

  • If the fallback is the native device PIN, the thief who knows my device PIN can log in to the app.
  • If the PIN fallback is user-defined, where to store it? Remotely on my server and it becomes a password. If stored locally, can I securely store it on iOS/Android and unlock the private key with it?
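One way to handle the second bullet (a user-defined PIN that is neither sent to the server nor stored on the device), shown here as an added example that is not part of the original question: the PIN is never written anywhere; it is stretched together with a device-bound secret into a key that wraps the device's private key, the server keeps only the public key, and a wrong PIN shows up only as a failed unwrap. Names (`enrollDevice`, `unlockKey`, `LocalStore`, `ServerRecord`) are hypothetical; `deviceBoundSecret` is a constructed stand-in for a non-exportable hardware-keystore key, and the iterated-HMAC stretching is a simplified stand-in for PBKDF2/scrypt/Argon2 so the block stays standard-library only.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Example values: tune the KDF cost to the device (a few hundred ms); lock out after 5 wrong PINs.
const kdfIterations, maxAttempts = 50000, 5

// Stand-in for a non-exportable hardware-keystore key (Secure Enclave / StrongBox); constructed for the example.
var deviceBoundSecret = sha256.Sum256([]byte("example-only-device-bound-secret"))

// ServerRecord is all the server stores: the public key, nothing a database leak can brute-force.
type ServerRecord struct{ PublicKey ed25519.PublicKey }

// LocalStore is what the app keeps on the device: the private key only in wrapped form; the PIN is never stored.
type LocalStore struct {
	Salt, Nonce, WrappedPrivKey []byte
	FailedAttempts              int
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// wrappingCipher derives the key-wrapping key from PIN + salt + device-bound secret by iterated HMAC
// (simplified KDF for the example; production code should use PBKDF2, scrypt or Argon2).
// Mixing in the hardware secret means a copied LocalStore cannot be brute-forced offline.
func wrappingCipher(pin string, salt []byte) (cipher.AEAD, error) {
	key := deviceBoundSecret[:]
	data := append(append([]byte(nil), salt...), pin...)
	for i := 0; i < kdfIterations; i++ {
		mac := hmac.New(sha256.New, key)
		mac.Write(data)
		key = mac.Sum(nil)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// enrollDevice is step 3 of the flow: create the device key pair, wrap the private key under the PIN-derived key, give the server only the public key.
func enrollDevice(pin string) (ServerRecord, *LocalStore, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return ServerRecord{}, nil, err
	}
	local := &LocalStore{Salt: randomBytes(16), Nonce: randomBytes(12)}
	gcm, err := wrappingCipher(pin, local.Salt)
	if err != nil {
		return ServerRecord{}, nil, err
	}
	local.WrappedPrivKey = gcm.Seal(nil, local.Nonce, priv, nil)
	return ServerRecord{PublicKey: pub}, local, nil
}

// unlockKey is the PIN fallback: a wrong PIN is only a GCM authentication failure, and repeated failures lock the wrapped key.
func unlockKey(local *LocalStore, pin string) (ed25519.PrivateKey, error) {
	if local.FailedAttempts >= maxAttempts {
		return nil, fmt.Errorf("locked after %d wrong PINs; re-enrol via the first-login flow", maxAttempts)
	}
	gcm, err := wrappingCipher(pin, local.Salt)
	if err != nil {
		return nil, err
	}
	priv, err := gcm.Open(nil, local.Nonce, local.WrappedPrivKey, nil)
	if err != nil {
		local.FailedAttempts++
		return nil, fmt.Errorf("wrong PIN (attempt %d of %d)", local.FailedAttempts, maxAttempts)
	}
	local.FailedAttempts = 0
	return ed25519.PrivateKey(priv), nil
}

// Step 4: fresh server challenge per login (no replay), signed by the unlocked device key, verified with the public key only.
func newChallenge() []byte                                           { return randomBytes(32) }
func deviceRespond(priv ed25519.PrivateKey, challenge []byte) []byte { return ed25519.Sign(priv, challenge) }
func serverVerify(rec ServerRecord, challenge, sig []byte) bool      { return ed25519.Verify(rec.PublicKey, challenge, sig) }

func main() {
	rec, local, _ := enrollDevice("4821")
	_, err := unlockKey(local, "0000")
	fmt.Println("wrong PIN:", err)
	priv, _ := unlockKey(local, "4821")
	ch := newChallenge()
	fmt.Println("login accepted:", serverVerify(rec, ch, deviceRespond(priv, ch)))
}
```

Two design points the code makes concrete. The app PIN is independent of the native device PIN, so a thief who knows the device PIN gains nothing from it; and the server never holds anything PIN-related, so it cannot become a password. On a real device the wrapping and the attempt counter belong in the platform keystore (Keychain access control / Android Keystore with user authentication required), because a counter kept in app storage is only as strong as the device-bound secret that protects the wrapped key.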

Also, how can I secure first time logins in case of theft?

If the thief takes my SIM and inserts it in another phone, he can enter my username and receive the SMS OTP sent to the registered device (that he got access to).

I’ve seen apps whose login flow asks for the phone number as username and sends an SMS OTP to that phone number. How is that secure? If a thief gets access to the phone or SIM, the login process is not secure.