
How does 2FA with Biometrics improve security?

Çağlar Arlı - 20 Views


Where I work, this is the passwordless registration/login flow for our Mobile App:

  1. A user registers with a username and a phone number. An SMS OTP is sent to the phone number to verify it.
  2. Initial login: The user logs in to the mobile app with their username. The app sends an OTP code to the registered mobile number.
  3. After login, the app prompts the user to enable a Biometric factor and a PIN as fallback for enhanced security.
  4. Next time the user logs in, he has to be in possession of the phone number (first factor) and complete the Biometric challenge (second factor).

The process seems pretty standard. We have

  • Initial login
    • Username + Mobile OTP (something you have)
  • Subsequent Logins
    • Biometric/PIN (something you are or know) bound to something you have (the mobile device where the biometric/PIN is setup)

But how is the biometric bringing any security value besides being more "user friendly" than the PIN? If the biometric fails, it falls back to the PIN. So the PIN is the real factor.

Now consider the following threat:

Your phone gets stolen. The first security factor is now compromised. The thief can access the mobile app in two ways:

Access the account from the stolen device

  1. If the phone is locked by a PIN, then the App is already protected by the device PIN.
  2. In case of phone jacking, the PIN might be known to the thief, so putting the app behind a biometric/PIN is useless.

Perform a first-time login from another device with your SIM card

  • The thief can do a SIM Swap and first-time login on a new device by receiving the OTP on the SIM. In that case, the biometric/PIN is not a safeguard anymore.

A third solution would be to ask the user to input a user-defined PIN that is stored remotely on my backend. But then, it is not bound to the device anymore. It becomes a simple password.

So, how are biometrics supposed to improve security? What is the correct workflow used by banks?
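To make the "biometric/PIN bound to the device" step of the flow concrete, here is an added example (not code from the post's author or their app) of the usual device-binding model: the biometric or PIN never travels to the backend; it only unlocks a key held on the phone, and the server verifies a single-use challenge answered with that key. The in-memory `Server` and `Device` classes, the user `alice`, and the symmetric HMAC binding key are all constructed assumptions for the demo; real deployments register a public key and keep the private key in the phone's hardware-backed keystore. The scenarios show what the binding does protect against (a locked device, a replayed response, a device that was never enrolled) and, by omission, what it does not: a device re-enrolled through an SMS OTP alone, which is exactly the SIM-swap gap the post describes.

```python
"""Device-bound second factor: the local biometric/PIN unlocks a key that stays
on the phone; the backend only ever checks a challenge answered with that key.
Added example with constructed in-memory stores, not the post's own code."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional


class Device:
    """Models the phone. The binding key lives only here (in practice in the
    hardware-backed keystore) and is usable only after a local unlock."""

    def __init__(self) -> None:
        self._binding_key = secrets.token_bytes(32)
        self._unlocked = False

    def enrollment_material(self) -> bytes:
        # Simplification: a symmetric key shared with the server at enrollment.
        # A real deployment registers a public key and never exports the private one.
        return self._binding_key

    def local_unlock(self, biometric_ok: bool, pin_ok: bool) -> bool:
        # Biometric with PIN fallback, as in the flow described in the post.
        # Neither value leaves the device; they only gate use of the key.
        self._unlocked = biometric_ok or pin_ok
        return self._unlocked

    def lock(self) -> None:
        self._unlocked = False

    def answer_challenge(self, nonce: bytes) -> Optional[bytes]:
        if not self._unlocked:
            return None  # key is unusable without the local factor
        return hmac.new(self._binding_key, nonce, hashlib.sha256).digest()


class Server:
    """Backend: stores per-user device binding material and outstanding nonces."""

    def __init__(self) -> None:
        self._device_keys: Dict[str, bytes] = {}
        self._pending: Dict[str, bytes] = {}

    def enroll_device(self, username: str, material: bytes) -> None:
        # In the post's flow this happens right after the OTP-verified initial login.
        self._device_keys[username] = material

    def start_login(self, username: str) -> bytes:
        nonce = secrets.token_bytes(32)
        self._pending[username] = nonce
        return nonce

    def finish_login(self, username: str, response: Optional[bytes]) -> bool:
        nonce = self._pending.pop(username, None)  # single use: a replayed answer fails
        key = self._device_keys.get(username)
        if nonce is None or key is None or response is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def run_scenarios() -> Dict[str, bool]:
    """Runs four constructed login attempts and reports whether each succeeded."""
    server = Server()
    phone = Device()
    server.enroll_device("alice", phone.enrollment_material())

    # 1. Legitimate user: biometric passes, the enrolled phone answers the challenge.
    phone.local_unlock(biometric_ok=True, pin_ok=False)
    nonce = server.start_login("alice")
    response = phone.answer_challenge(nonce)
    legit = server.finish_login("alice", response)

    # 2. Replay: the captured response is sent again; the nonce was already consumed.
    replay = server.finish_login("alice", response)

    # 3. Locked device: without biometric or PIN the key cannot answer at all.
    phone.lock()
    nonce = server.start_login("alice")
    locked_device = server.finish_login("alice", phone.answer_challenge(nonce))

    # 4. Unenrolled device: another phone (e.g. after a SIM swap) has the OTP path
    #    but not alice's binding key, so its answer does not verify.
    other_phone = Device()
    other_phone.local_unlock(biometric_ok=True, pin_ok=True)
    nonce = server.start_login("alice")
    unenrolled_device = server.finish_login("alice", other_phone.answer_challenge(nonce))

    return {
        "legit": legit,
        "replay": replay,
        "locked_device": locked_device,
        "unenrolled_device": unenrolled_device,
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'login accepted' if ok else 'login rejected'}")
```

The design point is that the backend stores binding material, not the PIN or a biometric template, so the local factor is not "a simple password" stored remotely; what it still cannot do is distinguish a legitimate re-enrollment from one performed with a hijacked SIM, which is why the OTP-only enrollment step remains the part to harden.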