Pretty much. Yes.
-
Join the MyBroadband community
South Africa’s biggest forum. Discuss, discover, and connect with thousands of members.
-
Question of the Day: Which is the most hair-raising South African mountain pass you've driven?
Immigrating to the UK
- Thread starter AchmatK
- Start date
The Voice
Honorary Master
Interested to know how they’re fleecing people, then. They apparently aren’t even really interested in the devices.
Yeah me too. Because the odds of snatching a phone from someone and preventing it from locking and that person being on their banking app - must be super, super low. More chance of winning the lottery.
Tman*
Executive Member
- Joined
- Jul 18, 2012
- Messages
- 7,408
- Reaction score
- 8,843
Got a lekker friday deal:
6 Bottles of wine, plus 2 wine glasses & free delivery for £25. use 30OFF at checkout
6 Bottles of wine, plus 2 wine glasses & free delivery for £25. use 30OFF at checkout
IIRC, the problem is that if you register a new face for the iPhone unlock, that face also unlocks your banking app. I don't recall how they register a new face, but I suspect they need to also get your unlock code.
Sinbad
Honorary Master
- Joined
- Jun 5, 2006
- Messages
- 88,634
- Reaction score
- 41,152
Most of my apps that rely on biometrics will also invalidate the biometrics if the biometric db on the phone changes (ie, new fingerprint or face) and you'll have to log in manually again to re-enable
The Voice
Honorary Master
Which isn’t great if you use a PIN to unlock your phone instead of FaceID, and they’ve already seen you put it in.
Again, the chances of it happening to any of us is probably (hopefully?) extremely limited because we’re at least a bit savvy, but spare a thought for those people out there who still use the PIN 12345 to get into their phones.
Dave
Honorary Master
Same with mine.
That's a system thing on the phone. Apps have zero idea what biometrics are available (Eg, how many faces or if a new face was added)
Well, on iOS that is the case. Not sure about Android.
Sinbad
Honorary Master
- Joined
- Jun 5, 2006
- Messages
- 88,634
- Reaction score
- 41,152
Pretty sure it's trivial for the biometrics db to have a date stamp or something, and the app can keep track of that...?
I don't use phone authentication for any financial apps. I prefer to keep those apps locked separate from the device authentication by using unique PINS for each of these apps.
Pseudo 2 factor I suppose
From what I recall, biometric info is stored in an embedded security chip with restricted access. All an app can do is request validation dialog/popup via the OS, and then callbacks occur depending on the result of validation (eg: success, fail, no hardware, update required, etc). It's not the apps job to try determine if a biometric is valid or not, only to act on what the result callback is.
Nope.
The "biometrics DB" is the Secure Enclave: https://support.apple.com/en-za/guide/security/sec59b0b31ff/web
Not even iOS "knows" your biometrics. When your phone scans your biometrics, the info is sent straight to this chip - and it tells the OS "Yay or Nay"
OS and all Apps cannot read this chip.
Aside from that - 3rd party apps know even less about biometric data (As it should be). We (devs) only know a few things:
1. Does this device have biometrics?
2. Type? (TouchID or FaceId)
3. Is it on?
4. Did the user authenticate?
You don't get any more information that. Zero data on how many faces or finger prints and zero data on recent changes to the system.
If a user could not authenticate (Chip "invalidates" it - for whatever reason) we just get told "Biometrics not available" and the system will then prompt the user to enter a passcode.
Presenting the FaceID UI and all of that is 100% system controlled. When a user authenticates, we are just told "Yep, they authenticated" or "Failed" - thats it - no other info.
This is on iOS / Apple devices. Apple is serious about user privacy and data.
Again can't speak to Android.
Mr Smooth
Expert Member
With iOS18 you're now able to "Lock" any app behind biometrics as well. So even if someone stole your phone whilst it was unlocked and then opened your app - it will prompt for biometrics again. Even if that app does not support it.
They all work the same, even Windows devices with Hello. All hardware backed authentication chips to handle biometrics authentication. I actually believe Windows stores standard credentials in a TPU chip if it exists on the device.
Sinbad
Honorary Master
- Joined
- Jun 5, 2006
- Messages
- 88,634
- Reaction score
- 41,152
Android definitely has a mechanism for apps figuring out that the biometric dB has changed.
Detect biometric change in a App in Android Device
Wanted to know if there is a way to detect biometric change in Android without using the setInvalidatedByBiometricEnrollment https://developer.android.com/reference/android/security/keystore/
stackoverflow.com
A unique secret key is generated by an app that wishes to use device biometrics authentication. This key is used to initialize a cipher to be used by the app.Android definitely has a mechanism for apps figuring out that the biometric dB has changed.
Detect biometric change in a App in Android Device
Wanted to know if there is a way to detect biometric change in Android without using the setInvalidatedByBiometricEnrollment https://developer.android.com/reference/android/security/keystore/
A KeyPermanentlyInvalidatedException is thrown when a biometric is added/removed from the secure biometric store and an app with a "stale" secret key is used to request biometric authentication.
So the app only has KeyPermanentlyInvalidatedException to check for an act upon.