Can Android apps be developed to allow users to select which fingerprint (out of the multiple stored on the phone) to use for authentication?

A client recently added fingerprint authentication as an alternative form of signing in to their application which stores sensitive data.
Of course, the username and password are verified before allowing fingerprint authentication.
But this and other applications I've tested have had one major flaw which no one seems to talk about: all enrolled fingerprints on the phone are also allowed to have access to user accounts in the application. This means that if I add my wife's fingerprint on my phone for some reason or another, and I allow unlocking my banking application via my fingerprint, my wife is able to sign in freely to my banking application and perform operations on my behalf!
My question is: is there a way to bolster this feature for applications built to run on Android? Can developers integrate selecting which fingerprint (out of the multiple stored on the phone) is actually allowed access to user accounts?

No. The purpose of in-app biometric authentication is to verify that you own the device, not to identify the user, because it is assumed that if there is more than one owner, each of them will have a separate user account created by the Android multiple users feature. Multiple users have their own personal space for custom home screens, accounts, apps, settings and more. If the device is enrolled with multiple biometrics under the same account, the device will assume ownership by whoever successfully authenticates with their biometrics.
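An added example (not from the question or the answer above) showing the one control Android does give an app here: it still cannot pick a single fingerprint, but a Keystore key marked `setInvalidatedByBiometricEnrollment(true)` becomes unusable as soon as another fingerprint is enrolled, so the app can detect the "someone added a finger later" case and fall back to username/password. The key alias and prompt strings are assumptions.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.security.keystore.KeyProperties;
import androidx.biometric.BiometricPrompt;
import androidx.core.content.ContextCompat;
import androidx.fragment.app.FragmentActivity;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public final class EnrollmentBoundBiometric {
    private static final String ALIAS = "login_token_key"; // hypothetical alias
    private static final String TRANSFORM = "AES/GCM/NoPadding";

    // Call once, right after the username/password login succeeded.
    public static void createKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setUserAuthenticationRequired(true)       // unusable without a biometric
                .setInvalidatedByBiometricEnrollment(true) // default, made explicit
                .build());
        kg.generateKey();
    }

    // Returns null when the enrolled set changed (or no key exists): use password login.
    public static Cipher cipherForUnlock() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        SecretKey key = (SecretKey) ks.getKey(ALIAS, null);
        if (key == null) return null;
        Cipher cipher = Cipher.getInstance(TRANSFORM);
        try {
            cipher.init(Cipher.ENCRYPT_MODE, key);
        } catch (KeyPermanentlyInvalidatedException e) {
            ks.deleteEntry(ALIAS); // a fingerprint was added since the key was created
            return null;
        }
        return cipher;
    }

    // Bind the prompt to the cipher so a successful scan is tied to this key.
    public static void prompt(FragmentActivity activity, Cipher cipher,
                              BiometricPrompt.AuthenticationCallback cb) {
        BiometricPrompt.PromptInfo info = new BiometricPrompt.PromptInfo.Builder()
                .setTitle("Unlock").setNegativeButtonText("Use password").build();
        new BiometricPrompt(activity, ContextCompat.getMainExecutor(activity), cb)
                .authenticate(info, new BiometricPrompt.CryptoObject(cipher));
    }
}
```

Anything decrypted with this key should be the only thing that restores the session, so that a null from `cipherForUnlock()` genuinely forces the password path rather than just skipping the prompt.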

Related

Generating Firebase Auth Anonymous User to represent a desktop installation?

In the software I'm writing, you log in to your account for a piece of desktop software, and then many users use the software at a business location (it's not associated with a single user). To allow the desktop software to make requests that aren't directly associated with a single user account, I'm generating a new user behind the scenes for every desktop software link.
I create a user through the Admin SDK that just has a user id (no name, or email, or phone number etc), and give it a custom claim that allows me to differentiate it from the rest of the real user accounts. If the install is unlinked, I delete the user from Firebase.
Is this an acceptable way of using Firebase Auth users? The main thing I'm concerned about is the refresh token expiring or something like that.

How to bring in user sign in for a hyperledger fabric web app?

I am trying out a sample hyperledger fabric app. I am thinking of developing a web app that can communicate with fabric chaincode and execute chaincode functions. But in order to uniquely identify a user, the certificate is required. How can I achieve a user login mechanism in my web app (for example with username and password) such that it will identify the user who logged in and is calling the function?
Hello #Mohamed Noushad
It is very simple.
As we know, once we register a user and enroll, we get a private key and a certificate. It will be difficult for the users to manage the keys.
So, traditional users are more comfortable with usernames and passwords rather than keys. So, create a database on top of user keys: username, user
user is for fabric and username is for your database. Or you can use the username for both.
You handle the keys and the user needs to authenticate to prove that the set of keys belongs to him. Once the user authenticates with creds in the database using a normal username and password, then you allow him to interact with fabric with the key enabled by you on behalf of the user.
Certificates can be stored in three different ways:
local kvs (file system)
couch dB kvs
Hardware wallets (HSM)
This is just one suggestion. We can do it in (n) number of ways. Just think!!

Keep user logged in

I want to keep the user logged in (the user shouldn't enter username/password every time he uses the app), like in Facebook & Twitter.
I've gone through questions & the only way I found is to save the username & password, then perform login every time the user opens the app.
Does Worklight/MobileFirst have a way to keep user logged in?
There are other Worklight/MobileFirst features that you may be interested in looking into...
Device SSO
http://www-01.ibm.com/support/knowledgecenter/?lang=en#!/SSHS8R_6.3.0/com.ibm.worklight.dev.doc/devref/c_device_single_sign_on.html
Single sign-on (SSO) enables users to access multiple resources (that is, applications and adapter procedures) by authenticating only once.
The SSO session lasts as long as the configured session timeout period (default 10 minutes).
User certificate authentication
http://www-01.ibm.com/support/knowledgecenter/?lang=en#!/SSHS8R_6.3.0/com.ibm.worklight.monitor.doc/monitor/c_user_CA.html
The very first time, you're asked to authenticate using your authentication realm of choice. At this time your device is enrolled and an x509 certificate is saved on your device.
Every request after that uses the x509 certificate stored on the device, so authentication is seamless to the user.
You're asked to reauthenticate only after x509 certificate expires, or is revoked.
Requires a PKI (to manage certificates). An embedded PKI is provided only for dev/test purposes.
Certificate can be associated with a single app or a family of applications (signed by same identity and belonging to the same group).
JSONStore
http://www-01.ibm.com/support/knowledgecenter/?lang=en#!/SSHS8R_6.3.0/com.ibm.worklight.dev.doc/devref/c_jsonstore.html
JSONStore is a lightweight, document-oriented storage system that is included as a feature of IBM® MobileFirst Platform Foundation, and enables persistent storage of JSON documents.
You can store encrypted passwords, but you would need to save some sort of PIN as the password for the store in order to save the password correctly.
Simple Data Sharing
http://www-01.ibm.com/support/knowledgecenter/?lang=en#!/SSHS8R_6.3.0/com.ibm.worklight.dev.doc/devref/c_simple_data_sharing.html
You can store simple data like user IDs/passwords using simple data sharing. The data persists after the app is shut down. You can even share this with other applications in the same family (signed by the same identity and belonging to the same group).
Sounds like you're looking for a "remember me"-like functionality.
IBM Worklight does not provide this ability built-in. You need to implement it.
You can review past questions about this, like this one: How to achieve "Remember Me" functionality for both local and remote login pages?

Allow users to choose multiple authentication methods with Azure Mobile Service

I would like to allow my users to choose from all the available authentication options that Azure Mobile Services provides when signing in but I'm not sure how to link their accounts together if say they choose to authenticate with Facebook the first time and then the next time they run the application they choose a different service.
You have to use a username that, upon inserting into your table, you check to see if a username like this already exists and then link it. Of course this could be a problem if another person wants to log in with the same username.
The smartest thing is to retrieve some information from the user's account so you have some values you can see are the same. And then you can link them inside.
You could look at this
Windows Azure Multi-Factor Authentication: http://www.windowsazure.com/en-us/documentation/services/multi-factor-authentication/

Is there a standard for using credentials from one web app to automatically log in to a partner app?

I am developing a web app that will be working with other companies' web apps. Part of the desired user experience is that users on our web application will be able to log into our app and be able to visit our partners' web applications. Accounts will be automatically created for the users on our partners' sites. We'd like them to be able to enter the partner sites already authenticated, without having to log in or authorize anything (like with OpenID or OAuth), similar to the relationship between a bank and a credit card rewards program. Is there an existing standard that covers this?
Single Sign On is often used for such functionality.
There are a lot of implementations.
I used Jasig CAS in production.