Is Touch ID Safe ?

FIAKS Community Experts participated in the e-Panel discussions:

Mr Rishi Prakash Mantri, Senior Vice President (Digital Payment – Solutions & Design, YES Bank
Mr Shashank Kumar, Co-Founder at Razorpay
Mr Hemal Shah, Technical Product Manager, Mastercard
Mr Sony A, Head – Digital, South Indian Bank
Mr Vijay Shekhar Sharma, Founder One97 & Paytm
Mr Shubhrant Singh, Vice President, Yes Bank
Mr Sanjay Swamy, Managing Partner & Co-Founder, PRIME Venture Partners
Mr Srinivasu MN, Co-Founder, Bill Desk
Mr Vikas Pahwa, Vice President Transaction Banking, Citi
Mr Manoj Acharekar, Associate Director-Digital Banking, Standard Chartered Bank
Mr Ram Ramachandran, Chief Operating Officer – Spirituspay

Several other CEO/CXO Bankers & Fintech professional on FIAKS Forum

FIAKS community Question

Touch ID of iPhone used by leading MNC & Private banks to login into internet banking? How safe is it? Can Banks give written undertaking to its customers that their fingerprint is not stored anywhere and its never backed-up on any iCloud or anywhere else and can’t be used to match against other fingerprint databases?

FIAKS Community Discussions

A community member said the question here should have been how does the Touch ID work and is there a chance that the app collecting the Touch ID data can misuse it?

Kindly note in case of Touch ID, any app cannot collect the fingerprints as these never leaves the physical device. The user can store one or more fingerprint in the device which can be used later by the Apps for authentication purpose. While authentication the apps also authenticate device id and or app id along with the fingerprint match to make it more secure.

A community member said when mobile device store our fingerprint to authenticate credentials on banking application then why so much resistance on Aadhaar is being used for the same purpose? To which it was said it is more political than legal or anything else for that matter. The kind of “silent whispers” is getting more amplified as the day passes by post the Verdict.

One gets to wonder whether the “articulation or echoing of such confidence-building affirmations” existed before the verdict? If so then why the gravitas of the use-cases & security aspects were not amplified by the user Community? The Government was fighting it all alone. The “naysayers” were seen all around and were hitting Aadhaar “out of the park”. Be it the use cases or the “users” Did anyone do even a symbolic “candlelight march” in support of Aadhaar? I am afraid no.

Member said as an industry if we are to be able to work with the Regulators to come up with a framework that aids the fintech industry in leveraging Aadhaar. We need to get to a better understanding and articulation of the privacy debate & aspects related to the mandatory/non-mandatory use of Aadhaar. Touch IDs, bank services, office bio-metric based attendance systems etc are very different issues.

FIAKS community expert said these apps use native device’s touch feature, not take biometric in the cloud. So logically no biometric went beyond your own device’s secure module (chip). On Touch ID member said at the outset there is no prima facie case here for the Banks to confirm. Banks do not have privy to Mobile Devices or its systems. In fact, we live in a world where Banks think twice to confirm their systems about which they and only they have full access & privy!

When Aadhaar first came there was no clause that clarified “who owns the responsibility of authenticating the biometric? “. It was later this came about and post which Banks & other Institutions were “more forthcoming”. Banks can confirm if they own up the “authentication responsibility”. But to own up they should have access & be privy to the CIDR Which is not the case with UIDAI and so is the case with Mobiles. Isn’t Touch ID important for people who were raising privacy issue on Aadhar?

Member tried to explain that the fingerprint is captured once – during enrolment. That fingerprint data is stored at UIDAI’s server. Subsequently, when a company does KYC or authentication with the fingerprint, the image is captured on the sensor and encrypted with UIDAI’s public key on the device – and only the encrypted packet is sent to the UIDAI. The Telco or bank or whoever is requesting auth NEVER gets to see the data. Upon authentication, success or failure of the same is returned by UIDAI. Nobody else sees the Fingerprint since it can only be decrypted by UIDAI’s private key.

This is a very simplistic view of the world – and completely misses the point that Aadhaar brings to the table, which is verification of a Government issued ID that is valid in a court of law. TouchID has no legal locus stand and cannot be used by anyone for account opening – its only for transactions and typically is in addition to a password or a PIN that is verified once.

On the touch ID-based access to the financial app, how can the bank be sure if its the customer who is authenticating? It could be your spouse too. Isn’t it?

Member shared following details from Apple’s website – “Your fingerprint data is encrypted, stored on the device, and protected with a key available only to the Secure Enclave. Your fingerprint data is used only by the Secure Enclave to verify that your fingerprint matches the enrolled fingerprint data. It can’t be accessed by the OS on your device or by any applications running on it. It’s never stored on Apple servers, it’s never backed up to iCloud or anywhere else, and it can’t be used to match against other fingerprint databases.”

5 things are key in security:

who are you? (id proof)
what do you have? (debit card details)
where are you? (geolocation)
what do you know? (PIN)
and last how do you behave? (behavior auth)

If you have means to capture these 5, though a guarantee cannot be given, a high assurance can be always be given. Responding to it member said it is an existing fingerprint on the device which gets registered. it is not finger specific which you used for touch login registration. If someone already allowing others to add fingerprint then there is no mechanism to identify user vis a vis if the fingerprint is added deleted later on then it should not work. I think this is an existing feature of the framework.

FIAKS Community expert shared the link on FIDO and said the below link provides answers to all. https://fidoalliance.org/how-fido-works/

FIDO is the World’s Largest Ecosystem for Standards-Based, Interoperable Authentication. The specifications and certifications from the FIDO Alliance enable an interoperable ecosystem of hardware-, mobile- and biometrics-based authenticators that can be used with many apps and websites. This ecosystem enables enterprises and service providers to deploy strong authentication solutions that reduce reliance on passwords and protect against phishing, man-in-the-middle and replay attacks using stolen passwords.

What Makes FIDO Different?

The core ideas driving FIDO are (1) ease of use, (2) privacy and security, and (3) standardization. For implementing authentication beyond a password (and perhaps an OTP), companies have traditionally been faced with an entire stack of proprietary clients and protocols.FIDO changes this by standardizing the client and protocol layers. This ignites a thriving ecosystem of client authentication methods such as biometrics, PINs and second–factors that can be used with a variety of online services in an interoperable manner.