[
https://issues.apache.org/jira/browse/FINERACT-424?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16796693#comment-16796693
]
Vishwas Babu A J commented on FINERACT-424:
-------------------------------------------
[~edcable]: For a self-service user, I would think that the authentication
should always be two-factor (i.e. "something they know" and "something they
have"). While the "something they have" has to be stored locally, the
"something they know" should not be.
For a mobile device:
* The "something they have" could be a unique identifier associated with the
Mobile device when it is first registered with the Fineract server. This would
be unique to each Mobile device the user has and would be stored on the server
side as well (Storing OAuth access and refresh tokens generated after login, as
would be the case with Fineract 1.x should work equally well IMHO)
* The "something they know" could be the passcode which is stored only on the
server.
Logging in would involve sending both pieces of information to the server (even
though the user enters only the passcode). I am not sure what is more common,
having separate passcodes for each device or having a passcode for a user.
Either way, as long as each device needs to be registered (and gets its own
unique "something they have"), I guess it shouldn't make much of a difference
from a security perspective.
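A sketch of the server side of the scheme described above, added here as an illustration and not code from Fineract or the self-service app: the device token (the "something they have") is issued at registration, the four-digit PIN (the "something they know") is stored only as a salted hash on the server, and login checks both. Because a four-digit PIN has only 10,000 possible values, the example also counts failed attempts per user and refuses PIN logins once the threshold is hit; the class, method names and threshold are assumptions for this example.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000     # work factor for the PIN hash (assumed value)
MAX_FAILED_ATTEMPTS = 5     # lockout threshold (assumed): a 4-digit PIN has only 10,000 values


class PinAuthServer:
    """Server-side state for PIN login: registered devices and per-user PIN hashes.
    The PIN itself is never stored; the device token is the 'something they have'."""

    def __init__(self):
        self.devices = {}    # device_token -> username
        self.pins = {}       # username -> (salt, pbkdf2 hash of the PIN)
        self.failures = {}   # username -> consecutive failed PIN attempts

    def register_device(self, username):
        """Called once per device after a full login; returns the secret the device stores."""
        token = secrets.token_urlsafe(32)
        self.devices[token] = username
        return token

    def set_pin(self, username, pin):
        """Store the PIN as a salted hash so a database leak does not expose it."""
        if not (pin.isdigit() and len(pin) == 4):
            raise ValueError("PIN must be exactly four digits")
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)
        self.pins[username] = (salt, digest)
        self.failures[username] = 0

    def login(self, device_token, pin):
        """Check both factors on the server; return the username on success, else None."""
        username = self.devices.get(device_token)
        if username is None or username not in self.pins:
            return None      # unregistered device, or no PIN set yet
        if self.failures[username] >= MAX_FAILED_ATTEMPTS:
            return None      # locked out: the user must fully re-authenticate
        salt, expected = self.pins[username]
        candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)
        if hmac.compare_digest(candidate, expected):
            self.failures[username] = 0
            return username
        self.failures[username] += 1
        return None
```

Since the PIN is keyed by user rather than by device, a second registered device of the same user logs in with the same PIN, which is the "shared across phones" behaviour the issue asks for.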
> SELF-SERVICE: store 4 digit pin on back-end
> -------------------------------------------
>
> Key: FINERACT-424
> URL: https://issues.apache.org/jira/browse/FINERACT-424
> Project: Apache Fineract
> Issue Type: New Feature
> Reporter: Edward Cable
> Assignee: Markus Geiss
> Priority: Major
> Labels: gsoc, p3
>
> First off, in order to make it easier for a user to log in and not have to
> fully authenticate themselves each time they leave the self-service app, we
> wanted to enable a 4 digit pin code that could be used to log in to the app
> (once fully authenticated for a first time). This is pretty standard practice
> in banking apps.
> We didn't want to store that locally since it wouldn't be secure on phones
> that are rooted.
> With that constraint, we need to be able to store this pin on the back-end -
> then it can also be shared across phones as well.
> See https://github.com/openMF/self-service-app/issues/115 and
> https://github.com/openMF/self-service-app/issues/132
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)