0

Yes it does because

  1. I 'have' the physical device
  2. I 'am' the owner of the fingerprint

But no it doesn't because

1=>2 : If you have my device the fingerprint is now something you can get.

Which makes me unwilling to install banking or payment apps on my phone. I'd want a separate physical dongle. Access to a bank account would justify the cost of forging a fingerprint.

schroeder
  • 123,438
  • 55
  • 284
  • 319
Chris F Carroll
  • 131
  • 5
  • If you only log with a fingerprint, then that's only one factor *if you are logging into the device*. The authentication process cannot be considered a factor in MFA else all authentication processes are inherently MFA. – schroeder Oct 12 '18 at 14:58
  • @schroeder you have changed the question fundamentally. You are now asking "Does the iphone count as a factor when logging into the iphone". I am asking "Does the fingerprint still count as a factor when the iphone is itself a factor for logging into a banking system." – Chris F Carroll Oct 13 '18 at 11:42
  • Ok, that's one of the open questions and confusions I was talking about: "what are you logging into?" Are you logging into the banking app on the phone or are you logging into a banking system outside of the phone? – schroeder Oct 13 '18 at 12:11
  • Noted, I take your point. I'll think it through and then do a new question with better precision. – Chris F Carroll Oct 13 '18 at 12:13

1 Answers1

1

I would say no.

To quote StackOverflow:

Authentication is the process of ascertaining that somebody really is who he claims to be.

Only by posessing the phone I cannot be sure that you are who you claim to be.

Tobias
  • 143
  • 7
  • But that's where the fingerprint comes in. With the unique fingerprint you try to prove that you are who you claim to be. Sure the fingerprint can be captured from the smartphone itself but that's technically another point. – Nico Oct 12 '18 at 08:40
  • Yes, but the fingerprint is one factor. What is the second factor? In my eyes obtaining the phone isn't one. If you would combine the fingerprint with a password, this would be a second factor. – Tobias Oct 12 '18 at 08:54
  • That's true. I didn't think about it that way... Considering this, I would also say it's no 2FA. – Nico Oct 12 '18 at 09:24
  • The phone is a factor. It's a physical device. Loads of Auth providers offer "phone" as a physical factor alternative to an OTP dongle – Chris F Carroll Oct 12 '18 at 13:59
  • 1
    @ChrisFCarroll in your question, are you asking about logging into the phone? Or using the phone as a factor in another authentication process? – schroeder Oct 12 '18 at 14:11
  • @ChrisFCarroll yes, but here it is not the phone that is used as factor - it is a fingerprint that i swipe on this phone. The question is: is the combination of both factors unique? Can I use the fingerprint to login with another device? – Tobias Oct 15 '18 at 09:34