
Background: My team's mobile apps have biometric sign in (Touch ID, Face ID, fingerprint). You can enable and disable biometric sign in when you are signed in. You always have the option to sign in with username and password (and have to in many scenarios, if for instance your fingerprints on the device were updated).

The question is, say a user that has biometric sign in enabled goes through a password reset. There are two paths I can see:

A) Keep allowing them to sign in with biometric (Touch ID, Face ID, fingerprint). Password reset is unrelated to biometric sign in.

B) Don't allow them to sign in with biometric until they have successfully signed in with the reset password.

I'm in camp B but I can't say why exactly beyond it feels more secure. Is there any best practice here?

If this question has already been answered somewhere, or this is not the right community, please point me to the right place :)

Thanks

Edit: I've noticed a few apps fall into camp A so I'm leaning that direction now. Still curious what others think though, or if I'm overthinking this ha.

Aaron B
To be honest, I don't see any security benefit of either of the two options over the other one. On the flip side, option A keeps it more usable. – Limit May 12 '20 at 19:02

2 Answers


Based on your description, biometric and username/password appear to be independent authentication factors (option A). That is, if either one of them can be used to sign in and one factor is enough, then you should keep them independent for the recovery/reset process. Resetting a factor (password or biometric) should not impact the other factor.

User perspective: I forgot my password but I still have my biometric so I am going to use it to sign in and use the app. Once I am signed in, I can hopefully change my password with fewer identity-proofing steps versus a reset.

Attacker perspective: it depends on the threat model. Given physical access to the device, recovering a biometric or using a synthesized biometric to authenticate is possible but is it worth it? The answer to this question would have to come from a risk assessment of your app and associated assets, including the identity of the user.

Operational perspective: are your users going to be contacting you/Operations/Helpdesk if they aren't able to sign in because you shut off their biometric when they forgot their password and attempt to reset it? That would be expensive for Operations (each "call" costs money) + encourage more social engineering attempts.

Brand / reputation: If you shut off their biometric and self-service password reset has challenges, that sounds worse than option A. Could they be leaving angry reviews in an app store or complaining to your management / client in a corporate environment? That would be expensive to your personal brand or your company or your client.

You didn't say how the password reset works but it's worth mentioning that using a biometric to reset the password is definitely a good idea. NIST 800-63b, section 6.1.2.3 (Replacement of Lost Authentication Factor):

Replacement of a lost (i.e., forgotten) memorized secret is problematic because it is very common. Additional “backup” memorized secrets do not mitigate this because they are just as likely to also have been forgotten. If a biometric is bound to the account, the biometric and associated physical authenticator SHOULD be used to establish a new memorized secret.

identigral
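The two policies from the question as a small server-side model, added here as an example rather than code from the question's app or from this answer; the names (`Account`, `DeviceCredential`, `reset_password`) and the device-token design are assumptions. It shows that option B amounts to the server revoking the device's biometric-backed credential, and that option A simply leaves that credential in place.

```python
from dataclasses import dataclass, field
import hashlib
import hmac
import secrets

@dataclass
class DeviceCredential:
    token_hash: str   # server stores only a hash of the device token
    generation: int   # account credential generation it was issued under

@dataclass
class Account:
    password_hash: str
    generation: int = 0  # bumped by a reset under policy B
    devices: dict = field(default_factory=dict)

def _digest(value: str) -> str:
    # Illustrative only: a real password store uses a slow KDF (scrypt/argon2).
    return hashlib.sha256(value.encode()).hexdigest()

def new_account(password: str) -> Account:
    return Account(password_hash=_digest(password))

def sign_in_password(acct: Account, password: str) -> bool:
    return hmac.compare_digest(acct.password_hash, _digest(password))

def enroll_biometric(acct: Account, device_id: str) -> str:
    # Only reachable from an authenticated session, as in the question.
    token = secrets.token_urlsafe(32)
    acct.devices[device_id] = DeviceCredential(_digest(token), acct.generation)
    return token  # the app keeps this behind the OS biometric prompt

def sign_in_biometric(acct: Account, device_id: str, token: str) -> bool:
    cred = acct.devices.get(device_id)
    if cred is None or not hmac.compare_digest(cred.token_hash, _digest(token)):
        return False
    # Policy B is enforced here, not by a flag in the app: a credential issued
    # under an older generation is rejected until the user re-enrolls.
    return cred.generation == acct.generation

def reset_password(acct: Account, new_password: str, policy: str) -> None:
    acct.password_hash = _digest(new_password)
    if policy == "B":
        acct.generation += 1  # policy A leaves device credentials untouched
```

Under policy B the device credential only becomes valid again after the user signs in with the new password and re-enrolls, which is the sequence the question describes.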

Passwords are something you know, biometrics are something you are, and using both is considered multi-factor authentication.

have to [sign in with username and password] in many scenarios, if for instance your fingerprints on the device were updated

If you have a requirement that states the user needs to utilize something you know (the weakest factor) to authenticate when they change something you are (the strongest factor), then why not have them use something you are to authenticate when they change something you know?

If you don't have the user utilize any other factors (somewhere you are, something you do, or something you have), option "B" means that resetting the password is a way to take advantage of only needing the weaker of the two factors.

iraleigh