
I'm currently working on an Android app in which I want to authenticate someone against a REST API. I want to do this as securely as is (cost-)effective/possible/user-friendly.

I've been looking around and found that 2FA (two-factor authentication) seems the most viable solution (after initiating the sign-up process I'll send a POST to the REST API to store device data and give the device a token that is generated from the device information, and then send an SMS with a different token to the phone, which the user then has to enter (likely TOTP)). SSL is used whilst communicating with the remote API.

My question to you is: is it worth the effort to look into biometrics? There are just so many possibilities to do this:

  • Voice
  • Gestures
  • Fingerprints (seems very unsafe; Mythbusters 2006 episode)
  • A picture of the user (since a 'selfie' is a thing, but has to be monitored if no proper matching software is found).
  • and I'm probably forgetting a few more now...

Thanks for the help.

Orion

1 Answer


First, what you are initially describing is not two-factor authentication. It is two instances of "what you have". The phone contains a token, so you have to have the phone with the token. The phone also receives SMS messages, so you have to have the phone. Not only is it two things you must have (TFA must be two different factors), but it is the same thing that they must have, rendering it completely useless to do both.

Second, biometrics is not likely practical. You would need a common client that would be available on all the devices, and designing such an interface would be technically complicated (most likely requiring third-party software). Why not just use a password? That's something the user knows and would be another factor. If you have two factors, it is generally not considered worth it to bother with a third unless it is trivial to do so, and in this case, it is not.

AJ Henderson
  • We do force the user to enter a PIN after install and use that to sign into the app. We do however give the user the option to turn the PIN off. We also send the user a letter containing information for the initial signing in for accessing sensitive data. – Orion Jun 24 '14 at 14:40
  • I would also add, "if you have to ask if it is worth the effort, then for you it isn't". Biometrics is hard, with an unreliability factor. Unless you have a specific reason for engaging in biometrics, look elsewhere. – schroeder Jun 24 '14 at 16:24
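As an added illustration of the answer's point (example code, not from the question, the answer or any project): a server-side login that requires a password (something the user knows) plus an RFC 6238 TOTP code (something the user has), and a check that rejects any pair of factors from the same category, such as the device token plus SMS code from the question. The salt, password and factor table are constructed values; the TOTP secret is the RFC 6238 test secret so the codes can be checked against the RFC's published vectors.

```python
import hashlib
import hmac
import struct

# Constructed sample credentials (not from the original post).
SALT = b"constructed-salt"
PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000)
# RFC 6238 test secret; in practice a per-user random secret shared with the phone app.
TOTP_SECRET = b"12345678901234567890"

# The answer's point: a device token and an SMS code are both "something you have".
FACTOR_CATEGORY = {"password": "knowledge", "device_token": "possession",
                   "sms_code": "possession", "totp": "possession"}


def is_two_factor(factors) -> bool:
    """Two checks only count as 2FA when they come from different categories."""
    return len({FACTOR_CATEGORY[f] for f in factors}) >= 2


def verify_password(candidate: str) -> bool:
    """Factor 1 (knowledge): PBKDF2 hash compared in constant time."""
    h = hashlib.pbkdf2_hmac("sha256", candidate.encode(), SALT, 100_000)
    return hmac.compare_digest(h, PASSWORD_HASH)


def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second step counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(code: str, now: float, window: int = 1) -> bool:
    """Factor 2 (possession): accept the current step and +/- one step of clock skew."""
    step = int(now // 30)
    return any(hmac.compare_digest(totp(TOTP_SECRET, step + d), code)
               for d in range(-window, window + 1))


def login(password: str, code: str, now: float) -> bool:
    """Both factors must pass, and they are from distinct categories by construction."""
    assert is_two_factor(["password", "totp"])
    return verify_password(password) and verify_totp(code, now)


if __name__ == "__main__":
    print(is_two_factor(["device_token", "sms_code"]))   # False: same category
    print(login("correct horse", totp(TOTP_SECRET, 1), 59.0))  # True
```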