Yes it does because

  1. The customer has the physical iPhone
  2. The customer 'is' the owner of the fingerprint

But no it doesn't because

1 => 2: If you steal the customer's iPhone, the fingerprint is now something you can get.

The UK Financial Conduct Authority have, for instance, approved Starling Bank which is advertising precisely this mechanism. I'm sure they aren't the only bank. But access to a bank account would justify the cost of forging a fingerprint.

Chris F Carroll

1 Answer

The language around multi-factor authentication isn't really designed for objects that you have physical custody of and log in to directly. The security calculus of MFA usually assumes a system that anyone can attempt to log into at any time (and which services authentication requests for many users simultaneously). You might as well say that my laptop uses multi-factor authentication, since logging into it requires the laptop itself and knowledge of the password.

If your phone also has a passcode, that would be a better example. In that case, the print is something you are and the passcode is something you know. The fact that somebody can dust your phone for prints doesn't change the theory there, it just demonstrates the importance of token management.

Bandrami
  • I don't know. "The System" that the user is logging into is the bank. That system will reject an attempt to log in (at least to that user's account) if it doesn't come from this physical device. To that extent, I think that's much better security than a web interface. My nagging doubt is over whether the fingerprint can count as a second factor given the risk of it being recoverable from the device – Chris F Carroll Oct 13 '18 at 11:24
  • Could you quote a source for "The language around multi-factor authentication isn't really designed for ..." and "The security calculus of MFA usually assumes ..."? – Chris F Carroll Oct 13 '18 at 11:30
  • I mean, "the language around MFA" is the source. Custody of the device you're logging into directly is already a single factor, and the password is a second. MFA was developed to bring remote logins to something closer to that level of security. The regulatory requirements for multifactor began with online banking in the mid-oughts, and the DFARS regs currently only require multi-factor for remote logins to systems and not console logins (because, again, custody/physical presence is already a factor) – Bandrami Oct 14 '18 at 20:33
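To make the point of the answer and the comments concrete, here is an added simulation (not code from the question or answer authors, and not any bank's real protocol). It assumes a device-bound key that never leaves the phone: the bank only ever verifies a MAC over a fresh nonce, and the fingerprint and passcode are purely local gates on whether that key may be used. HMAC-SHA256 stands in for a Secure-Enclave-style signature, an exact byte comparison stands in for the sensor's fuzzy template match, and all key and template values are constructed samples. The scenarios show custody of the enrolled device being the factor the bank actually checks, a recoverable fingerprint adding nothing beyond custody once the device is in someone else's hands, and a passcode being the independent "something you know" that the answer recommends.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed model (assumption, not a real banking protocol): the bank never
# sees the fingerprint. It only checks a MAC over a fresh nonce, made with a
# key that exists on exactly one enrolled device. Biometric and passcode
# checks decide whether that key may be used locally.


def device_sign(device_key: bytes, nonce: bytes) -> bytes:
    """HMAC-SHA256 stands in for a Secure-Enclave-style device signature."""
    return hmac.new(device_key, nonce, hashlib.sha256).digest()


def hash_passcode(passcode: str) -> bytes:
    """Plain SHA-256 for the simulation; a real device uses a hardware-rate-limited KDF."""
    return hashlib.sha256(passcode.encode()).digest()


class Bank:
    """Server side: stores one device key per account and checks challenge responses."""

    def __init__(self) -> None:
        self.device_keys: dict[str, bytes] = {}

    def enroll(self, account: str, device_key: bytes) -> None:
        self.device_keys[account] = device_key

    def challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def verify(self, account: str, nonce: bytes, response: Optional[bytes]) -> bool:
        key = self.device_keys.get(account)
        if key is None or response is None:
            return False
        return hmac.compare_digest(device_sign(key, nonce), response)


@dataclass
class Phone:
    """Client side: holds the device key plus the local unlock secrets."""
    account: str
    device_key: bytes
    fingerprint_template: bytes
    passcode_hash: Optional[bytes] = None  # None means no passcode set

    def unlocked(self, fingerprint: bytes, passcode: Optional[str]) -> bool:
        # Exact match stands in for the sensor's fuzzy template comparison.
        if not hmac.compare_digest(self.fingerprint_template, fingerprint):
            return False
        if self.passcode_hash is None:
            return True
        if passcode is None:
            return False
        return hmac.compare_digest(self.passcode_hash, hash_passcode(passcode))

    def respond(self, nonce: bytes, fingerprint: bytes,
                passcode: Optional[str] = None) -> Optional[bytes]:
        # The device key is only used once the local gates have passed.
        if not self.unlocked(fingerprint, passcode):
            return None
        return device_sign(self.device_key, nonce)


def login(bank: Bank, phone: Phone, fingerprint: bytes,
          passcode: Optional[str] = None) -> bool:
    """One challenge/response round trip; True if the bank accepts it."""
    nonce = bank.challenge()
    return bank.verify(phone.account, nonce, phone.respond(nonce, fingerprint, passcode))


def run_scenarios() -> dict[str, bool]:
    """Constructed sample values; returns which login attempts the bank accepts."""
    bank = Bank()
    owner_print = b"constructed-fingerprint-template"
    enrolled = Phone("alice", secrets.token_bytes(32), owner_print)
    bank.enroll("alice", enrolled.device_key)
    other_device = Phone("alice", secrets.token_bytes(32), owner_print)  # never enrolled
    with_passcode = Phone("alice", enrolled.device_key, owner_print, hash_passcode("2468"))

    return {
        # Custody of the enrolled device is what the bank actually checks.
        "owner_on_own_phone": login(bank, enrolled, owner_print),
        "right_print_but_unenrolled_device": login(bank, other_device, owner_print),
        # A print recoverable from the device adds nothing beyond custody of it.
        "stolen_phone_recovered_print": login(bank, enrolled, owner_print),
        # A passcode is the independent factor the answer describes.
        "stolen_phone_recovered_print_passcode_set": login(bank, with_passcode, owner_print),
        "owner_print_and_passcode": login(bank, with_passcode, owner_print, "2468"),
    }


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The server-side check in `Bank.verify` is the only place the bank makes a decision, and it never learns anything about the fingerprint; that is why, in this model, the device rather than the biometric is the factor that survives theft of the phone.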