Posted to dev@fineract.apache.org by Ed Cable <ed...@mifos.org> on 2017/04/14 15:48:28 UTC

REQUEST: Store 4-digit pin code on back-end for self-service login

Hi Nazeer,

Per our discussions, I wanted to send some further details on the dev list
about the requirements and conversations the mobile developers working on
the Android self-service app have been having.

First off, in order to make it easier for a user to log in and not have to
fully authenticate themselves each time they leave the self-service app, we
wanted to enable a 4 digit pin code that could be used to log in to the app
(once fully authenticated for a first time). This is pretty standard
practice in banking apps.

We didn't want to store that locally since it wouldn't be secure on phones
that are rooted.

With that constraint, we need to be able to store this pin on the back-end
- then it can also be shared across phones as well.

I'll let Rajan, Ishan, and Puneet and others chime in with more details
about access token that gets generated, its validity etc.

A couple of GSOC aspirants have already begun work on the creation and
entry of the pin via the app on the phone but we need your assistance in
storing it at the back-end.

I've created a ticket at: https://issues.apache.org/jira/browse/FINERACT-424

Discussion surrounding those tickets can be found at
https://github.com/openMF/self-service-app/issues/115 and
https://github.com/openMF/self-service-app/issues/132

Ed

-- 
*Ed Cable*
President/CEO, Mifos Initiative
edcable@mifos.org | Skype: edcable | Mobile: +1.484.477.8649

*Collectively Creating a World of 3 Billion Maries | *http://mifos.org
<http://facebook.com/mifos>  <http://www.twitter.com/mifos>

RE: REQUEST: Store 4-digit pin code on back-end for self-service login

Posted by Shaik Nazeer <na...@confluxtechnologies.com>.
Hi Ed,

I will add that support. How does the SSU app authenticate the login with only a PIN?

Regards,
Nazeer

Re: [Mifos-developer] REQUEST: Store 4-digit pin code on back-end for self-service login

Posted by Myrle Krantz <my...@apache.org>.
Just a thought: Security doesn't seem like a very good argument here.
If it's input on the device in hand then it will at some point be
stored locally, even if it's only temporary.  By saving the pin on the
server you are creating a lot more places where it would be stored at
least temporarily and therefore a lot more "attack surface".  Of
course you can talk about hashing/salting/encrypting to reduce that
attack surface, but those are all things you can do locally too.

Local is the only place you absolutely cannot avoid having it in plain
text at some point (however brief) because it is being input there.

Greets,
Myrle

On Mon, Apr 24, 2017 at 8:54 AM, Ed Cable <ed...@mifos.org> wrote:
> Shiv,
>
> I agree that I wouldn't want log-in to be dependent on network
> connectivity. I also don't believe that the pin needs to be shareable
> across devices, as it's most typical that the 4-digit pin only works for the
> device that you're setting it up on.
>
> The reason why we were proposing storing the 4-digit pin on the server was
> because it was insecure if stored locally if a device was rooted and the
> pin could be accessed.
>
> Ishan - there is no way the 4-digit pin could be stored locally in a secure
> manner?
>
> Sander and others, based on what you've built into your self-service apps,
> can you add your thoughts to this thread?
>
> Thanks,
>
> Ed
>
> On Sun, Apr 16, 2017 at 10:02 PM, SHIV ARORA <sh...@gmail.com>
> wrote:
>
>> If we store the pin on the server then the app will be dependent on network
>> connectivity. I think this passcode feature should work irrespective of
>> whether internet access is available or not. In further stages, we would give
>> the app an offline access feature. So I think network dependency for this
>> feature is not a good option.
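To make the hashing/salting point and the server-side proposal concrete, here is an added example (not code from this thread, from Fineract or from the self-service app) of what a back-end PIN record and its verification could look like: a salted PBKDF2 digest, a constant-time compare, and a failed-attempt lockout. The `MAX_FAILED_ATTEMPTS` policy, the iteration count and all function names are assumptions; the example also shows why, with only 10,000 possible 4-digit PINs, the attempt limit rather than the hash is the control that bounds guessing.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

PIN_KEYSPACE = 10 ** 4        # a 4-digit PIN has only 10,000 possible values
MAX_FAILED_ATTEMPTS = 5       # assumed policy, not something the thread specifies
PBKDF2_ITERATIONS = 100_000   # assumed work factor


@dataclass
class PinRecord:
    """What the back-end would persist per user (hypothetical layout)."""
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked: bool = False


def _derive(pin: str, salt: bytes) -> bytes:
    # Salted, slow hash so two users with the same PIN get different digests.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)


def enroll_pin(pin: str) -> PinRecord:
    """Create the record when the user sets a PIN after a full authentication."""
    if not (len(pin) == 4 and pin.isdigit()):
        raise ValueError("PIN must be exactly 4 digits")
    salt = secrets.token_bytes(16)
    return PinRecord(salt=salt, digest=_derive(pin, salt))


def verify_pin(record: PinRecord, attempt: str) -> bool:
    """Server-side check with a lockout counter.

    Hashing alone does not keep a 4-digit PIN secret from anyone who holds the
    record, because every one of the 10,000 candidates can be hashed and compared.
    The lockout is what limits online guessing, and a server can enforce it
    where a rooted device cannot be trusted to.
    """
    if record.locked:
        return False
    if hmac.compare_digest(_derive(attempt, record.salt), record.digest):
        record.failed_attempts = 0
        return True
    record.failed_attempts += 1
    if record.failed_attempts >= MAX_FAILED_ATTEMPTS:
        record.locked = True
    return False


def guess_success_probability(attempts_allowed: int) -> float:
    """Chance a guesser succeeds before lockout against a uniformly random PIN."""
    return attempts_allowed / PIN_KEYSPACE
```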

Re: [Mifos-developer] REQUEST: Store 4-digit pin code on back-end for self-service login

Posted by Ed Cable <ed...@mifos.org>.
Shiv,

I agree that I wouldn't want log-in to be dependent on network
connectivity. I also don't believe that the pin needs to be shareable
across devices, as it's most typical that the 4-digit pin only works for the
device that you're setting it up on.

The reason why we were proposing storing the 4-digit pin on the server was
that it would be insecure if stored locally: if a device was rooted, the
pin could be accessed.

Ishan - is there no way the 4-digit pin could be stored locally in a secure
manner?

Sander and others, based on what you've built into your self-service apps,
can you add your thoughts to this thread?

Thanks,

Ed

On Sun, Apr 16, 2017 at 10:02 PM, SHIV ARORA <sh...@gmail.com>
wrote:

> If we store the pin on the server then the app will be dependent on network
> connectivity. I think this passcode feature should work irrespective of
> whether internet access is available or not. In further stages, we would give
> the app an offline access feature. So I think network dependency for this
> feature is not a good option.

Re: [Mifos-developer] REQUEST: Store 4-digit pin code on back-end for self-service login

Posted by se...@singo.co.tz.
The question will be ... if it has to work completely offline... how 
would it serve by giving... accurate account balance etc...

On another note;

I have a certain international bank app... whereby it allows PIN  
"OR" fingerprint authentication.... so the trick is just to be able to 
read what the fingerprint authentication has returned, is it OK or not...  at 
least the test was on an iOS device! But I believe on Android it should be 
okay too..

But you have to register to allow that authentication method on your 
device before using it... meaning a user who hasn't registered it won't 
be allowed...

Regards
Sendoro

On 2017-04-17 05:02, SHIV ARORA wrote:
> If we store the pin on the server then the app will be dependent on
> network connectivity. I think this passcode feature should work
> irrespective of whether internet access is available or not. In further
> stages, we would give the app an offline access feature. So I think
> network dependency for this feature is not a good option.