MSE News: Bank customers promised access to all their accounts via one app
Comments
-
»Biometric security - fingerprint, voice, face recognition
All of which are totally unsuited to be "security" if they're being used to replace passwords. User IDs, maybe, but not passwords.
Back to the original point of banks spending money on technology, I'd rather they be spending it on sorting out their current ancient back-ends to prevent recurrences of the Natwest and RBS fiascos when they had their DOSs.
Conjugating the verb 'to be':
- I am humble
- You are attention seeking
- She is Nadine Dorries
-
Paul_Herring wrote: »All of which are totally unsuited to be "security" if they're being used to replace passwords. User IDs, maybe, but not passwords.
I am already using fingerprint access on a couple of mobile banking apps, and I am not the only one.
-
Doshwaster wrote: »I'd like to see moving accounts made easier but I'm not sure what can be done. If sort codes were portable then you would need a central authority which tracked them and identified which bank they belonged to.
I can't see sort codes being portable any time soon. The first thing that came to mind is cheques which are routed to the account issuing bank via the sort code. I can't think of a practical way of doing it without the sort code.
The second thing would be the IBAN, which includes not only the sort code but the first four characters of the BIC and a check digit using both of these parts.
-
»I am already using fingerprint access on a couple of mobile banking apps,
So how do you change that password access when someone finds out what the current password is? What do you do when it comes to the 10th time you have to do it, move onto your toes?
»and I am not the only one.
I know it's new technology, and all nice and shiny, but it's not how they should be used.
Passwords should be:
1) Changeable. If the database gets hacked, your password is out there.
2) Known only to you (but see 5) and the system you're authenticating against. Someone should not be able to casually observe your password.
3) Anonymous. They should not be a single factor traceable to you
4) Different on every system you use it on. If one system gets hacked (see 1) you don't want to have to change your password everywhere else (see LinkedIn)
5) Conceivably transferable to/shared with someone else (you need to allow someone else access, you die and your next of kin can get access.)
6) Until deliberately changed (see 1,) immutable.
How many of those does a fingerprint satisfy?
To reiterate, I have no objections to the use of biometrics in general, just not for the sole purpose of authentication as in a replacement for passwords.
-
Perhaps you should be offering your consultancy to First Direct, HSBC, Atom Bank and others, who obviously got it totally wrong when they decided to implement biometric logins.
-
No surprise to see banks persisting with the current account switching service approach that customers have comprehensively rejected. Maybe eventually we'll get a more useful approach instead, like easier moving of direct debits, standing orders and payments between accounts at the direction of consumers.
The problem is not the switching service but the banks which operate it and the sometimes extreme delays in opening accounts. In my own personal experience, after being with National Girobank / Girobank plc / Alliance & Leicester / Santander for donkey's years, I set the ball rolling with a switch to smile. That switch completed but all my direct debits duplicated, so I had two instances of every direct debit. Exactly the same happened with TSB. Lloyds Bank sorted out everything except the PIN to go with the debit card. By the time I received the PIN I had already moved to Natwest. By far the worst was Tesco Bank, which took nearly 4 weeks to get a simple savings account up and running. That caused me to shelve my plans to open a Tesco Bank current account.
If Natwest can get a current account up and running in 3 working days and John Lewis Financial Services can do everything next working day, all banks should be able to do it.
The fact is that the framework of switches is in place but the banks fail in exactly the same way that they failed with the original basic bank accounts. This new initiative to have all accounts accessed by a single app will similarly fail. What the initiative shows is a government which is out of touch not only with the banks but also bank customers!
I for one will definitely not be giving all my banking details to one, single organisation and if I have to do that I'll keep my money under my mattress.
-
Paul_Herring wrote: »So how do you change that password access when someone finds out what the current password is? What do you do when it comes to the 10th time you have to do it, move onto your toes?
Your password does not need to be your fingerprint or iris. Your password can still be a password of sorts. The biometric system is used to unlock a password vault that is stored locally and possibly backed up in a pre-encrypted form. It would be quite wrong for websites to use raw biometric information as an ersatz password, and I have no idea if any are doing that.
Ideally, your "password" would be a public/private keypair and would not be known to any website you use it with to log in. All they will see/store is an identity token derived from your public key and authentication will involve cryptographic signing of a !!!!!! with your private key (which is stored on a device and protected biometrically).
-
»Perhaps you should be offering your consultancy to First Direct, HSBC, Atom Bank and others, who obviously got it totally wrong when they decided to implement biometric logins.
Why? They're going to pay just as much attention to it (and the various articles that repeat the exact same points) as some of their customers they're pushing this stuff onto who seem to accept their assertions that it's perfectly secure, when it's nothing of the kind.
»Your password does not need to be your fingerprint or iris.
Yet.
»Your password can still be a password of sorts.
At the moment.
»The biometric system is used to unlock a password vault that is stored locally and possibly backed up in a pre-encrypted form. It would be quite wrong for websites to use raw biometric information as an ersatz password, and I have no idea if any are doing that.
You credit the banks with far too much intelligence in this area.
These are the institutions that fall over because of outdated systems (Natwest, RBS), that foist unacceptable products onto their customers (PPI, interest rate swaps), that force liability back onto customers when they lose their money (chip-PIN).
This will be another scandal in the making when they turn around and say to people defrauded through this that "no-one could forge your fingerprint on your device - you're liable for any transactions made using it."
»Ideally, your "password" would be a public/private keypair and would not be known to any website you use it with to log in.
Well the public bit would.
I use that sort of authentication all the time at work.
And while I'd welcome such innovation, I won't be holding my breath for any of the banks to implement this sort of security.
»private key (which is stored on a device and protected biometrically).
No - we're going round in circles with that last bit. If you can't change it, it's not a password - it's a user id.
-
»Ideally, your "password" would be a public/private keypair and would not be known to any website you use it with to log in. All they will see/store is an identity token derived from your public key and authentication will involve cryptographic signing of a !!!!!! with your private key (which is stored on a device and protected biometrically).
Unfortunately what would happen is that a hacked system that compromises the private key will then be used for fraud and the bank will insist that you must have authorised the transaction because the private key had to have been used. If the key itself isn't compromised, a man-in-browser attack may be sufficient because the key itself isn't implicitly linked to any specific transaction properties that would prevent it from being reused for a different transaction. Though a derived token might be. Which may not help because the algorithm to go from site-provided information through private key to generate a token is presumably known and hence forged tokens are possible from a compromised key.
First Direct at least has form in this area, introducing a key card to use for logging in that could then be used to assert that all transactions in the session must have been authorised by you in spite of the known existence and use of man-in-browser attacks. The result was a system that transferred fraud risk from bank to customer. After some fuss and a year of delay they adjusted the system to also provide transaction-specific authorisation.
-
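The keypair login described in the two posts above (the bank storing only an identity token derived from the public key, the device signing a challenge, and the objection that a session-level signature can be reused for a different payment) as an added example; this is not code from any bank or poster in this thread. The Transaction type, the challenge bytes and the "challenge|payee|amount" message format are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Transaction holds the properties an authorisation must be bound to
// (constructed type for this example; a real scheme would use a canonical encoding).
type Transaction struct {
	Payee string
	Pence int64
}

// IdentityToken is all the bank needs to store: a hash of the public key.
// Nothing secret is held server-side, so a breach of the bank leaks no credential.
func IdentityToken(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// SessionSign is the weaker design: the device signs only the login challenge.
// The bank then has to assume every later transaction in the session was
// authorised, which is exactly what a man-in-browser attacker relies on.
func SessionSign(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// txMessage binds the bank's challenge to the payee and amount being approved.
func txMessage(challenge []byte, tx Transaction) []byte {
	return []byte(fmt.Sprintf("%x|%s|%d", challenge, tx.Payee, tx.Pence))
}

// TxSign is transaction-specific authorisation: the device signs the payee and
// amount it displayed, so the signature cannot be reused for another payment.
func TxSign(priv ed25519.PrivateKey, challenge []byte, tx Transaction) []byte {
	return ed25519.Sign(priv, txMessage(challenge, tx))
}

// TxVerify is the bank-side check against the enrolled public key; the
// challenge must be fresh per request so an old signature cannot be replayed.
func TxVerify(pub ed25519.PublicKey, challenge []byte, tx Transaction, sig []byte) bool {
	return ed25519.Verify(pub, txMessage(challenge, tx), sig)
}
```

Binding the signature to the payee and amount defeats reuse of an intercepted signature, but, as the post says, it does nothing against a private key that has itself been stolen; that risk is why the key lives on the device and can be revoked.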
Paul_Herring wrote: »Yet.
»At the moment.
You assert. I don't believe this will be permitted, although Brexit is a concern here - the EU was much better about championing our privacy rights than any UK Government.
»You credit the banks with far too much intelligence in this area.
No, I don't. Banks don't have a very good track record in this area. They certainly shouldn't be the architects of such systems.
»This will be another scandal in the making when they turn around and say to people defrauded through this that "no-one could forge your fingerprint on your device - you're liable for any transactions made using it."
The bank should not be party to the unlocking of the keypair. The bank could claim, "the person making the transaction provided the correct response to our challenge, therefore you have been negligent with your device", but that is no worse than what exists currently and the bank should be providing an extra level of security for transactions to new payees.
»And while I'd welcome such innovation, I won't be holding my breath for any of the banks to implement this sort of security.
I agree, but I am pointing out that such systems are available.
»No - we're going round in circles with that last bit. If you can't change it, it's not a password - it's a user id.
If you need the device and your biometric and you can revoke or wipe the keys stored on the device, then you can change it.