Extra step to view PIN on iOS


(Mark Stickley) #1

Hi folks, just got my current account card and so was poking around in the app. Great that I can see my PIN and even enable viewing it with Touch ID. Tap, Touch ID, view.

But when Touch ID is actually Face ID and you don’t have to actually perform a conscious action to unlock it, it’s possible to accidentally touch the PIN button and then immediately have your PIN on display for all to see!

Perhaps an extra step would help make it a little more secure - e.g. after Touch / Face ID verification the PIN is only visible when pressing down on a button and hides again when you lift your thumb?

Thanks!


(Colin Robinson) #2

Or they make it work the same way as purchases from the app store? Double click the side button (for consistency).


(Mark Stickley) #3

Yep. Anything to make it harder to show accidentally. I have no idea if as a developer you have access to the side button in the same way Apple does, or if Apple would like the re-appropriation of that particular action - maybe something for the team to investigate :slight_smile:

Importantly though, using a mechanism like holding down an on-screen button to view would work on all iPhones and so there would be no iPhone X specific code required.


(Jon) #4

Would this be the same when sending payments as well where the Face ID would automatically verify and send the payment without any actual user interaction?


(Mark Stickley) #5

With sending payments there is at least some setup first, you have to choose a recipient and an amount. It’s not a single (potentially erroneous) tap, so I don’t think the risk of accidental verification would be as high - you have already indicated intent.


(Harry) #6

I have the iPhone X and you don’t have the final step to verify the details like you do with Touch ID as Face ID verifies as soon as you press next.

Yes, it’s quick but I do think there needs to be something implemented such as a double click of the side button like you do for App Store or Apple Pay purchases (as someone mentioned earlier).


(Rika Raybould) #7

I took a look into this earlier but it doesn’t look like the double side button click method is possible for 3rd party applications at this time. :disappointed:

In general, this gets back to the long running debate between security/privacy and convenience. We can certainly take another look at this given the differences between Face ID and Touch ID. :+1:


#8

Personally, when I am in a banking app I want as little friction as possible and not to be asked for passwords or a code to carry out functions; recording a selfie or video to get your card PIN is overkill. Better to move such security to getting into the app so there is less need for it when you are in it.


(Harry) #9

It would be good to have just an additional page so you can verify the sort code/account no/reference/amount all in one place before pressing next for Face ID to kick in!


(Allie) #10

But 99.9% of the time (at least, I doubt you’d even need your PIN one in a thousand app launches) you won’t need to do something as high-risk as getting your PIN. Most app launches, you just want low risk things (look at recent transactions). The phone itself, with a secure lock screen, is far more than secure enough to protect this task. Remember, the lock screen alone is all that protects Android Pay, a far higher risk item (not even the lock screen for purchases up to £30 in the UK market, as there’s a £30 CVM waiver for contactless and Android Pay recognises this and allows no CVM to be presented without unlocking)… and your email, which is incredibly high risk.

It makes sense to push people through klutzy additional authentication only when really needed, not for every app launch.