> an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more distinct types of evidence (or factors) to an authentication mechanism.
and concludes with (emphasis mine):
> For the average user, the smartphone has become a single point of failure, where the theft of one device and one piece of knowledge (the passcode) can lead to total financial compromise.
Looks like 2FA to me, not 1FA.
alistairSH · 38m ago
For instance on an iPhone, you can register a new face for FaceID if you know the passcode.
I stopped here... at least on iPhone, this doesn't work. When a new face is scanned into Face ID, all apps using that Face ID are supposed to (forced to?) re-authenticate.
Shank · 23m ago
You’re basically correct that apps can use a special mode where they require Face ID to be re-enrolled if anything changes about the credential store. Technically speaking it’s opt-in, but most banking apps use this mode.
AshamedCaptain · 42m ago
On Android at least, even if you know a device's PIN and can add new fingerprints, doing so will cause all apps to reject all future fingerprint authentication attempts (and force you to go through a manual re-enrolling process that will require another type of authentication, which depends on the bank).
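An added illustration (my code, not any commenter's and not Apple's or any bank's) of the opt-in mode Shank describes and the Android behaviour AshamedCaptain describes. On iOS an app binds a Keychain item to the biometric set enrolled at the time of writing by using the `.biometryCurrentSet` access-control flag; enrolling another face or finger afterwards makes the item unreadable, so the app's only path forward is its own re-enrollment flow. The service and account names are placeholders. The Android counterpart is `setInvalidatedByBiometricEnrollment(true)` on `KeyGenParameterSpec.Builder`, which is the default for auth-bound keys on API 24 and later.

```swift
import Foundation
import Security
import LocalAuthentication

// Placeholder identifiers for the example (assumptions, not a real app's values).
let keychainService = "com.example.bankapp"
let keychainAccount = "session-secret"

enum BoundSecretError: Error {
    case accessControlUnavailable
    case keychain(OSStatus)
}

/// Store `secret` so it is readable only after a successful Face ID / Touch ID check
/// against the biometric set enrolled *right now*. Enrolling another face or finger
/// later makes the item permanently unreadable (errSecItemNotFound on read), which is
/// how an app forces its own re-enrollment instead of trusting the new biometric.
func storeSecretBoundToCurrentBiometrics(_ secret: Data) throws {
    var cfError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,  // never migrates off this device
        .biometryCurrentSet,   // .biometryAny would keep working after re-enrollment
        &cfError
    ) else {
        throw BoundSecretError.accessControlUnavailable
    }

    let baseQuery: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: keychainService,
        kSecAttrAccount as String: keychainAccount,
    ]
    _ = SecItemDelete(baseQuery as CFDictionary)   // drop any previous copy first

    var addQuery = baseQuery
    addQuery[kSecAttrAccessControl as String] = access
    addQuery[kSecValueData as String] = secret
    let status = SecItemAdd(addQuery as CFDictionary, nil)
    guard status == errSecSuccess else { throw BoundSecretError.keychain(status) }
}

/// Read the secret back; iOS shows the biometric prompt. `errSecItemNotFound` after a
/// successful store means the biometric set changed: the caller should run its full
/// re-enrollment (password, server-side checks), not fall back to the device passcode.
func readSecretBoundToCurrentBiometrics(reason: String) -> Result<Data, BoundSecretError> {
    let context = LAContext()
    context.localizedReason = reason
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: keychainService,
        kSecAttrAccount as String: keychainAccount,
        kSecReturnData as String: true,
        kSecUseAuthenticationContext as String: context,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let data = item as? Data else {
        return .failure(.keychain(status))
    }
    return .success(data)
}
```

The design choice is in the flag: `.biometryAny` keeps the item usable by whoever the device's passcode holder enrols next, which is exactly the passcode-then-enrol scenario the article worries about; `.biometryCurrentSet` turns that enrolment into a loud failure the app can route to a stronger re-verification step.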
It makes the conclusions of types 1 and 4 very different.
jpc0 · 41m ago
Shoulder surfing a passcode isn’t a failure of two-factor back down to a single factor.
This would be the same as shoulder surfing your card PIN and then stealing or cloning your card. There were two factors; the attacker just has access to both.
They needed an authenticated app and the PIN at that point, which is two factors. That both are related to your iPhone means nothing; both your card’s PIN and your card are related to your card, and both can be compromised by the exact same attack with the exact same consequences.
dguest · 40m ago
I've seen a lot of services (no banks so far) move over to requiring a One Time Password in addition to a password or private key as a way to get "2 factor authentication".
Problem is, people catch on that with some `expect` scripting and a few open source packages you can still just automate it to be 1 factor, just adding a bit more complexity to eventually leak the user's credentials.
deredede · 26m ago
If people need "`expect` scripting and a few open source packages [to] automate it to be 1 factor", it is effectively 2 factor for 99.9% of the population.
Also, if someone uses a password manager to store both the password and the OTP credential, that is still an improvement in security. Intercepting (e.g. shoulder surfing) or guessing the password is no longer enough; an attacker needs to get into the password manager's vault.
pxeger1 · 53m ago
This is not a compelling argument that 2FA is reduced to 1FA. You need either: something you have (phone) and something you are (face), OR something you have (phone) and something you know (passcode). In either case, there are still two factors. For a criminal to perform shoulder surfing and theft, more things must go right for them than to do either individually.
awhitby · 45m ago
This makes some good points. Slightly off its main topic, can iOS or an app treat Face ID and passcode auth differently, or are they completely unified?
For example, it would make a lot of sense to treat them differently for Apple Pay fraud detection, since passcode + device compromise seems a lot more likely in the real world than compelled Face ID.
Edit: there's a newish feature, Stolen Device Protection, that works along these lines - https://support.apple.com/en-us/120340
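As an added example (mine, not awhitby's and not Apple's), the distinction the question asks about does exist at the app API level: `LAContext` lets an app demand biometrics only with `.deviceOwnerAuthenticationWithBiometrics`, or accept the device passcode as a fallback with `.deviceOwnerAuthentication`. The `AuthMode` enum and the helper names are my own; whether Apple Pay's fraud logic makes the same distinction internally is not something this code can show.

```swift
import LocalAuthentication

enum AuthMode {
    case biometricsOnly        // Face ID / Touch ID; no passcode button offered
    case biometricsOrPasscode  // passcode accepted as a fallback
}

/// Map the app's chosen strength to the LocalAuthentication policy.
func policy(for mode: AuthMode) -> LAPolicy {
    switch mode {
    case .biometricsOnly:       return .deviceOwnerAuthenticationWithBiometrics
    case .biometricsOrPasscode: return .deviceOwnerAuthentication
    }
}

/// Prompt the user. `completion` receives true only if the requested policy succeeded,
/// so a caller using `.biometricsOnly` cannot be satisfied by a shoulder-surfed passcode.
func authenticate(mode: AuthMode, reason: String,
                  completion: @escaping (Bool, Error?) -> Void) {
    let context = LAContext()
    let laPolicy = policy(for: mode)
    if mode == .biometricsOnly {
        context.localizedFallbackTitle = ""   // hide the "Enter Passcode" button
    }
    var checkError: NSError?
    guard context.canEvaluatePolicy(laPolicy, error: &checkError) else {
        // e.g. LAError.biometryNotAvailable or .biometryLockout: for biometricsOnly
        // this is a hard failure, not a cue to quietly downgrade to the passcode.
        completion(false, checkError)
        return
    }
    context.evaluatePolicy(laPolicy, localizedReason: reason) { success, error in
        completion(success, error)
    }
}

// Usage: a high-value action insists on biometrics; a low-value one may allow the passcode.
authenticate(mode: .biometricsOnly, reason: "Confirm transfer") { ok, err in
    print(ok ? "transfer approved" : "transfer denied: \(String(describing: err))")
}
authenticate(mode: .biometricsOrPasscode, reason: "View balance") { ok, _ in
    print(ok ? "balance shown" : "balance hidden")
}
```

One caveat worth knowing when choosing `.biometricsOnly`: after repeated failed biometric attempts iOS locks biometry at the system level, and only a passcode entry through `.deviceOwnerAuthentication` unlocks it, so an app that never offers that policy needs some other recovery path for a legitimate user.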