fineract-dev mailing list archives

From Myrle Krantz <my...@apache.org>
Subject Re: [Mifos-developer] REQUEST: Store 4-digit pin code on back-end for self-service login
Date Mon, 24 Apr 2017 07:59:38 GMT
Just a thought: Security doesn't seem like a very good argument here.
If it's input on the device in hand then it will at some point be
stored locally, even if it's only temporary.  By saving the pin on the
server you are creating a lot more places where it would be stored at
least temporarily and therefore a lot more "attack surface".  Of
course you can talk about hashing/salting/encrypting to reduce that
attack surface, but those are all things you can do locally too.

Local is the only place you absolutely cannot avoid having it in plain
text at some point (however brief) because it is being input there.

Greets,
Myrle

On Mon, Apr 24, 2017 at 8:54 AM, Ed Cable <edcable@mifos.org> wrote:
> Shiv,
>
> I agree that I wouldn't want log-in to be dependent on network
> connectivity. I too also don't believe that the pin needs to be shareable
> across devices as it's most typical that the 4 digit pin only works for the
> device that you're setting it up on.
>
> The reason why we were proposing storing the 4-digit pin on the server was
> because it was insecure if stored locally if a device was rooted and the
> pin could be accessed.
>
> Ishan - there is no way the 4-digit pin could be stored locally in a secure
> manner?
>
> Sander and others, based on what you've built into your self-service apps,
> can you add your thoughts to this thread?
>
> Thanks,
>
> Ed
>
> On Sun, Apr 16, 2017 at 10:02 PM, SHIV ARORA <shivamarora0902@gmail.com>
> wrote:
>
>> If we store the pin on the server then the app will be dependent on network
>> connectivity. I think this passcode feature should work regardless of
>> whether internet access is available or not. In further stages, we would
>> give the app an offline access feature. So I think network dependency for
>> this feature is not a good option.
>>
>> On 14 Apr 2017 9:21 p.m., "Ed Cable" <edcable@mifos.org> wrote:
>>
>>> Hi Nazeer,
>>>
>>> Per our discussions, I wanted to send some further details on the dev
>>> list about the requirements and conversations the mobile developers working
>>> on the Android self-service app have been having.
>>>
>>> First off, in order to make it easier for a user to log in and not have
>>> to fully authenticate themselves each time they leave the self-service app,
>>> we wanted to enable a 4 digit pin code that could be used to log in to the
>>> app (once fully authenticated for a first time). This is pretty standard
>>> practice in banking apps.
>>>
>>> We didn't want to store that locally since it wouldn't be secure on
>>> phones that are rooted.
>>>
>>> With that constraint, we need to be able to store this pin on the
>>> back-end - then it can also be shared across phones as well.
>>>
>>> I'll let Rajan, Ishan, Puneet and others chime in with more details
>>> about the access token that gets generated, its validity etc.
>>>
>>> A couple of GSOC aspirants have already begun work on the creation and
>>> entry of the pin via the app on the phone but we need your assistance in
>>> storing it at the back-end.
>>>
>>> I've created a ticket at: https://issues.apache.org/jira/browse/FINERACT-424
>>>
>>> Discussion surrounding those tickets can be found at
>>> https://github.com/openMF/self-service-app/issues/115 and
>>> https://github.com/openMF/self-service-app/issues/132
>>>
>>> Ed
>>>
>>> --
>>> *Ed Cable*
>>> President/CEO, Mifos Initiative
>>> edcable@mifos.org | Skype: edcable | Mobile: +1.484.477.8649
>>>
>>> *Collectively Creating a World of 3 Billion Maries | *http://mifos.org
>>>
>>>
>>> ------------------------------------------------------------
>>> ------------------
>>> Check out the vibrant tech community on one of the world's most
>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>> Mifos-developer mailing list
>>> mifos-developer@lists.sourceforge.net
>>> Unsubscribe or change settings at:
>>> https://lists.sourceforge.net/lists/listinfo/mifos-developer
>>>
>>
>
>
>
> --
> *Ed Cable*
> President/CEO, Mifos Initiative
> edcable@mifos.org | Skype: edcable | Mobile: +1.484.477.8649
>
> *Collectively Creating a World of 3 Billion Maries | *http://mifos.org
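To make the "hash/salt locally" option from this thread concrete, here is an added example (not code from the thread or from the self-service app) of a local PIN record that stores only a random salt, a PBKDF2 hash and a failure counter, compares in constant time, and locks after repeated wrong guesses. The `PinStore` class, the iteration count and the attempt limit are assumptions; the thread names none of them.

```python
import hashlib
import hmac
import os

# Assumed work factor. A 4-digit PIN has only 10,000 values, so on a rooted
# device an attacker who copies salt+hash can still try them all offline;
# the per-guess cost only bounds that effort, it does not remove it.
PBKDF2_ITERATIONS = 200_000
MAX_FAILED_ATTEMPTS = 5  # assumed policy; the thread does not fix a number


class PinStore:
    """Local PIN record: holds salt, hash and a failure counter, never the PIN."""

    def __init__(self, pin: str, iterations: int = PBKDF2_ITERATIONS):
        if not (pin.isdigit() and len(pin) == 4):
            raise ValueError("PIN must be exactly 4 digits")
        self.salt = os.urandom(16)          # per-device random salt
        self.iterations = iterations
        self.digest = self._derive(pin)      # the PIN itself is discarded
        self.failed_attempts = 0

    def _derive(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt,
                                   self.iterations)

    @property
    def locked(self) -> bool:
        return self.failed_attempts >= MAX_FAILED_ATTEMPTS

    def verify(self, pin: str) -> bool:
        """True only for the right PIN; refuses everything once locked."""
        if self.locked:
            return False
        if hmac.compare_digest(self._derive(pin), self.digest):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        return False

    def reset_after_full_login(self) -> None:
        """Clear the lock once the user re-authenticates with full credentials."""
        self.failed_attempts = 0
```

The lockout only stops online guessing through the app; it does not help once the record has been copied off a rooted device, which is why the PIN should unlock a revocable token rather than stand in for the real credential.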
