top | item 22443593


mathijs | 6 years ago

I agree with this comment completely. Adding a biometric lock would turn it into 3FA.

Not sure if HN allows plugging your own apps, so please forgive: I made an app a while ago that aims to replace Google Authenticator for some of the reasons mentioned: it allows you to back up and transfer tokens without creating a large attack factor. Not having sync is a feature in this case as well. In fact, the app does not even have the internet permission enabled, so it is utterly unable to phone home. Transferring backups does require a biometric lock.

It is also entirely free, so I'm only posting this out of pride of my own work: https://play.google.com/store/apps/details?id=com.pixplicity...


goalieca | 6 years ago

Biometric data should be considered identity and not authentication data. They can never be revoked or rotated, for one. And who knows how many people have it on file. Not every auth server gets their own "key".

mathijs | 6 years ago

Makes sense. The principle of 2FA is to combine 'something you know' (a password) with 'something you own' (your phone). I guess the biometric lock is 'something you are' on top of that.

celticninja | 6 years ago

Thanks for sharing, I will take her back, although should I trust a random app from Hacker News with my passwords?