I'm currently working on an Android app in which I want to authenticate someone
Question
I'm currently working on an Android app in which I want to authenticate someone against a REST API. I want to do this as securely as is (cost-)effective/possible/user-friendly.
I've been looking around and found that 2FA (two factor authentication) seems the most viable solution (after initiating the sign up process I'll send a POST to the REST API to store device data and give the device a token that is generated from the device information and then send an SMS with a different token to the phone which the user then has to enter (likely TOTP)). SSL is used whilst communicating with the remote API.
My question to you is, is it worth the effort to look into biometrics? There are just so many possibilities to do this:
- Voice
- Gestures
- Fingerprints (seem very unsafe; Mythbusters 2006 episode)
- A picture of the user (since a 'selfie' is a thing, but has to be monitored if no proper matching software is found).
- and I'm probably forgetting a few more now...
Thanks for the help.
Explanation / Answer
First, what you are initially describing is not two-factor authentication. It is two instances of "what you have". The phone contains a token, so you have to have the phone with the token. The phone also receives SMS messages, so you have to have the phone. Not only is it two things you must have (TFA must be two different factors), but it is the same thing that they must have, rendering it completely useless to do both.
Second, biometrics are not likely practical. You would need a common client that would be available on all the devices, and designing such an interface would be technically complicated (most likely requiring third-party software). Why not just use a password? That's something the user knows and would be another factor. If you have two factors, it is generally not considered worth it to bother with a third unless it is trivial to do so, and in this case, it is not.