[Openid-specs-fapi] [Off-topic] Option to disable password authentication among FIs?

Joseph Heenan joseph at authlete.com
Thu Dec 9 16:06:47 UTC 2021


Hi Nat,

I’m not 100% sure it’s what you’re asking for, but Monzo in the UK is an interesting example:

https://monzo.com

I have a Monzo account, and as far as I know I’ve never had a password. They primarily rely on a mobile app and on-device biometrics, and whilst I can’t remember the exact details I believe enrolling an existing account into the app on a new device involves some biometrics (not device side biometrics like Apple’s Face ID, but a server side facial check including liveness etc) and some combination of email/sms magic links / tops.

As you say, generally in the EU password-only login is completely banned; the majority have kept passwords but added SMS or email OTPs, although if they have mobile apps they’re generally allowing device biometrics or pin plus a password or extra challenge when doing a higher risk operation, for example setting up a new payment recipient.

Thanks

Joseph



> On 9 Dec 2021, at 14:53, Nat Sakimura via Openid-specs-fapi <openid-specs-fapi at lists.openid.net> wrote:
> 
> Hi
> 
> This is off-topic for the WG but adjacent and since many of you are well acquainted with the markets, let me ask this. 
> 
> Is there an example of Banks and other Financial Institutions that allow users to disable the password authentication so that they wholly can depend on FIDO or other types of SCAs? 
> 
> Not disabling password authentication (i.e., authenticating only with a password) seems to be a security weakness. If you could give me examples of disabling password-only login (I am guessing that is actually banned in EU) in each jurisdiction, it is much appreciated. 
> 
> Best, 
> 
> -- 
> Nat Sakimura