Changes to Touch ID/Fingerprint to Login


#1

There are a few discussion threads about Touch ID and Fingerprint and how you use this to log in, and also the suggestion that you might use Touch ID for actions within the app. We wanted to achieve a model where as a customer if you have just unlocked your phone, when you tap the Starling app logo, we don’t need to ask again for you to authenticate as you just did.

We realise however that this has created some inconsistencies, for example you haven’t known how to enable it, and so we want to simplify the experience for you.

What we are thinking is this.

When you create an account
• When customers who have Touch ID/Fingerprint capability create their accounts, they will be asked to allow Touch ID/Fingerprint.
• If, as a customer, you allow Touch ID/Fingerprint the app will default to requiring authentication to log in, and you’ll create a passcode as a backup.
• If you skip enabling Touch ID/Fingerprint, you’ll be asked to create a passcode and this will be required for log in.
• Payments under £1,000 to existing payees will not require additional authentication.
• Payments over £1,000 will continue to require your password.

After you have an account

• Once you have an account you can then choose to manage how you use Touch ID/Fingerprint in Login & Settings.
• You can choose not to require Touch ID/Fingerprint to log in (if you prefer to access your account more easily). With this option, because your app is more open, the app will default to requiring Touch ID/Fingerprint to authorise all payments (in other words, under £1,000 as well). For your account security you won’t be able to change that setting.
• We’ll remind you regularly if you have Touch ID/Fingerprint to log in disabled, to make sure you know it’s more secure to enable it.

Below are some screenshots (for iOS for now) of how this will look in app. Please let us know your thoughts. In particular, we really want to understand whether you understand how changing your log in preferences will affect the privacy and security of your data?

Would you be likely to have Touch ID/Fingerprint enabled or disabled for log in?



#2

I’d turn it off to open the app - nobody else can unlock my phone.

Will it work with infrared face scanning? 😂


#3

For what it costs me, I’d be inclined to keep fingerprint active.

I like the proposal. Thank you.


#4

I’d prefer to keep Touch ID enabled to open the Starling app, as I may give my phone to someone (once I’ve unlocked) and personally I don’t like to share my balance with anyone else other than my wife.

I like the idea of not having to enter a password for payments under £1,000.


#5

Finally. I personally will keep it disabled - my phone is already protected by a fingerprint and if someone were to bypass that there are way more important things on it anyway, so bad guys seeing how much I spent over the weekend would be the least of my worries.


#6

I always where possible use fingerprint to unlock apps, it makes things more simple and easier.


#7

In my opinion the more security the better, especially on a banking app. So I certainly would enable fingerprint option.


#8

Agreed, Touch ID turned on all the way.


#9

I guess it boils down to making the user feel comfortable. You’re asking somebody to put their trust (and money) in your hands, so anything that can make people less worried about doing so can only be a good thing in my opinion. So having opt-in security should hopefully please everyone 🙂


#10

I have a couple of concerns with the authentication in the app:

  • you call “passcode” what the rest of the world calls “PIN”. 4/6 digits is a PIN, not a passcode. This is confusing
  • I can’t see fingerprint anywhere in the app, but somehow it’s active
  • I’m not too sure what the password is for, and how different it is from the passcode/PIN
  • I don’t understand why some options are present when you create the account but not after (like the fingerprint)
  • the login screen is ugly, doesn’t respect the theme of the app, and doesn’t indicate I can simply use my fingerprint (this was very confusing and required support, I had set up the app a few weeks prior I finally received my card and forgot I had set up the fingerprint)

Here is what I suggest for the Login and Security Options menu:

  • Log into app: choose between “Fingerprint”, “Password”, “PIN”, “No Security”
  • Change payments and payee details:
    • choose value for unprotected payments (you’ve suggested £1,000 by default)
    • choose between “Fingerprint”, “Password”, “PIN”, “No Security” for higher value payments
  • Set Password (if not set)/Change Password (if already set) and forgot Password
  • Set PIN (if not set)/Change PIN (if already set) and forgot PIN

If user chooses “No Security” in both, warn them this is a very poor choice (but it’s theirs!)
If user chooses “No Security” and “PIN”, warn them this is a poor choice (but it’s theirs!)
If user chooses “Fingerprint”, “PIN”, “Password” and this hasn’t been set yet, send them to the screens that set “Fingerprint”, “PIN”, “Password” accordingly

When you create an account guide users through setting up security options (one screen for login with options above then one screen for Change payments and payee details with the options above).

I hope this makes sense.


#11

I’m probably not in your core demographic - too much of an old fart. Also, I work in cyber security, which makes me a cautious soul…

There’s some research out there that says fingerprints really aren’t very secure. Things are evolving with Apple embracing face recognition, too. They’re going to keep changing.

I know you’re in beta, but I wouldn’t be hasty about turning down any security controls. Your present model makes a lot of sense. Maybe it needs explaining better, and/or an explanation of why it’s good to keep “read only” mode separate from “write” (pay) … plus access to other critical data like CVV or card PIN reminder. And/or something to help people think through their personal risk profile, and to choose settings accordingly.

That said, I was surprised when I needed a password to pay a low amount to someone I’d paid before: that seems a bit much.


#12

Unlike some here, I don’t unlock my phone with my fingerprint to let others fiddle around with it. Therefore if I don’t want application-based security I feel that’s my prerogative - particularly when I’m just opening the app to see my balance or check if a direct debit has been processed. That said, to make a payment to anybody irrespective of value, and maybe to access extended app functions (card settings, statements, and security settings) these items should always be protected by Touch ID.

Similarly, I’m not keen on the notion of being regularly reminded that Touch ID isn’t enabled. I’ll know it’s not enabled because I make that conscious decision NOT to enable it every time I open the app!

So whilst I appreciate Starling might want to accommodate the lowest common denominator, I would much rather we be considered intelligent fully-informed adults, and allow us fully-informed adults to make the decision whether Touch ID is necessary just to open the app.


#13

How is CVV critical? People here want it protected by up to three fingerprints (unlock phone, unlock app, show CVV) yet it is printed on the back of something you just carry around in a back pocket (your wallet isn’t fingerprint protected) and you’ll just give your card number and CVV to absolutely anyone on the telephone (what’s to stop them writing it down and selling it on?)


#14

Transfer wise I see no need to be asked for my password at all - an additional check screen for all transfers would be great detailing account number, sort code and amount asking me to perform some kind of action like enter a random number on the screen to confirm the payment rather than a simple tap to confirm just in case I had entered the wrong details but hit confirm instead of cancel which is easy to do at the moment.

I like fingerprint security for both my device and the app but giving users complete control of these security measures is definitely the way forward - setting arbitrary control levels such as £1000 doesn’t make sense, to some customers that is a huge amount, to others it’s a day’s work. This is the same for cash withdrawals - being able to set these limits yourself within the app would be the best way of giving all customers control of their money in a way that works for them.


#15

Yes, that.


#16

I don’t think giving a user the option to select no security should be available, regardless of whether that user acknowledges the fact they are daft enough to select this option. For Starling to offer this (I don’t think they would) they’d be shirking away from certain responsibilities that would apply to anyone providing a service, i.e. protecting your data. And I’m pretty sure that should this be an option and someone chose it and their details were compromised, the authorities would side with the victim because the service provider, i.e. Starling, allowed it to happen. Regardless of how careful you think you are, there is always someone one step ahead of you.


#17

A lot of websites don’t actually ask you for the CVV anyway, including Amazon. So the CVV isn’t actually as important as people make out.


#18

Finally some common sense.


#19

This, definitely.


#20

I see Starling’s point about the reminder, but at the same time I get @philby’s as well. Not sure I want the ongoing warning - I’d tire of that.