Authentication.

Dave Plowman (News)

Jun 29, 2022, 10:19:57 AM
Bought something online - about 500 quid - from a pretty large well known
company. Filled in all the usual details. On the PC.

Paid by Barclaycard.

Said it needed authentication and gave me a choice of how - I chose the
Barclays App.

To get into my phone needs my fingerprint. And again to get into the
Barclays App. It then asked for (I think) a 5 digit code. And no idea what
that is, as I don't remember ever using it.

Very odd. One of the other authentication choices is an SMS sent to the
same phone with a code. And I can access that from the phone without
needing any additional code. Or even my fingerprint again.

--
*If you can read this, thank a teecher

Dave Plowman da...@davenoise.co.uk London SW
To e-mail, change noise into sound.

Michael Chare

Jun 29, 2022, 10:58:11 AM
On 29/06/2022 15:19, Dave Plowman (News) wrote:
> Bought something online - about 500 quid - from a pretty large well known
> company. Filled in all the usual details. On the PC.
>
> Paid by Barclaycard.
>
> Said it needed authentication and gave me a choice of how - I chose the
> Barclays App.
>
> To get into my phone needs my fingerprint. And again to get into the
> Barclays App. It then asked for (I think) a 5 digit code. And no idea what
> that is, as I don't remember ever using it.
>
> Very odd. One of the other authentication choices is an SMS sent to the
> same phone with a code. And I can access that from the phone without
> needing any additional code. Or even my fingerprint again.
>
I ordered a TV online from John Lewis for a similar amount. I was abroad
at the time (Switzerland). Barclaycard tried to send a code to my
mobile phone which never arrived. In the end I was able to pay using
Paypal. They sent a code to my phone which did arrive. Paypal then
passed on the charge to Barclaycard!

John Rumm

Jun 29, 2022, 12:42:10 PM
On 29/06/2022 15:19, Dave Plowman (News) wrote:
> Bought something online - about 500 quid - from a pretty large well known
> company. Filled in all the usual details. On the PC.
>
> Paid by Barclaycard.
>
> Said it needed authentication and gave me a choice of how - I chose the
> Barclays App.
>
> To get into my phone needs my fingerprint. And again to get into the
> Barclays App. It then asked for (I think) a 5 digit code. And no idea what
> that is, as I don't remember ever using it.
>
> Very odd. One of the other authentication choices is an SMS sent to the
> same phone with a code. And I can access that from the phone without
> needing any additional code. Or even my fingerprint again.

The banking app passcode is one option at login - but if you have
fingerprint enabled, then it normally pops up over the prompt for the
passcode when you start the app, so you may not see it usually.

However it will request it for some authentication tasks, where there is
the possibility that the owner of the fingerprint is "under duress" (or
no longer attached to it!)

https://www.barclays.co.uk/help/mobile-banking/login-setup/forgot-passcode/

(so it would have been something you set when setting up the app the
first time)


--
Cheers,

John.

/=================================================================\
| Internode Ltd - http://www.internode.co.uk |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk |
\=================================================================/

Andy Burns

Jun 29, 2022, 12:52:22 PM
John Rumm wrote:

> The banking app passcode is one option at login - but if you have fingerprint
> enabled, then it normally pops up over the prompt for the passcode when you
> start the app, so you may not see it usually.
>
> However it will request it for some authentication tasks

For me it asks for a 5 digit PIN (not my card PIN) either when I use the phone's
PINsentry (won't accept fingerprint) or every once in a while it wants PIN
instead of fingerprint.

But I think several times Dave has mentioned his barclays account, it seems to
behave slightly differently from other people's, if you can sign in with
fingerprint, under [...] Settings, Login&Security, do you get the option to
Change Log-in Passcode?



Harry Bloomfield Esq

Jun 29, 2022, 1:52:14 PM
Andy Burns brought next idea :
> But I think several times Dave has mentioned his barclays account, it seems
> to behave slightly differently from other people's, if you can sign in with
> fingerprint, under [...] Settings, Login&Security, do you get the option to
> Change Log-in Passcode?

All of my accounts accessible via my Iphone, are able to use a finger
print - the very same one as used to open the phone up. It also works
for contactless payments.

I have the phone set to accept either a left or right thumb print.

Mike Halmarack

Jun 29, 2022, 1:54:09 PM
On Wed, 29 Jun 2022 15:19:43 +0100, "Dave Plowman (News)"
<da...@davenoise.co.uk> wrote:

>Bought something online - about 500 quid - from a pretty large well known
>company. Filled in all the usual details. On the PC.
>
>Paid by Barclaycard.
>
>Said it needed authentication and gave me a choice of how - I chose the
>Barclays App.
>
>To get into my phone needs my fingerprint. And again to get into the
>Barclays App. It then asked for (I think) a 5 digit code. And no idea what
>that is, as I don't remember ever using it.
>
>Very odd. One of the other authentication choices is an SMS sent to the
>same phone with a code. And I can access that from the phone without
>needing any additional code. Or even my fingerprint again.

These new super safe security methods are a life saver and a killer
all rolled into one.
--

Mike

Brian Gaff

Jun 30, 2022, 2:58:26 AM
Yes I hate all of that. One big issue the blind are having is banks wanting
you to use plug in keypads on computers, but they do not supply them with
buttons any more just a flat touch screen, which is about as useful as a
chocolate teapot to us.
I do sometimes think on the way to trying to make stuff super secure they
seldom think it through and then wonder why everyone starts complaining.
Look at the hoops I had to go through to get access to my gmail account
again in June.
Brian

--

--:
This newsgroup posting comes to you directly from...
The Sofa of Brian Gaff...
bri...@blueyonder.co.uk
Blind user, so no pictures please
Note this Signature is meaningless.!
"Dave Plowman (News)" <da...@davenoise.co.uk> wrote in message
news:5a002eb...@davenoise.co.uk...

fred

Jun 30, 2022, 3:28:51 AM
There is an element of bluff in these security questions. I was once asked where was I born. I had never given this information to any app. Our company's banks lost our record one time (it does happen). It didn't stop them asking for a date of birth which they couldn't check.

Rod Speed

Jun 30, 2022, 4:55:18 AM
Brian Gaff <brian...@gmail.com> wrote

> Yes I hate all of that. One big issue the blind are having is banks
> wanting
> you to use plug in keypads on computers, but they do not supply them with
> buttons any more just a flat touch screen, which is about as useful as a
> chocolate teapot to us.

I just use the fingerprint sensor on the iphone.

> I do sometimes think on the way to trying to make stuff super secure
> they
> seldom think it through and then wonder why everyone starts complaining.

> Look at the hoops I had to go through to get access to my gmail account
> again in June.

I didn't have to do a thing because I use the gmail app on my iphone.

Peeler

Jun 30, 2022, 5:11:37 AM
On Thu, 30 Jun 2022 18:55:08 +1000, cantankerous trolling geezer Rodent
Speed, the auto-contradicting senile sociopath, blabbered, again:

<FLUSH the abnormal trolling senile cretin's latest trollshit unread>

--
John addressing the senile Australian pest:
"You are a complete idiot. But you make me larf. LOL"
MID: <f9056fe6-1479-40ff...@googlegroups.com>

Max Demian

Jun 30, 2022, 6:49:38 AM
One problem is the question might be rather obvious, like the make of
your first car (Ford). Others could be ambiguous, especially problematic
if you are typing the answer into a field on a form or telling a
pedantic agent; if it's the name of your secondary school, did you
include the word school? Or you might have gone to more than one: which
one did you tell them when setting up the account? Or you might just
make a mistake, like forgetting a foreign school trip when asked which
foreign country you first visited.

--
Max Demian

jkn

Jun 30, 2022, 8:18:04 AM
I *never* put the 'right' answers into these kind of things; I just put random
replies in, different for each site:

What was the name of your first school: teapot
Where were you born: Saturn

etc. Of course you then have to have a way of looking them up afterwards.
I use Keepass: https://keepass.info/

Andrew

Jun 30, 2022, 8:45:22 AM
I set up a 12 digit lock pin for the phone and then when I installed
the Barclays App it wanted me to set up just a 5 digit pass code.

Later on I changed the phone to accept face recognition which it does
during the day but at the first use of the day the phone demands the
12 digit pin, however the Barclays App always requests the 5 digit
pass code.

Roger

Jun 30, 2022, 9:15:35 AM
On Thu, 30 Jun 2022 05:17:56 -0700 (PDT), jkn
<jkn...@nicorp.f9.co.uk> wrote:

>Where were you born: Saturn

You are Sun Ra and I claim my five pounds.
--
Roger

jkn

Jun 30, 2022, 9:20:19 AM
Funnily enough, I met that well-known bonkers-person,
Lee 'Scratch' Perry, once, and he said to me (on account
of a ... personal peccadillo)

"Wow man ... are you from Saturn?"

(I don't actually have the ringed planet as the answer to
any authentication questions)

J^n

John Rumm

Jun 30, 2022, 9:29:48 AM
You ought to be able to login to the app with a biometric, but if you
are asked to confirm a transaction (or possibly use the pin sentry code
generation), it always wants the passcode.

Dave Plowman (News)

Jun 30, 2022, 10:39:03 AM
In article <ji3ea0...@mid.individual.net>,
Andy Burns <use...@andyburns.uk> wrote:
> But I think several times Dave has mentioned his barclays account, it seems to
> behave slightly differently from other people's, if you can sign in with
> fingerprint, under [...] Settings, Login&Security, do you get the option to
> Change Log-in Passcode?

I have remembered my 5 figure password I set up. Just not sure why it
wants that in addition to my print. Even more so when the alternative is
an SMS message with a code anyone with access to my phone could use?

--
*By the time a man is wise enough to watch his step, he's too old to go anywhere.

Andy Burns

Jun 30, 2022, 10:44:45 AM
Dave Plowman wrote:

> I have remembered my 5 figure password I set up. Just not sure why it
> wants that in addition to my print.

It wants PIN instead of a biometric

If you know you're going to do e.g. a pinsentry transaction, you can click
cancel at the fingerprint screen and skip straight to the PIN screen, avoiding
the double authentication.


Dave Plowman (News)

Jun 30, 2022, 10:49:17 AM
In article <t9k8g8$1tsje$1...@dont-email.me>,
John Rumm <see.my.s...@nowhere.null> wrote:
> You ought to be able to login to the app with a biometric, but if you
> are asked to confirm a transaction (or possibly use the pin sentry code
> generation), it always wants the passcode.

OK. That and pin sentry are pretty secure. But a code sent as an SMS?

--
*Go the extra mile. It makes your boss look like an incompetent slacker *

Mike Clarke

Jun 30, 2022, 10:49:54 AM
On 30/06/2022 15:38, Dave Plowman (News) wrote:
> I have remembered my 5 figure password I set up. Just not sure why it
> wants that in addition to my print.

Probably because the app doesn't know what level of security you use to
access your phone therefore it doesn't trust the phone and wants
confirmation that the person using it knows the password

Andy Burns

Jun 30, 2022, 11:09:21 AM
On 30/06/2022 15:49, Mike Clarke wrote:

> Probably because the app doesn't know what level of security you use to access
> your phone therefore it doesn't trust the phone

The barclays app on android doesn't care if you've only recently unlocked the
phone by pin or finger print, the app wants the app pin (not the phone pin)
entering, or the fingerprint touched *for* the app.

It has no concept of "oh you entered your pin within the last N seconds, I won't
bother asking again"



John Rumm

Jun 30, 2022, 12:05:11 PM
On 30/06/2022 15:40, Dave Plowman (News) wrote:
> In article <t9k8g8$1tsje$1...@dont-email.me>,
> John Rumm <see.my.s...@nowhere.null> wrote:
>> You ought to be able to login to the app with a biometric, but if you
>> are asked to confirm a transaction (or possibly use the pin sentry code
>> generation), it always wants the passcode.
>
> OK. That and pin sentry are pretty secure. But a code sent as an SMS?

Codes via SMS are less secure in general... The passcode on the app
should never be sent via SMS though, or am I missing the point?

John Rumm

Jun 30, 2022, 12:08:58 PM
On 30/06/2022 15:38, Dave Plowman (News) wrote:
> In article <ji3ea0...@mid.individual.net>,
> Andy Burns <use...@andyburns.uk> wrote:
>> But I think several times Dave has mentioned his barclays account, it seems to
>> behave slightly differently from other people's, if you can sign in with
>> fingerprint, under [...] Settings, Login&Security, do you get the option to
>> Change Log-in Passcode?
>
> I have remembered my 5 figure password I set up. Just not sure why it
> wants that in addition to my print. Even more so when the alternative is
> an SMS message with a code anyone with access to my phone could use?

With things like confirmation of a web based purchase, where the card
security check on the web site offers verification via the app, the app
only needs the passcode (and will accept nothing else) - to verify the
transaction. You may use the biometric just to get into the app however.

Having the option of a OTP via SMS as well, does weaken the whole system
a little though. Not sure if that can be removed as an option.

The Natural Philosopher

Jun 30, 2022, 2:06:24 PM
On 30/06/2022 13:17, jkn wrote:
> I *never* put the 'right' answers into these kind of things; I just put random
> replies in, different for each site:
>
> What was the name of your first school: teapot
> Where were you born: Saturn
In my case 'what is the name of your pet budgerigar?'
'I don't have a pet budgerigar'


--
There is something fascinating about science. One gets such wholesale
returns of conjecture out of such a trifling investment of fact.

Mark Twain

Dave Plowman (News)

Jul 1, 2022, 9:33:32 AM
In article <ji5skr...@mid.individual.net>,
Fooking typical. They just do it to annoy me. But thanks for confirming
it.

--
*A dog's not just for Christmas, it's alright on a Friday night too*

Dave Plowman (News)

Jul 1, 2022, 9:43:38 AM
In article <t9khji$1utpk$2...@dont-email.me>,
John Rumm <see.my.s...@nowhere.null> wrote:
> On 30/06/2022 15:40, Dave Plowman (News) wrote:
> > In article <t9k8g8$1tsje$1...@dont-email.me>,
> > John Rumm <see.my.s...@nowhere.null> wrote:
> >> You ought to be able to login to the app with a biometric, but if you
> >> are asked to confirm a transaction (or possibly use the pin sentry code
> >> generation), it always wants the passcode.
> >
> > OK. That and pin sentry are pretty secure. But a code sent as an SMS?

> Codes via SMS are less secure in general... The passcode on the app
> should never be sent via SMS though, or am I missing the point?

When I paid online, I (assume) Barclay Card wanted further authentication.
Gave me the choice of using the Barclays App, pin sentry (on line, I
assume) or sending me a *one off* code via SMS. Not having needed this
before I decided to try the Barclays' app. When I couldn't remember the
log in code, it refused the transaction totally, on trying again.

So paid by debit card and got the authorisation via a text message.

--
*If we weren't meant to eat animals, why are they made of meat?

John Rumm

Jul 1, 2022, 10:23:36 AM
On 01/07/2022 14:34, Dave Plowman (News) wrote:
> In article <t9khji$1utpk$2...@dont-email.me>,
> John Rumm <see.my.s...@nowhere.null> wrote:
>> On 30/06/2022 15:40, Dave Plowman (News) wrote:
>>> In article <t9k8g8$1tsje$1...@dont-email.me>,
>>> John Rumm <see.my.s...@nowhere.null> wrote:
>>>> You ought to be able to login to the app with a biometric, but if you
>>>> are asked to confirm a transaction (or possibly use the pin sentry code
>>>> generation), it always wants the passcode.
>>>
>>> OK. That and pin sentry are pretty secure. But a code sent as an SMS?
>
>> Codes via SMS are less secure in general... The passcode on the app
>> should never be sent via SMS though, or am I missing the point?
>
> When I paid online, I (assume) Barclay Card wanted further authentication.
> Gave me the choice of using the Barclays App, pin sentry (on line, I
> assume) or sending me a *one off* code via SMS. Not having needed this
> before I decided to try the Barclays' app. When I couldn't remember the
> log in code, it refused the transaction totally, on trying again.

Yup, that seems to be the way it is supposed to work. The Barclays app
will let you login with just a fingerprint, but won't let you verify an
online transaction that way...

> So paid by debit card and got the authorisation via a text message.

While you can see why that option needs to be there, it does rather
weaken the security advantage provided by the in app verification.

Still it illustrates that the best way to break most secure systems is
not to tackle the security head on, but find a way round it altogether. :-)

John Rumm

Jul 1, 2022, 10:25:53 AM
On 01/07/2022 14:26, Dave Plowman (News) wrote:
> In article <ji5skr...@mid.individual.net>,
> Andy Burns <use...@andyburns.uk> wrote:
>> On 30/06/2022 15:49, Mike Clarke wrote:
>
>>> Probably because the app doesn't know what level of security you use
>>> to access your phone therefore it doesn't trust the phone
>
>> The barclays app on android doesn't care if you've only recently
>> unlocked the phone by pin or finger print, the app wants the app pin
>> (not the phone pin) entering, or the fingerprint touched *for* the app.

IME all the banking apps that accept biometric identification capture
their own sample, and don't use the set used by the OS for unlocking the
device itself.

Andy Burns

Jul 1, 2022, 10:47:18 AM
John Rumm wrote:

> IME all the banking apps that accept biometric identification capture their own
> sample, and don't use the set used by the OS for unlocking the device itself.

The barclays app must talk to the android biometric API ...

I have one finger from each hand registered with the phone, and they both work
with the phone itself plus a couple of apps. I just added a third finger to the
phone, wondering if the app would let me in with it.

As soon as I launched the app it said "your biometrics have changed, so have
been disabled"

I went into the app, re-enabled biometric, it needed the banking PIN entering,
but after that all three fingers work for the banking app, so a reasonably
secure way to not let someone sneakily add their finger as a way into your bank,
because if they know the PIN they're already into your bank.

John Rumm

Jul 1, 2022, 12:35:01 PM
ok this is interesting - I remember when I installed a number of banking
apps they wanted me to submit a print "in app" as such. The implication
being that it would not necessarily be the same as that used to access
the phone.

However I just tried logging into a couple of them with a finger
that the phone knows, but I don't remember teaching the app, and it did
work.

So I take back what I said, it looks like it does now work with the
phone recorded biometrics.

(The detected change thing is a nice touch - as you
say it stops someone adding a "backdoor" finger!)

John Rumm

Jul 1, 2022, 12:36:46 PM
Thinking more about this - the app scanning a print, may just be the app
verifying that you have a print the phone already knows about before
allowing access to the app - rather than it capturing its own data...