Epic: SM-1811 - IAM: Authenticate and authorize with step up requirement (MVP-P1) Resolved
JIRA: SM-1831 - Login to app with face matching (Step-up) Cancelled
Priority:
Effort estimate:
Review status: in preparation/ready to review/approved
As a Customer I want to login using face matching option so that I confirm my identity and access the app
Role: Customer
Objective: confirm identity and access the app
Reason: Confirm customer identity using face matching
Functional requirements:
Slacker https://safibank.atlassian.net/l/cp/mq55Wj1m as a decision point to assess the risk evaluation of operation. Based on the risk assessment, the calling service should make a decision whether or not to request step-up. Slacker response will be either approve or reject or Step-up
IAM interaction with Slacker regarding step up functionality https://safibank.atlassian.net/l/cp/mq55Wj1m
Conditions:
Registered Customer did not manage to login using credentials and passcode/password
Registered customer needs to know passcode/password/device biometrics in order to proceed
Device fingerprint (Advance AAI) needs to be set, used to collect all relevant device data. Once collected device data is sent to Slacker
Slacker decides if/what further action is required.
If required, Customer is forwarded to complete Face Matching (Step-Up)
Registered Customer has verified ID
https://safibank.atlassian.net/l/cp/11qdaP42 Step Up procedure shown in detail
UI requirements:
Process flow: n/a
Execution steps: n/a
Internal dependencies: Onboarding, SM-551 - Liveness check Done https://safibank.atlassian.net/l/cp/11qdaP42
External dependencies: 3rd party prerequisites
Alternative scenarios: what would happen if not done (optional)
Acceptance criteria:
Used from Onboarding.
Record video of face so that customer liveness can be checked
Customer has verified ID
Customer is given instructions based on the real positioning.
only Customer who has been assessed as a live person as well as a Customer with matching face to the face provided on the ID can receive a positive outcome of facial verification.
In case of OK result, liveness ID and score is stored within Customer profile.
Customer failing in one of the conditions above can repeat the liveness check and or is forwarded to perform vKYC SM-1832 - Login to app with vKYC (Step-up fallback) Cancelled
Links to wireframes/UI: https://www.figma.com/file/dkDQHRa1zq7tU58MiL6hBR/SaFi---UI---MVP-(Shared)?node-id=484%3A7873 https://www.figma.com/file/dkDQHRa1zq7tU58MiL6hBR/SaFi---UI---MVP-(Shared)?node-id=484%3A8038 https://www.figma.com/file/dkDQHRa1zq7tU58MiL6hBR/SaFi---UI---MVP-(Shared)?node-id=484%3A7889
Technical Analysis
As we discussed with Ion Mudreac on the call on 28 Oct, 2022, PKI signatures and the secure store is so secure that there is no need to apply DFP on top of it. Rephrased, we can say the following: if the secure store is compromised, the phone is compromised at a level that no other phone based auth mechanism can provide an appropriate level of security. (Note1: the refresh token used for classic token based auth is also stored locally and access to it also provides full access as the customer. Note2: if the key in the secure store can be accessed by an attacker, most probably they can also save the password the user types in.)
However, fraud may require us to provide logging capabilities for failed login attempts, for which we can do best effort or an enforced one by implementing the login flow. This will be handled in a different user story.
Archive
DFP-based Step-up
This story covers the case when the user knows the credentials (passcode/password/biometrics) because not knowing them (failing it in the case of biometrics) but still allow login based on other authentication mechanism is a very different case.
ForgeRock implementation
Note that this diagram is an extension of the one in Use the app on new device
Attachments:
plantuml_1658313568815.svg (image/svg+xml)
plantuml_1658313568815.png (image/png)
plantuml_1666714897235.svg (image/svg+xml)
plantuml_1666714897235 (text/plain)
plantuml_1666714897235.png (image/png)
plantuml_1666714897235 (text/plain)
plantuml_1666714897235.svg (image/svg+xml)
plantuml_1666714897235.png (image/png)
plantuml_1666714897235 (text/plain)
plantuml_1666714897235.svg (image/svg+xml)
plantuml_1666714897235.png (image/png)
plantuml_1666714897235 (text/plain)
plantuml_1666714897235.svg (image/svg+xml)
plantuml_1666714897235.png (image/png)
plantuml_1666714897235 (text/plain)
plantuml_1666714897235.svg (image/svg+xml)
plantuml_1666714897235.png (image/png)