ubank Forces Users to Use Passkey in Their App

Ubank has removed the option to log in with a pin from their mobile app and now essentially forces users to switch to PassKey.
I agree that PassKey offers better protection against phishing attacks, but I'm uncomfortable with using the same authentication method I use to unlock my phone for accessing my finances. If I’m unconscious for any reason, couldn't someone just use my fingerprint/face to log into my banking app?

Perhaps I'm missing something, but how does this improve security?


Comments

  • +3

    FaceID doesn’t work with eyes closed. Just remember to close your eyes when you faint.

  • enable pin?

    • There's no option to enable pin in the latest version of the app.
      I was perfectly happy with the fingerprint to unlock phone + pin to log into the app.
      Now it's fingerprint+fingerprint, which doesn't make sense.

    • no, i mean pin to unlock your phone. for my tablet that has my banking apps on it, i set a pin to unlock the phone and then a pin to unlock ubank

      • Like I said, the latest version of Ubank app doesn't have the option to set a separate pin for it anymore.

        • yes, you are right. the pin to log into ubank is the phone unlock pin

          • -2

            @c64: This is even worse. The phone unlock pin can't be the master password for everything..

  • I can still login using a pin but once I have logged in it is giving me an option of updating a passkey. I will just ignore it until they force me to do it.

  • Perhaps I'm missing something, but how does this improve security?

    Prevents phishing

    • Nope. You still need to enter the password+OTP to login to the app on another device, so knowing my pin won't help the hackers.

  • If you have people like that around you when you are unconscious then them breaking into your bank account would seem to be the least of your problems.

  • -4

    Are you often in an unconscious state where people can access your phone?
    Maybe you should see a doctor or reconsider your life choices….
    RUOK?

    • Things happen - heart attacks, car accidents. It's not about life choices.

      • -2

        remove it from your phone if you're that paranoid

        • Wow, such helpful advice, thanks.

  • +2

    why do banks do this, they must think we are stupid. how can you share the same credentials with multiple authorised users. This is absolutely ridiculous

    • +1

      Well, exactly. Maybe I want everyone in my family to be able to unlock my phone, but I don't want them to have access to my banking apps.

      • The phone app will use faceid again before opening the front page. Just unlocking the phone will not unlock the bank app. Is that your confusion?

        • My wife can unlock my phone with her fingerprint. I assume this means that she automatically has access to all apps protected with Passkey. Am I wrong?

          • -2

            @doperst:

            My wife can unlock my phone with her fingerprint. I assume this means that she automatically has access to all apps protected with Passkey.

            LOL you are giving her full access to your phone and blaming the bank for a logical decision? What do you expect will happen?

            • +4

              @soan papdi: That’s the point I’m trying to make! Your phone’s PIN shouldn’t act as a master password for all the apps on your device. It’s like having the same key for your front door and your safe with all your valuables.

              • @doperst: I agree with you, my bank apps use a separate pin (like UBank used to) but they now also use the biometric again when the app opens (after unlocking the phone). My wife can unlock my phone with the pin but cannot unlock the bank app with faceid.

                The problem here is that you have handed over biometric access to another person willingly but yet want privacy. Phones are not designed to be multi-user like how PCs are.

                • @soan papdi:

                  My wife can unlock my phone with the pin but cannot unlock the bank app with faceid.

                  Are you sure there's no option to log in to the bank app with the phone pin? Try covering the front camera, there should be a small link - "Use pin"

                  • @doperst:

                    Are you sure there's no option to log in to the bank app with the phone pin? Try covering the front camera, there should be a small link - "Use pin"

                    The phone's pin and bank app's pin are not the same. So yes, even if I block the camera to disable faceid, the bank app asks for its pin, not the phone unlock pin.

                    • @soan papdi: I meant the phone's pin.
                      As I understand, when Passkey is enabled, it uses all methods of authentication available on your phone - pin, fingerprint, faceID. So the phone pin can be used to login to the banking app. (unless there's an option to disable it, but I couldn't find it)

                      Also, like I said, there's no such thing as bank app pin in the latest version of Ubank app, they removed it.

                      • @doperst: I am not with UBank, so can't verify what you want. I still maintain that you should not be allowing biometric access to another person. FWIW Up is like this too. Their app doesn't have any authentication, just unlock the phone and open the app. I was able to add "require faceid" for the app on iOS18 but looks like UBank feels the same way now.

              • +1

                @doperst: AFAIK, a passkey is one specific form of biometric authentication. Like, if you choose FaceID, it will be only one specific face. Your OS (iOS/android/PC) can tell the app which ones are already enrolled and make the process of verifying the auth when you open the app easier for the app, because it can match the face to the known faces it already has, but it is not actually allowing all ways (faces) you can login to the phone itself.

                When you create the passkey with faceid, try unlocking the app with a different face that the phone would allow. If I'm wrong please let us know here.

          • @doperst: iOS 18 allows you to set PIN codes for individual apps I believe, not sure about Android as I do not use that mobile OS

  • +4

    What phone do you have?
    Samsung has secure folder.

    • +2

      Actually, this is a good idea. I can enable App Lock for banking apps with a different authentication method (a pin or pattern). Thanks!

  • +1

    You can revert back to password + OTP.

  • Surely it's less likely someone will find a way to get you to unwillingly use your fingerprint than it is for someone to take your phone and use a PIN they saw while peeking over your shoulder.

    • +2

      It's unlikely that my phone will be unlocked. So they will need to unlock it first.
      Biometrics to unlock + pin to login to the app means two layers of protection. Biometrics+biometrics is just one.

  • Passkeys will likely be the norm in a couple of years. May as well get used to it. You can use another app like 1Password to manage your passkeys instead of the phone if you want to keep it separate.

    • Passkeys will likely be the norm in a couple of years.

      Nope. ADM will take over by then…

    • Agreed, passkeys are better than passwords, not really an opinion thing. Funny to see such a strong reaction.

  • Passkey is crap.

  • -1

    I emptied my ubank accounts because of this. I got an iPhone and don’t use iCloud so I can’t use passkey.
    I just opened Macquarie bank accounts, where you can transfer directly out of the savings account like Ubank used to allow.
    It’s almost as if ubank is intentionally trying to prompt customers to leave with each change they make to the system.

    • +2

      Yeah, I hate their new website and their new app. Half of the features they used to have in the past are gone.
      Luckily I don't use it that often. Can't imagine doing my everyday banking with Ubank.

  • +1

    Does ubank support external FIDO2 passkeys? Something like a NFC Yubikey for example?
    That could enable you to share your phone without sharing the passkey.

  • I use OnePlus phone.
    For privacy, there are App lock, Hide apps, and Private Safe in the phone Settings.

    With App lock enabled, after I unlock my phone, I need to unlock certain apps that I have included in "App lock" either with Fingerprint, Face, or Pattern (choose which one to use or all). So, I can set like Fingerprint to unlock my phone, then need "Pattern" to unlock bank apps for example.

    For more privacy, maybe Hide certain apps in "Hide Apps" settings. Sensitive/private files can be put inside "Private Safe"

    Login with Passkey doesn't work for Boost Mobile website in my phone. Maybe because the Passkey was in my previous broken phone. So, I have to use password to login into Boost Mobile website. Or create a new Passkey in my current phone.

    • So, I can set like Fingerprint to unlock my phone, then need "Pattern" to unlock bank apps for example.

      Yeah, this is what I ended up doing.
      It bothers me that we have to use third-party solutions to increase the security of banking apps.

  • Passkeys are a replacement for passwords. They're faster to sign in with, easier to use and much more secure.
    Passkeys are a replacement for passwords that are designed to provide a more convenient, more secure, passwordless sign-in experience on websites and apps. Passkeys are a standard-based technology that, unlike passwords, are resistant to phishing, always strong and designed so that there are no shared secrets.

    Source
    Passkeys are just better, passwords are bad, really bad. While I get not liking change, I would do a little more research on why they are being pushed so hard by big tech companies. Here's a nice video if you don't like reading, or passkeys.com goes a little more in depth on why they are so good. Are they perfect? No, but it's a good improvement over passwords even with 2FA.

    • I’m not saying passwords are better - I'm saying that a passkey alone isn’t enough security for a banking app. Yes, it does provide much stronger protection against remote attacks, but unlocking your phone shouldn’t automatically grant access to your bank account.

      Think about it: a mugger could knock you out, use your finger to unlock your phone, and then access your banking app to drain your life savings. Or your kid, who knows your phone’s PIN, could use it to buy loot boxes in a game with your card.

      These kinds of scenarios shouldn’t be possible. There needs to be an extra layer of security for sensitive apps.

  • Bad enough they force me to use passkey but the face recognition on their app sucks. After a few failed attempts I had to use passcode anyway

  • Can someone tell me what's the difference using Samsung pass key and just use phone biometric?

  • +1

    From my reading and seeing how it's been implemented, Passkeys are for speed & convenience, definitely not security. Which is bad for banking apps. Using the same "token" to open a device and sensitive apps is just insane.

    The old ubank app (and other banking apps) need an unlocked device & a UNIQUE PIN to open the app. That pin is useless to anyone else who doesn't have your unlocked phone. Hackers & phishers can't use this info. It acts in the same way as a passkey ie. device specific.

    I agree with others, fingerprint to unlock phone for convenience, but no way I also want it to open any sensitive apps.

    The crazy thing is ubank asks to set a pin when setting up the app, I don't know why it does that anymore. It does give you a choice to use password & otp to open the app instead of passkey, but the kicker I found out later after creating what I thought was the app password, it changed my web banking password too. So much for trying to have security.

    App deleted.

  • -1

    Having trouble here too

  • Have tried this passkey, apart from the extra step, sometimes app unresponsive on relogin - need to close the app and run again.
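
Added example (not part of the thread and not ubank's code): a sketch of the unsigned-field checks a WebAuthn relying party runs on a passkey assertion, showing where the phishing resistance discussed above comes from (the origin and RP ID are bound into the signed data) and that the UV flag is a single bit recording that the device verified the user, without saying whether by biometric or device PIN. The RP ID, origin, helper names and sample inputs are hypothetical, and the assertion signature is assumed to have been verified already.

```python
import base64
import hashlib
import json

RP_ID = "bank.example"                    # hypothetical relying-party ID
EXPECTED_ORIGIN = "https://bank.example"  # hypothetical expected origin

FLAG_UP = 0x01  # user present (touched / interacted with the authenticator)
FLAG_UV = 0x04  # user verified by the device; the bit does not say how


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding used for the challenge in clientDataJSON."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def check_assertion(client_data_json: bytes, auth_data: bytes, challenge: bytes) -> list:
    """Return the list of failed checks; an empty list means all checks passed."""
    errors = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        errors.append("wrong type")
    if client.get("challenge") != b64url(challenge):
        errors.append("challenge mismatch")   # stale or replayed response
    if client.get("origin") != EXPECTED_ORIGIN:
        errors.append("origin mismatch")      # assertion produced on another site
    if len(auth_data) < 37:                   # 32 rpIdHash + 1 flags + 4 signCount
        return errors + ["authenticator data too short"]
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        errors.append("rpIdHash mismatch")    # credential scoped to a different RP
    if not flags & FLAG_UP:
        errors.append("user not present")
    if not flags & FLAG_UV:
        errors.append("user not verified")
    return errors


def make_sample(origin: str, rp_id: str, flags: int, challenge: bytes):
    """Build constructed sample inputs (not captured from any real app)."""
    client = json.dumps({"type": "webauthn.get",
                         "challenge": b64url(challenge),
                         "origin": origin}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (1).to_bytes(4, "big")
    return client, auth


if __name__ == "__main__":
    ch = b"constructed-challenge-0001"
    good = make_sample(EXPECTED_ORIGIN, RP_ID, FLAG_UP | FLAG_UV, ch)
    phish = make_sample("https://bank-login.example", "bank-login.example", FLAG_UP | FLAG_UV, ch)
    print("legitimate site:", check_assertion(*good, ch))
    print("look-alike site:", check_assertion(*phish, ch))
```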
