What is mPIN code and does it fit in new mobile banking era?

News & Publications

Irina Latushkina

By Irina Latushkina, CBDO

Every digital financial market is unique. In one and the same macro-region you will find a lot of peculiarities related to different countries. This is what I see distinctly in APAC region. The last couple of years I used to spend at least 1/3 of the year in Indonesia, so I found some very typical features here.

Being here I feel very safe in my daily life actually: super friendly and hospitable people – not because of moral norms, rules or anything but just by nature. But as well as I feel super safe in my day-to-day operations, in the same way I feel totally unsafe when I talk to local digital and security teams.

Obviously, mobile banking channel is the most popular here although it is still well-combined with web-banking tools. One of the most popular way to protect mobile bank as I got to know is mPIN, mobile pin-code. And tell you the truth, this is neither convenient, nor secure.

From the legal point of view, OJK – local regulator in a banking sector in Indonesia – requires two-factor authentication for log-into the banking app or producing mobile banking operations. Definitely, following a general approach to strong client authentication, OJK allows to combine any types of factors: something you know, something you have and something you are. In case of internet bank experience, it’s easy to offer soft-token as a confirmation tool but this can be barely applicable to mobile-centric approach. So, banks mostly use a combination of mPIN (“something you know”) and touch ID/Face ID (“something you are”). Legally, this authentication tools complies with local regulation requirement. But let’s explore the technical side of this approach.

What is mPIN?

In fact, it’s just a static password. From the first sight, such an approach seems to be the simplest and the cheapest from many perspectives. But in fact, as soon as bank starts offering mPINs, bank’s security team has to care about a way to protect this password: from internal fraud, direct attack on the bank’s server, from any kind of spyware that can be installed on the client side, phishing links delivered via SMS or messengers. Security team will reasonably request a budget for HSM (hardware security modules) to authenticate such an mPIN in a tamper-resistant way. In other words, mPIN is the cheapest option if you don’t want to know anything about hidden costs.

At the same time, if any critical operation like password change – which should be a part of security routine hygiene – is confirmed with SMS OTP, then bank should stay true: clients are at risk. Because in this case it’s pretty easy to hijack such an OTP and take over the account using stolen credentials.

“Security amulets”

Many banks prefer no-changes position in combination with “security amulets” – big billboards with banners saying “do not share your credentials or OTP codes with anyone”. But in 2023 when based on Gartner reports there are more than 200 authentication solution developers globally, such a position looks more like responsibility shift – as if bank’s clients have to care about security on their own. “Amulets” no longer work for that.

“Amulets” do not work as well in case of intrusion into communication channel between a bank and banking app, they do not work in case of transaction detail replacement in a background – as well as mPIN cannot guarantee integrity and non-repudiation of bank transaction.

mPIN UX

Apart from security risks, one of the thing me personally do not like about mPIN is the annoying need to input this password every time the client makes in-app operation. Basically, it takes around 10-15 seconds to log-into app if you use static password and Touch ID.

In Indonesia with a big number of alternative payment solutions, banks should be strong to win a competition for daily payments.

Ok, what is the solution then?

You may ask this question and I will try to answer without adds in it. The solution lies in reconsidering security or at least serious consideration of a new passwordless authentication approach: based on cryptographic algorithms, with strong linkage with the device and transaction details. Security should be strong but invisible for the client.

Imagine that it would be possible to authenticate clients using a security key that they don’t even need to remember, but can simply activate with a fingerprint from an exact device? What if security team could help the digital one to reduce time of confirmation from 10-15 seconds to 2 seconds? All this is real and already works.

https://www.finextra.com/community/members/previewblog.aspx?blogid=24243