User Authentication

  1. PINs and passwords should not be easily guessable, and weak credentials should be rejected; however, users should not be forced to change passwords on a regular basis.

  2. Multi-factor authentication before performing financial or other sensitive functions is strongly encouraged.

  3. One-time passwords should be generated by a smartphone authenticator app rather than delivered by SMS, because SMS delivery is exposed to SS7 hijacking and other weaknesses of the SMS channel.

  4. If biometric information is used for authentication, it must be stored with appropriate security measures, such as encryption under a key held in the Android Keystore or in trusted hardware.
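The following is an added example, not part of the original guidelines, illustrating the credential-strength checks behind item 1: a PIN or password is rejected when it is too short, appears on a common-credential list, repeats one character, forms a digit sequence, or contains the user's own identifier. The common-credential sets below are constructed for the example; a real deployment would check against a large breached-credential corpus. Note that nothing here expires a credential on a schedule, in line with the guidance not to force periodic changes.

```python
import re
from typing import Iterable, List

# Constructed sample lists for this example only.
COMMON_PINS = {"0000", "1111", "1234", "4321", "2580", "1212",
               "123456", "000000", "111111", "121212"}
COMMON_PASSWORDS = {"password", "password1", "qwerty", "letmein",
                    "welcome", "iloveyou", "admin", "monkey"}


def _is_sequential(digits: str) -> bool:
    """True when every step between adjacent digits is +1 or -1 (e.g. 2345, 9876)."""
    steps = {int(b) - int(a) for a, b in zip(digits, digits[1:])}
    return len(steps) == 1 and steps <= {1, -1}


def check_pin(pin: str, min_length: int = 6) -> List[str]:
    """Return the list of policy violations for a numeric PIN (empty means acceptable)."""
    problems: List[str] = []
    if not pin.isdigit():
        return ["PIN must contain digits only"]
    if len(pin) < min_length:
        problems.append(f"PIN shorter than {min_length} digits")
    if pin in COMMON_PINS:
        problems.append("PIN is on the common-PIN list")
    if len(set(pin)) == 1:
        problems.append("PIN repeats a single digit")
    if _is_sequential(pin):
        problems.append("PIN is an ascending or descending sequence")
    return problems


def check_password(password: str, min_length: int = 12,
                   user_identifiers: Iterable[str] = ()) -> List[str]:
    """Return the list of policy violations for a password (empty means acceptable)."""
    problems: List[str] = []
    if len(password) < min_length:
        problems.append(f"password shorter than {min_length} characters")
    lowered = password.lower()
    # Strip a trailing digit run so "Password123" is still matched as "password".
    stripped = re.sub(r"\d+$", "", lowered)
    if lowered in COMMON_PASSWORDS or stripped in COMMON_PASSWORDS:
        problems.append("password is on the common-password list")
    for ident in user_identifiers:
        if ident and ident.lower() in lowered:
            problems.append("password contains the user's name or identifier")
            break
    if len(set(password)) < 4:
        problems.append("password uses too few distinct characters")
    return problems


if __name__ == "__main__":
    for candidate in ("1234", "839271", "654321"):
        print(candidate, check_pin(candidate) or "ok")
    for candidate in ("Password123", "correct horse battery staple"):
        print(candidate, check_password(candidate, user_identifiers=("alice",)) or "ok")
```

The checks return the full list of violations rather than stopping at the first, so the enrolment screen can tell the user exactly why the credential was refused.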
