NPCI may be planning to dump OTPS and PINS for UPI transactions, may go with bio-metrics

> Initially, both PIN and biometric authentication methods are likely to coexist, providing users with multiple options for transaction verification.

One can hope for these options to stay forever.

> The move towards biometric authentication aligns with the RBI's preference for more secure verification methods to combat financial fraud. By leveraging the built-in biometric capabilities of modern smartphones, NPCI aims to enhance the security and user experience of UPI transactions.

These lines give weird intends....
It will make UPI transactions more easier and secure slightly more, but privacy of individuals will go for a toss, moving citizens inch by inch towards a totalitarian dystopia.
 
  • Like
Reactions: jayanttyagi
Imagine someone sleeping in a bus
A thief takes their phone out of their pocket
Presses the person's finger to unlock it
Presses the finger again to empty their bank account
Bank says the victim is SOL since the transaction was biometrically authenticated so can't be disputed
It would have been more convenient to carry cash in pocket, which can be used even in areas without network

It's mind blowing that every day we move closer to digital thumb impressions, while in rural areas only the illiterate use it.
 
  • Like
Reactions: jayanttyagi
Absurd thread.

How deep is your sleep that someone can hold your finger and press it against your phone and that won't wake you up?

And there's no compromise in privacy. Android doesn't allow apps to access data from the fingerprint sensor. All authentication goes through Android core system APIs. You can only ask the OS to perform biometric authentication and then the OS will tell you if it was a success or a failure.

If UPI uses this, then just like how apps can't ask for PIN and pass it to NPCI, apps will also not be allowed to pass on biometric authentication. NPCIs web page will trigger a WebAuthn request and interpret the result directly.

For those who don't know, the page on which you enter your UPI PIN is not on the UPI app, but an npci webpage displayed using webview APIs of android or iOS. The UPI app never gets your PIN.
 
There are multiple failure point when you're going to use only biometric authentication use. Broadly categoried as two i.e. Technical and End User.
UPI have proven very secure till now on technical front. They have harden the system and difficult to breach. It can still be breached and possibility is always there because of complexity of technology.

Most of the problem arises when it's come to end user. We've already seen multiple instance where even technical savvy, graduate, smart ass became victim of UPI (more of financial fraud). Using biometric (finger) verification while someone in sleep is very much practical. There are legit scammer who will convience you/your family member to use biometic to do these financial fraud.
 
How deep is your sleep that someone can hold your finger and press it against your phone and that won't wake you up?
Are you seriously saying you can feel your finger tips while you are sleep?

Using biometric (finger) verification while someone in sleep is very much practical.
Exactly. Face scanner might be more "secure" than fingerprint since it needs your eyes to be open.
 
Absurd thread.
Well interesting you say that. On the contrary, it is reasonable to say that use of biometrics at scale is absurdly ignorant of risks. Particularly because we can change passwords, but biometrics cannot be changed, hackers keep at it and will keep succeeding in finding vulnerabilities on and off, and even one breach will put the concerned citizen at risk potentially through their lives.
 
  • Like
Reactions: Stronk
Are you seriously saying you can feel your finger tips while you are sleep?
Yeah, if someone holds my finger when I'm asleep, that will most definitely wake me up, let alone pressing it against my phone twice.
Well interesting you say that. On the contrary, it is reasonable to say that use of biometrics at scale is absurdly ignorant of risks. Particularly because we can change passwords, but biometrics cannot be changed, hackers keep at it and will keep succeeding in finding vulnerabilities on and off, and even one breach will put the concerned citizen at risk potentially through their lives.
Not only do hackers not have any kind of access to biometric info stored on your phone (that would be an Android vulnerability anyway, nothing to do with NPCI), you can absolutely change your biometrics on your phone. Just rescan your finger and it will generate a completely new key, even if it's the same finger.
 
  • Haha
Reactions: Neotheone and n1r0
There are legit scammer who will convience you/your family member to use biometic to do these financial fraud.
Leave alone scammers, there are even cases where family members themselves used finger-print of those in deep sleep for their own benefit.
Sometimes, people may be under medicated sleep, even under substance induced sleep, etc.
Biometrics should be considered as unchangeable user-id, not as password.
 
My Uncle is involved in a land dispute within family and allegations is he was drugged (heavy alcohol consumption) and taken the thumb impression. It's India and everything can be molded.
 
  • Sad
Reactions: TEUser2K1
And there's no compromise in privacy. Android doesn't allow apps to access data from the fingerprint sensor. All authentication goes through Android core system APIs.
Ever heard of zero day vulnerabilities & backdoors?

Not only do hackers not have any kind of access to biometric info stored on your phone (that would be an Android vulnerability anyway, nothing to do with NPCI), you can absolutely change your biometrics on your phone. Just rescan your finger and it will generate a completely new key, even if it's the same finger.
That's like saying NHAI is not at fault because they made the best highway with min 150kmph speed limit knowing that majority travels in cars with 2 star out of 5 star international safety rating. Also, high resolution fingerprints were easily available for anyone to download from land registry websites of many states which were used by fraudsters so much that some states have now started masking fingerprints & aadhaar numbers on uploaded scanned deeds but not all states.

But most importantly, what is the point of this nonsense of using biometrics for upi txns. Let's make it clear with some examples for before & after this upi biometric nonsense:

Scenario 1: Person is traveling with mobile & get robbed in a lonely place. Robbers beat the man up to force him to unlock his mobile & do the transfers by entering his upi pin.
New Scenario 1: Person is traveling with mobile & get robbed in a lonely place. Robbers beat the man a bit & place his finger on mobile to do the upi txns.

Scenario 2: Person fall victim to a phishing call by someone posing as cbi officer & do the upi txn by entering upi pin.
New scenario 2: Person fall victim to a phishing call by someone posing as cbi officer & do the upi txn by placing their finger on mobile.

Scenario 3: Person forgot their upi pin so use reset & spend 2 min searching for their debit card details to reset the upi pin.
New Scenario 3: No need to remember any upi pin so person saved 2 mins.

So basically for saving 2 mins NPCI wants to put a person's biometrics at risk which can never be changed unlike upi pin. If this is not nonsense then I don't know what is.
 
  • Like
Reactions: Neotheone
Ever heard of zero day vulnerabilities & backdoors?

That's like saying NHAI is not at fault because they made the best highway with min 150kmph speed limit knowing that majority travels in cars with 2 star out of 5 star international safety rating.
These are just arguments without context. Any of these methods can compromise current methods of authentication as well. It's no different for Fingerprints Vs PIN.
So basically for saving 2 mins NPCI wants to put a person's biometrics at risk which can never be changed unlike upi pin. If this is not nonsense then I don't know what is.
Scenario 4: present: person is lurking behind you observing you enter your PIN. After you're done, the swipe your phone from you and carry out UPI transaction from your phone.
Future: they can't.
 
  • Haha
Reactions: Neotheone
Scenario 4: present: person is lurking behind you observing you enter your PIN. After you're done, the swipe your phone from you and carry out UPI transaction from your phone.
Future: they can't.
So you can detect if somebody holds your finger in sleep but can't detect when somebody lurking behind you observed you entering your upi pin & then swapped your phone. Don't give arguments just for the sake of it. Give me one news article from any reputed newspaper mentioning such a crime. Instead of simply admitting you liked the biometrics because that saves you 2 min of time resetting upi pin or that you don't care about your biometrics at all, you are instead giving useless arguments to show using biometrics for upi is a good decision by NPCI. There is no shame in admitting you prefer convenience over privacy/security. Before you say anything else about biometrics in android phones being more secure give me one example/link of any reputed privacy activist/EFP article advocating biometrics else don't bother. Biometrics are neither more safe nor more secure in any typical environment encountered by typical ppl & comes with much more privacy risk than any traditional authentication method deploying 2FA using pin/password/otp/totp/device binding etc.
 
Oh, I'm the one giving arguments for the sake of it when your own arguments had nothing to do with the topic and were talking about random security vulnerabilities.

Do you even know that fingerprint scanners have capacitive surface to reject artificial fingers and dead fingers? Or that face scanners only work with your eyes open?

I think people lurking behind you to look at your password and getting phone pick pocketed is far more common than someone unlocking your phone using your finger when you're asleep. I don't know how the latter scenario sounds more plausible to you.
 
Oh, I'm the one giving arguments for the sake of it when your own arguments had nothing to do with the topic and were talking about random security vulnerabilities.

Do you even know that fingerprint scanners have capacitive surface to reject artificial fingers and dead fingers? Or that face scanners only work with your eyes open?

I think people lurking behind you to look at your password and getting phone pick pocketed is far more common than someone unlocking your phone using your finger when you're asleep. I don't know how the latter scenario sounds more plausible to you.
Random security vulnerabilities?

I think people lurking behind you to look at your password and getting phone pick pocketed is far more common
I have been reading newspaper daily since before upi was created & till now I have never even once read a news where a victim claimed someone stole their mobile & then transferred money using their upi pin though I often read about ppl claiming to click on some link & losing lakhs of rupees/sim swap frauds/falling victim to phishing calls. Think logically too. If someone lost their mobile in a public place then first thought of victim is to call their bank/telecom operator to report the theft & block everything & first thought of the thief is to switch off the mobile & throw away the sim card unless it is some mission impossible like scenario where thief is actually someone specifically targeting you for hours/days to first get your upi pin & then get your phone but you know as well that such scenarios don't happen in real life with typical ppl.

Btw, you didn't respond to this so this will be my last reply to you here.
Before you say anything else about biometrics in android phones being more secure give me one example/link of any reputed privacy activist/EFP article advocating biometrics else don't bother.
 
  • Like
Reactions: Neotheone