Prashant Nadarajan's Tech/Dev Blog

How Popular Financial Apps Are Failing Your Security

Prashant Nadarajan — Mon, 06 Jan 2025 03:51:35 GMT

As digital financial platforms become increasingly popular, users rely on apps like Coinbase, Venmo, Cash App, and Credit Karma to manage their finances, transfer money, and access sensitive personal information. With the rise in cyber threats, one would assume these apps prioritize robust security measures to safeguard their users. However, after examining the default security configurations of these widely-used apps as of January 2025, I discovered a concerning trend: their design choices actively weaken user security.

The Problem: Weak Default Security Choices

These financial apps often promote the use of biometric authentication, such as Face ID or Touch ID, as a convenient and secure way to access their services. However, the implementation of biometric security in these apps is flawed. Specifically:

Mandatory In-App Passcodes:
- To enable Face ID or Touch ID within these apps, users are required to set up an additional, app-specific passcode—usually a simple 4-digit PIN.
- This passcode is mandatory, and users cannot enable biometric authentication without first creating it.
- Even after biometric authentication is set up, the 4-digit PIN remains active and cannot be disabled.
Biometric Authentication Bypass:
- Once Face ID or Touch ID is enabled, users might assume their account is securely locked behind the biometric layer.
- However, if the biometric prompt is dismissed or malfunctions, the app falls back to the in-app passcode instead of the user's primary account credentials (username and password).
Weakness of 4-Digit PINs:
- A 4-digit PIN offers minimal security. With only 10,000 possible combinations, such PINs are far weaker than even the default security measures offered by iOS, which now supports 6-digit or longer custom numeric or alphanumeric passcodes.
- This creates a significant vulnerability, as it provides a relatively simple way for an attacker to gain access to the app—especially if the device is lost or stolen.

Why Is This a Problem?

The reliance on an app-specific passcode undermines the security benefits of biometric authentication. Here’s why this design choice is problematic:

Redundant and Arbitrary Security Layers:
- The introduction of a mandatory in-app passcode creates an additional security layer that users must remember, manage, and protect. This is unnecessary when the primary account already has a robust username and password combination.
Increased Attack Surface:
- By falling back to a simple 4-digit PIN instead of the account’s username and password, the app effectively lowers its security standards.
- For example, an attacker who gains physical access to a device only needs to bypass a weak 4-digit PIN to access sensitive financial data.
User Experience vs. Security Trade-Offs:
- While the intention behind these design choices might be to enhance user convenience, they come at the cost of reduced security.
- Users may not realize the implications of enabling biometric authentication without understanding how the fallback mechanisms work.

A Better Approach

There’s no valid reason for these apps to require an additional in-app passcode to use biometric authentication. A more secure and user-friendly implementation would include the following changes:

Fallback to Primary Credentials:
- If biometric authentication fails or is dismissed, the app should fall back to the user’s primary account credentials (username and password) rather than a weaker in-app passcode.
Eliminate Mandatory In-App Passcodes:
- Allow users to enable Face ID or Touch ID without requiring a separate app-specific passcode.
- If an app-specific passcode is deemed necessary for certain features, it should support stronger options, such as 6-digit or alphanumeric passcodes, and remain optional for users who prefer to rely solely on biometric authentication.
Educate Users About Security:
- Apps should provide clear explanations of their security mechanisms, including how biometric authentication works and what happens if it fails.
- Users should be empowered to make informed decisions about their security settings without being forced into suboptimal configurations.
Learn From Better Implementations:
- The Schwab, Fidelity, Chase, and Citi apps serve as excellent examples of secure biometric implementations. These apps do not require a custom in-app PIN and correctly fall back to the service’s username/password if biometric authentication fails.

Protecting Yourself Until Change Happens

Until these apps change their defaults, users can protect themselves by taking proactive measures. For instance, iOS 18’s Lock App feature can add an extra layer of protection to these apps. Users should pair this feature with a custom-length numeric or alphanumeric iOS passcode for stronger security.

The Broader Implications

The security flaws highlighted here are not just theoretical; they have real-world implications for the safety of users’ financial and personal data. As financial apps continue to grow in popularity, they become increasingly attractive targets for attackers. By prioritizing convenience over security, these apps put their users at unnecessary risk.

Developers of financial platforms must recognize that user trust is paramount. Strong security measures are not optional; they are a fundamental requirement for any app handling sensitive financial data. It is time for these apps to revisit their security architectures and adopt practices that truly protect their users.

Final Thoughts

As users, we must remain vigilant and critical of the tools we use to manage our finances. While biometric authentication is a powerful and convenient tool, its implementation must be done correctly to deliver on its promise of enhanced security. By demanding better security practices from app developers, we can push for a safer digital ecosystem for everyone.

Update (February 13, 2025)

Venmo has now fixed this flaw within their iOS app. As of February 13, users can enable Face ID independently of the in-app passcode. If Face ID fails, the app will now prompt users to sign out instead of falling back to the weaker in-app PIN. This is a welcome improvement, and hopefully, other financial apps will follow suit to enhance security.

Are Passwordless Logins with Magic Links Appropriate for SaaS Apps?

Prashant Nadarajan — Fri, 03 Jan 2025 02:00:08 GMT

In recent years, passwordless authentication methods have gained significant traction. This topic has been on my mind since reading We Don’t Want Your Password, which explores the growing trend of passwordless systems and their implications. Among these methods, magic links—login links sent to a user's email—have emerged as a popular choice for many SaaS applications. Hashnode (this blog’s host), for example, is one such SaaS platform that relies on magic link-based authentication, foregoing the traditional username/password approach. Proponents tout magic links as secure, user-friendly, and modern. However, there are critical user experience (UX) and security considerations that SaaS providers must evaluate before committing solely to magic link-based authentication.

While magic links may work well for certain use cases, relying on them exclusively may not be appropriate for many SaaS applications. Here’s a detailed exploration of their benefits and limitations, and why alternatives such as passkeys or traditional username-password combinations (augmented by password managers) might offer a more balanced approach.

The Benefits of Magic Links

Simplicity for the User: Magic links eliminate the need to remember passwords. Instead, users simply provide their email address and receive a one-time link to log in.
Improved Security Over Weak Passwords: Since magic links bypass the traditional username-password paradigm, they also bypass issues like users creating weak or reused passwords—a common vulnerability in traditional authentication methods.
No Password Management for SaaS Providers: Developers don’t need to store or hash passwords, reducing the attack surface for potential breaches. Compromised password databases are a common target for attackers, so avoiding them altogether is a security win.
Ease of Implementation: For SaaS providers, magic links can be relatively simple to implement, requiring integration with an email service and session management system.

The Drawbacks of Magic Links

1. Disrupted User Experience (Context Switching)

Logging in with magic links introduces an unavoidable context switch for the user. To authenticate, the user must:

Leave the SaaS application.
Open their email application.
Locate the email with the magic link.
Click the link, which redirects them back to the SaaS application.

This process creates friction, especially for users who access their email on a different device or who manage multiple email accounts. Contrast this with entering a password—a single, uninterrupted flow within the app.

2. Dependency on Email Reliability

Magic links rely entirely on the email infrastructure. However, email delivery can be delayed due to server issues, spam filtering, or other factors. These delays can frustrate users, particularly when they’re in a time-sensitive situation. Additionally, users who lack immediate access to their email (e.g., due to connectivity issues) are completely blocked from logging in.

3. Password Managers Have Improved Traditional Authentication

Password managers are now widely available and integrated across devices, browsers, and operating systems. These tools allow users to securely store and autofill strong, unique passwords, effectively mitigating the usability and security concerns of traditional password-based authentication. However, it’s important to note that password managers are still not widely adopted by the general public, which may limit their effectiveness as a universal solution. By solely using magic links, SaaS providers fail to leverage these advancements.

4. Passkeys: A More User-Friendly Passwordless Alternative

Passkeys, which leverage public key cryptography and are implemented using standards like WebAuthn, provide a seamless and secure login experience without requiring passwords. Unlike magic links, passkeys don’t require the user to leave the application to authenticate. Instead, users can log in with biometrics or device-based authentication mechanisms that are fast, reliable, and increasingly supported across modern devices and browsers. However, it’s important to note that current implementations of passkeys, such as those by Apple, Google, and 1Password, may be overly confusing for the average user, potentially limiting their widespread adoption.

5. Potential Security Risks of Magic Links

Email Account Security: The security of magic links is entirely dependent on the user’s email account. If an attacker gains access to the user’s email, they can easily exploit magic links to access the SaaS application.
Phishing Vulnerabilities: Since magic links often resemble legitimate emails, they can be mimicked by attackers to conduct phishing campaigns. Users trained to expect magic link emails might inadvertently click on malicious links.

When Magic Links Might Be Appropriate

Magic links can be a good fit for specific scenarios, including:

Casual or Low-Stakes Applications: For apps where the risk of account compromise is minimal (e.g., newsletters or personal hobby apps), magic links might provide a simple and acceptable user experience.
Temporary or Guest Access: Magic links work well for users who only need occasional or one-time access to an application.

However, for SaaS apps handling sensitive data or requiring frequent logins (e.g., enterprise software, financial tools, or collaboration platforms), relying solely on magic links is unlikely to meet user expectations or security requirements.

A Balanced Approach to Authentication

Rather than exclusively implementing magic links, SaaS providers should consider offering a mix of authentication methods to cater to diverse user needs. Here are some recommendations:

Support Password Managers and Strong Passwords Allow users to create and manage passwords while encouraging (or even requiring) strong password policies. Make the experience seamless by ensuring compatibility with password managers.
Implement Passkeys Passkeys provide a modern, passwordless experience that’s both user-friendly and secure. By adopting passkeys, SaaS providers can future-proof their authentication systems.
Offer Magic Links as an Option Magic links can complement other authentication methods, providing an alternative for users who prefer them or as a backup mechanism for password recovery.
Enhance Email Security If using magic links, SaaS providers should implement safeguards such as:
- Short expiration times for links.
- Clear instructions to verify the legitimacy of the email.
- Encouraging users to enable multi-factor authentication (MFA) for their email accounts.

Conclusion

Passwordless authentication with magic links has its merits, but it is far from a one-size-fits-all solution. SaaS providers must weigh the trade-offs between simplicity, security, and user experience. In many cases, offering a range of authentication options—including passkeys and password manager-friendly systems—will better serve users while maintaining robust security.

As the landscape of authentication continues to evolve, SaaS providers should stay informed about emerging standards and user preferences. By prioritizing flexibility and security, they can deliver an authentication experience that meets the needs of all users.