Bug Overview
Investigate if new requests include a notification that confirms the device user’s intent to biometrically authenticate.
Bug Details
If a bad actor gains access to a user's credentials and attempts to log in as the user, the user can accidentally approve the authentication request in the iValt app, because the app immediately tries to authenticate with the user's phone biometrics. To mitigate this scenario, the app should first ask the user whether they want to approve or deny the request before trying to authenticate with biometrics.
Steps to replicate
Tap on any biometric request notification from the iValt app to open the app and see that it tries to authenticate without any user input.
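
The mitigation described under Bug Details, modelled as an added example (not iValt's code): opening a request from a notification only displays it, and the biometric prompt runs solely after an explicit Approve decision. The names `ApprovalGate`, `AuthRequest` and `State`, the 60-second request lifetime, and the `biometric_prompt` callback standing in for the platform biometric API are all assumptions.

```python
import enum
import time
from dataclasses import dataclass
from typing import Callable


class State(enum.Enum):
    PENDING = "pending"    # notification opened, nothing decided yet
    APPROVED = "approved"  # user approved AND the biometric check passed
    DENIED = "denied"      # user tapped Deny, or the biometric check failed
    EXPIRED = "expired"    # request aged out before a decision


@dataclass
class AuthRequest:
    request_id: str
    origin: str                # context shown to the user before deciding
    created_at: float
    ttl_seconds: float = 60.0  # assumed lifetime, not taken from the report
    state: State = State.PENDING


class ApprovalGate:
    """Runs the biometric prompt only after an explicit Approve decision."""

    def __init__(self, biometric_prompt: Callable[[], bool], clock=time.time):
        self._prompt = biometric_prompt  # stand-in for the OS biometric API
        self._clock = clock

    def open_from_notification(self, req: AuthRequest) -> str:
        # Opening the app only renders the request; it never starts biometrics.
        return f"Sign-in request from {req.origin}. Approve or Deny?"

    def decide(self, req: AuthRequest, approve: bool) -> State:
        if req.state is not State.PENDING:
            return req.state                  # a decision is one-shot
        if self._clock() - req.created_at > req.ttl_seconds:
            req.state = State.EXPIRED         # stale request, no prompt
        elif not approve:
            req.state = State.DENIED          # no biometric prompt shown
        else:
            # Biometrics confirm identity only after intent was expressed.
            req.state = State.APPROVED if self._prompt() else State.DENIED
        return req.state
```
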