Finding: The user is asked to enter his/her PIN code several times during long-term use of Yivi.
Solution: Do not request a PIN as long as the user is actively using Yivi. Only ask for the PIN code if Yivi is no longer actively used for x minutes (just like mobile banking).
@kamphuisem and @sietseringers can you please investigate if this is possible and what the security implications are. I mean, what do we do when an app has been running in the background for quite some time? Are there any best practices in the field, from banking apps for instance?
When you enter your PIN in the Yivi app, the Yivi app exchanges that for a JWT at the keyshare server with which you can perform sessions for some minutes - 5 minutes, I believe. It is possible to extend this time period.
I'm not sure this is desirable from a security perspective, however. The PIN serves as the second factor in two-factor authentication, and if you loosen this up too much then you could effectively downgrade to single-factor authentication. That would mean you won't obtain eIDAS High or even eIDAS Substantial LoA levels. Therefore, I would argue to not loosen this.
As to best practices from banking apps:
I generally don't find those a suitable comparison, because the relevant legislation is very different: if we don't get this right then we won't obtain eIDAS High, whereas a bank has to balance easy UX in their apps with the money that they lose through fraud if they make their authentication mechanisms too loose.
Nevertheless, when I transfer money in my bank account, then I am used to having to enter my PIN even if I recently already entered it (for example, to open the bank app).
You might also compare with the NL Wallet, which asks the user for their PIN every single disclosure or issuance session, instead of having a PIN that remains "valid" for x minutes.
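To make the trade-off in this comment concrete, here is an added example that is not part of the thread and not the Yivi app's or the keyshare server's own code. It models a PIN-for-JWT exchange with a fixed 5-minute window (the lifetime mentioned above, which is itself only stated as a belief) and, next to it, the "extend while the user is active" policy the issue proposes. The class and function names (`KeyshareServer`, `issue_token`, `extend_token`, `pin_prompts`), the HS256 JWT layout, the PBKDF2 PIN hashing and the 3-attempt lockout are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import os

# Constructed toy model of a PIN-for-token exchange. This is NOT the Yivi
# keyshare server's code; names, the 5-minute TTL, the lockout threshold
# and the JWT layout are assumptions for illustration only.
PIN_TOKEN_TTL = 5 * 60      # assumed token lifetime after a correct PIN (seconds)
PIN_LOCKOUT_ATTEMPTS = 3    # assumed wrong-PIN count before the account locks


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class KeyshareServer:
    """Verifies a user's PIN once and returns a short-lived HS256 JWT that
    the app presents for subsequent sessions instead of the PIN."""

    def __init__(self, signing_key: bytes, ttl: int = PIN_TOKEN_TTL):
        self.signing_key = signing_key
        self.ttl = ttl
        self.users = {}  # user -> [salt, pin_hash, failed_attempts]

    @staticmethod
    def _hash_pin(salt: bytes, pin: str) -> bytes:
        # Slow, salted hash: a leaked database must not let an attacker
        # enumerate the tiny PIN space cheaply.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def register(self, user: str, pin: str) -> None:
        salt = os.urandom(16)
        self.users[user] = [salt, self._hash_pin(salt, pin), 0]

    def _sign(self, payload: dict) -> str:
        header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        body = _b64url(json.dumps(payload).encode())
        sig = hmac.new(self.signing_key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        return f"{header}.{body}.{_b64url(sig)}"

    def issue_token(self, user: str, pin: str, now: int):
        """Exchange a PIN for a JWT; None on a wrong PIN or a locked account."""
        rec = self.users.get(user)
        if rec is None or rec[2] >= PIN_LOCKOUT_ATTEMPTS:
            return None
        if not hmac.compare_digest(self._hash_pin(rec[0], pin), rec[1]):
            rec[2] += 1
            return None
        rec[2] = 0
        return self._sign({"sub": user, "iat": now, "exp": now + self.ttl})

    def verify_token(self, token: str, now: int):
        """Return the payload if signature and expiry check out, else None."""
        try:
            header, body, sig = token.split(".")
        except ValueError:
            return None
        expected = hmac.new(self.signing_key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        payload = json.loads(_b64url_decode(body))
        if now >= payload["exp"]:
            return None  # expired: the app has to ask for the PIN again
        return payload

    def extend_token(self, token: str, now: int):
        """The issue's 'keep going while active' proposal: re-issue a still
        valid token without a PIN. Modelled to show its effect, not as advice."""
        payload = self.verify_token(token, now)
        if payload is None:
            return None
        return self._sign({"sub": payload["sub"], "iat": now, "exp": now + self.ttl})


def pin_prompts(server, user, pin, session_times, sliding):
    """Count how often the user must type the PIN to serve sessions at the
    given times (seconds). sliding=True calls extend_token after each session."""
    prompts, token = 0, None
    for t in session_times:
        if token is None or server.verify_token(token, t) is None:
            token = server.issue_token(user, pin, t)
            prompts += 1
        elif sliding:
            token = server.extend_token(token, t)
    return prompts


if __name__ == "__main__":
    srv = KeyshareServer(os.urandom(32))
    srv.register("alice", "12345")
    hourly = list(range(0, 3600, 240))  # one session every 4 minutes for an hour
    print("fixed 5-minute window:", pin_prompts(srv, "alice", "12345", hourly, False))
    print("sliding window:", pin_prompts(srv, "alice", "12345", hourly, True))
```

With one session every 4 minutes for an hour, the fixed window asks for the PIN 8 times while the sliding window asks once and then never again as long as activity continues, which is exactly the "the PIN stops being a second factor" effect the comment warns about: whoever holds the unlocked device keeps re-extending the token. The sliding policy also buys nothing when sessions are spaced further apart than the TTL (every 6 minutes here), so the UX gain only shows up in precisely the case where the factor is weakest.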