by abritishguy 3780 days ago
[I work at Mondo]

> at the expense of customer experience and true security

I always call this "lazy security"[1] and it's what you get when you hire some security professionals to "make it secure". It's a mistake to separate security from product design; the two should inform each other to come up with a compelling product that remains secure. Separating them misaligns interests: the security team will push for a change that improves security irrespective of any impact it may have on user experience.

I think Touch ID is a great example of how a novel solution can improve both security and usability.

At Mondo we are committed to investing time and energy into finding these solutions; security at the expense of user experience is a last resort.

[1]https://medium.com/@danielchatfield/lazy-security-32acc31fbd...


I have to comment on Touch ID: biometrics are in no way an authoritative option, for the simple fact that they cannot be replaced. You can identify the user with it, sure. But you should never use them to authorize anything, because if stolen or compromised, the user cannot change it. While you might say the scanner + data storage is secure, this is just temporal and can change over time. As revocation of the biometrics is identical to revoking the user, this is to be avoided for authorizing transactions.

You can, however, identify the user with something like biometrics, and afterwards request an authorization of the transaction with something else (possession of a key (good), + PIN (better), or, easiest, a simple 'yes' (less than good)).
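The split the reply describes, identification by biometric and authorization by a separate, revocable factor, as an added toy model in Python (not code from the thread; the in-memory user store, the HMAC device key and the PIN check are assumptions made for the illustration):

```python
# Added illustration, not from the thread: a biometric match only *identifies*
# the user; each transaction is *authorized* with a separate, revocable factor
# (a device-held key, plus a PIN). Toy model: the "template" is a string and
# the device key is a shared HMAC secret held by client and server.
import hashlib
import hmac
import secrets

USERS = {}  # user_id -> {"bio": sha256(template), "keys": {key_id: secret}, "pin": sha256(pin)}


def _h(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


def enroll(user_id: str, template: str, pin: str) -> None:
    USERS[user_id] = {"bio": _h(template), "keys": {}, "pin": _h(pin)}


def issue_device_key(user_id: str) -> tuple:
    """Provision a fresh possession factor; it can be revoked without touching the user."""
    key_id, secret = secrets.token_hex(4), secrets.token_bytes(32)
    USERS[user_id]["keys"][key_id] = secret
    return key_id, secret


def revoke_device_key(user_id: str, key_id: str) -> None:
    """Revoking the key leaves the biometric enrolment (the user) intact."""
    USERS[user_id]["keys"].pop(key_id, None)


def identify(template: str):
    """Biometric step: answers *who* this is and nothing more."""
    digest = _h(template)
    for uid, rec in USERS.items():
        if hmac.compare_digest(rec["bio"], digest):
            return uid
    return None


def sign_transaction(secret: bytes, txn: str) -> str:
    """Client side: prove possession of the device key over this exact transaction."""
    return hmac.new(secret, txn.encode(), hashlib.sha256).hexdigest()


def authorize(user_id: str, key_id: str, txn: str, tag: str, pin: str) -> bool:
    """Server side: accept only an unrevoked key AND the correct PIN for this txn."""
    rec = USERS.get(user_id)
    if rec is None or key_id not in rec["keys"]:
        return False  # revoked or unknown key: the user still exists, just re-issue a key
    expected = sign_transaction(rec["keys"][key_id], txn)
    return hmac.compare_digest(expected, tag) and hmac.compare_digest(rec["pin"], _h(pin))
```

After `revoke_device_key`, `identify` still finds the user while `authorize` fails until a new key is issued, which is the separation the reply argues for.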