by lkoolma 2581 days ago
I agree that just using a credit card number and the expiry date is definitely bad, but I am not aware of any authentication solution that fully solves this problem (but please enlighten me if there is). We know passwords have many problems. Two factor authentication with SMS has problems with SIM hijacks. Physical tokens (e.g. RSA tokens) have problems when users lose them.

Feel free to enlighten me if someone has a better solution for all of this.

2 comments

Ironically, both iOS and Android have payment solutions built in, and on Apple devices this uses the secure enclave. Fingerprinting a phone is a vastly inferior solution to that.
Which is useful if you happen to live in an Apple Pay / Android Pay supported country with contactless payment widely rolled out.

However, considering contactless was pretty rare even in the US until recently, it's wise to have other solutions - and cover other use cases like online banking, loan applications, etc.

In the real world people seem to hold onto their cards pretty well - why not just use that? The majority of phones nowadays have an NFC chip capable of talking to contactless-enabled cards (most of them), and for those that don't, smartcard readers are pretty cheap (banks give out those calculator-like things for logins, why not add a USB port to them or Bluetooth capability for mobile devices).

2-factor authentication doesn't necessarily imply SMS. TOTP apps like Google Authenticator are reasonably secure.

Finally, auth doesn't have to be 100% bulletproof (in fact, fingerprinting isn't either), it just has to solve the majority of problems. There's always someone that's going to be stupid enough to get compromised despite all the security solutions, but as long as the majority of users are safe then all is good.