Just thinking out loud …
I chanced upon this occurrence a few weeks ago. This may be a silly question but I haven’t found any answer to it (or maybe the crowd I mix with find it an impossibility).
Most of us have our mobile apps on the phone. We unlock our phone, we open the app, we type our credentials, we check our balance - we transfer or buy … blah blah blah …
What if our phone is lost, or even stolen in a crowded place where a nearby bystander has happened to see our zig-zag phone unlock pattern while we were too busy!
Now he steals your phone and unlocks it. He opens a banking app, he sees the username saved (for frequent use) but the password field is blank! He immediately clicks on “forgot password” → a temporary password is sent to him immediately on the same phone via SMS (with all the caution in the world stating “please don’t share”).
Now he has a temporary password … he can log in and do whatever he wants - even change the password to one he wants!! In case the owner hasn’t realized that his phone has been stolen yet, lots of things can be done by then.
This is quite a plausible scenario. How does a neo-bank build additional guard-rails for these types of situations?
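One guard-rail for exactly the reset flow described above, written as an added example (not code from the original post or from any bank): the reset service refuses to deliver an SMS OTP to the very device that is asking for the reset, falls back to a factor on another device or a manual identity check, notifies the owner on every registered channel, and holds high-value transfers for a cooldown after any reset. The names (`Account`, `ResetRequest`, `evaluate_reset`, `transfer_allowed`), the 24-hour window and the 500 threshold are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed model of a neo-bank "forgot password" guard-rail (assumed design, not a real API).
COOLDOWN = timedelta(hours=24)   # assumed post-reset hold on high-value transfers
HIGH_VALUE = 500.0               # assumed threshold in account currency
T0 = datetime(2024, 1, 1, 12, 0) # constructed reference time for the sample scenario


@dataclass
class Account:
    user_id: str
    sms_device_id: str               # the phone holding the SIM that receives OTP SMS
    has_second_device_factor: bool   # e.g. an authenticator enrolled on a different device
    last_reset_at: Optional[datetime] = None


@dataclass
class ResetRequest:
    user_id: str
    device_id: str                   # fingerprint of the device tapping "forgot password"
    requested_at: datetime


def evaluate_reset(account: Account, req: ResetRequest) -> dict:
    """Decide how a reset may proceed. Core rule: never deliver the OTP to the
    same device that asked for the reset, since whoever holds the unlocked phone
    would read it. The owner is notified on every registered channel either way."""
    same_device = req.device_id == account.sms_device_id
    if not same_device:
        return {"deliver_sms_otp": True, "require": "sms_otp", "notify_owner": True}
    if account.has_second_device_factor:
        return {"deliver_sms_otp": False, "require": "second_device_factor", "notify_owner": True}
    # Nothing out-of-band is enrolled: fall back to a manual identity check.
    return {"deliver_sms_otp": False, "require": "manual_identity_check", "notify_owner": True}


def complete_reset(account: Account, at: datetime) -> None:
    """Record when the password was last reset; this starts the cooldown."""
    account.last_reset_at = at


def transfer_allowed(account: Account, amount: float, now: datetime) -> bool:
    """Small transfers continue as normal; high-value ones wait out COOLDOWN after a
    reset so the owner has time to see the notifications and freeze the account."""
    if account.last_reset_at is None or amount < HIGH_VALUE:
        return True
    return now - account.last_reset_at >= COOLDOWN
```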