You are right. Well, nearly. Some sensitive information is definitely saved on the client side. But it's not the full information, meaning that stealing it does not allow the hacker to spend it (unlike a private key).
[..]
Our solution makes the attacker's mission much harder: instead of needing 1 piece of secret information, they now need to get 2 pieces of secret information stored in different places. Of course, once they get 1 piece, then they need the other piece.
If an attacker gains full access to the mobile, he can spend the funds (just like with private keys stored on a mobile wallet).
Biometric data (e.g. a fingerprint) is stored on the mobile. Together with the shared secret, that's all one needs to initiate a transaction using your server.
So... in the end it again comes down to only the security of the mobile.
It's encrypted by the client and stored encrypted on the server. The server cannot access it.
But it IS stored online. And that's a huge problem already.
This is the same as claiming multisig is irrelevant because when you steal one key, then it's not multisig and you need just one extra key.
With multisig (and someone I know holding the second key of a 2-of-2 multisig), an attacker cannot simply steal my mobile with one of the keys and initiate a transaction by claiming he is the real person.
Your server (i.e. with fingerprint) does exactly this... I steal a mobile, initiate a transaction using the shared secret and the fingerprint data on the mobile... and your server happily signs it.