iOS/Android finger print - authentication server side

Question

I'm trying to wrap my head around how to implement iOS/Android finger print to authenticate a user.

From what I understand, triggering the finger print dialog is just an additional security?

So a typical on boarding process would be something like this:

User downloads the app.
User registers/signs in, and get a token back from the server.
On certain actions where we need additional security, trigger finger print dialog.
If fingerprint is OK - do actual REST call with token from step 2.

Am I missing something?

yes.. you are almost correct. Because the fingerprint feature by either devices doesn't let us see or read the "fingerprint" rather just compares the given "fingerprint" with the stored "fingerprint" and returns result with matched or not. — Sandeep R, Jul 06 '17 at 11:49
Thanks for answering, @sandeep. Does this mean that there' no token or something similar returned from the finger print verification that needs to be sent to the server? — fortysixandtwo, Jul 06 '17 at 12:07
No It doesn't provide any token, If it did, it would defeat the purpose of a fingerprint security. As you said in your post. Its just an additional security. but you can use that additional security in your app, as this user explained in his answer. https://stackoverflow.com/a/37115194/2026280 — Sandeep R, Jul 06 '17 at 12:13

score 3 · Accepted Answer · answered Jul 06 '17 at 12:19

3

Please read one of these blogs (there's many others):

Process have to be:

User must have already register fingerprint and choose unlock device with fingerprint in Android Settings app.
User downloads the app.
User registers/signs in with fingerprint check
App generate a local token and store in secure (secure element) keystore on device
this local app token is sent to server
On certain actions where we need additional security, trigger finger print dialog.
If fingerprint is OK, app ahs access to secure key store to get token. App can use this token to do REST call from step 4.

answered Jul 06 '17 at 12:19

LaurentY

How will server authenticate this token? If we cannot do any authentication then how can we do server side authentication? – Fenil Apr 16 '18 at 06:56
How do we generate local token from fingerprint's crypto object? – user2425109 Nov 14 '18 at 13:38
What if I downloads the app and register from phone-A now i tried to sign-in from phone-B, The token will be the same...? – Yogesh Patel Jan 24 '20 at 15:14

1 Answers1