7

I apologize in advance if this topic does not fit Stack Overflow (I ask moderators to move it where appropriate). Thanks.

I was wondering how apps use Touch ID or Face ID to verify identity without storing the biometric data into their servers.

Authentication without Touch/Face ID (oversimplifying here)

  1. User logs into their banking app.
  2. Username and password sent to server to be verified.
  3. Username and password are checked against information stored in the bank's server.
  4. On valid username and password combination, a token is issued to be used for the current session.

After user allows the app to use their Touch/Face ID...

Authentication with Touch/Face ID

  1. User logs into their banking app.
  2. They verify with their Touch/Face ID.

... what happens here? What is sent to the server to be verified?

I read that biometric data is stored in a secure chip on the phone and is not stored on any server.

For iOS, apart from the package for Touch/Face ID, we also need to work with keychain access. Why? What's stored here?

Thank you.

publicknowledge

2 Answers

7

The typical flow is:

First login:

  • User authenticates with username/password
  • If authentication is successful they are asked if they want to use TouchID/FaceID
  • If they do, the username and password are stored in the keychain, with a requirement of biometric authentication to access the data

On subsequent logins:

  • App attempts to retrieve the stored username/password, triggering biometric authentication
  • App uses the stored username & password to authenticate to the server.

Paulw11
  • This reflects our actual experience after doing multiple tests and implementing it in production. cheers! – publicknowledge Jan 02 '19 at 08:41
  • What if the primary login method is phone/otp instead of email/password? Where otp expires within few hours. – BillNathan Feb 25 '21 at 12:34
  • 1
    Then you could store the resulting token in the keychain with a biometric requirement, however this is only practical if the token has a long validity. If you can't save a persistent session token then you will need the user to authenticate each time and biometric authentication is not a valid use case. – Paulw11 Feb 25 '21 at 12:48
  • Is it actually safe to store username and password? how do you store the password? @Paulw11 – lordvidex Sep 04 '22 at 20:31
  • 1
    That is for you to decide. You would store the password in the device keychain. This is encrypted. You can also store a long lived session token rather than the actual username/password if your system uses one. – Paulw11 Sep 04 '22 at 20:39
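The flow in this answer (store the credential or a long-lived token in the keychain behind a biometric access-control policy, then let a read trigger Face ID / Touch ID) looks roughly like the following on iOS. This is an added example written for this page, not code from the answer's author; the `service` and `account` strings are placeholders, and the token bytes are constructed. It uses `kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly` so the item is never synced to iCloud Keychain or restored to another device, and `.biometryCurrentSet` so the item stops being readable if the enrolled biometrics change.

```swift
import Foundation
import Security
import LocalAuthentication

// Added illustration of the "credential in the keychain, gated by biometrics" flow.
// Nothing biometric ever leaves the device: the server only ever sees the stored
// token (or password), exactly as it would in the non-biometric login.

enum BiometricStoreError: Error {
    case accessControl(CFError?)   // SecAccessControl could not be built
    case status(OSStatus)          // any other Security framework failure
    case userCancelled             // user dismissed the Face ID / Touch ID prompt
}

struct BiometricTokenStore {
    // Placeholder identifiers; use your own app's service/account names.
    let service = "com.example.placeholder.session"
    let account = "session-token"

    /// Store an opaque server-issued token (or the password) behind biometrics.
    func save(token: Data) throws {
        var cfError: Unmanaged<CFError>?
        // ThisDeviceOnly: not backed up, not synced via iCloud Keychain.
        // biometryCurrentSet: invalidated if a finger/face is added or removed,
        // so a later enrolment by someone else cannot unlock the old credential.
        guard let access = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault,
            kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
            .biometryCurrentSet,
            &cfError
        ) else {
            throw BiometricStoreError.accessControl(cfError?.takeRetainedValue())
        }

        // Replace any existing item; otherwise SecItemAdd returns errSecDuplicateItem.
        try delete()

        let attrs: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
            kSecAttrAccessControl as String: access,
            kSecValueData as String: token,
        ]
        let status = SecItemAdd(attrs as CFDictionary, nil)
        guard status == errSecSuccess else { throw BiometricStoreError.status(status) }
    }

    /// Read the token back. This call is what shows the system biometric prompt.
    func load(reason: String) throws -> Data {
        let context = LAContext()
        context.localizedReason = reason   // text shown in the Face ID / Touch ID sheet

        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
            kSecReturnData as String: true,
            kSecMatchLimit as String: kSecMatchLimitOne,
            kSecUseAuthenticationContext as String: context,
        ]
        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)
        switch status {
        case errSecSuccess:
            guard let data = item as? Data else { throw BiometricStoreError.status(status) }
            return data
        case errSecUserCanceled:
            throw BiometricStoreError.userCancelled
        default:
            // Includes the case where the biometric set changed and the item is no
            // longer readable: the caller should fall back to username/password login
            // and offer to re-enable biometrics afterwards.
            throw BiometricStoreError.status(status)
        }
    }

    /// Remove the stored token, e.g. on logout or when the user disables biometrics.
    func delete() throws {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
        ]
        let status = SecItemDelete(query as CFDictionary)
        guard status == errSecSuccess || status == errSecItemNotFound else {
            throw BiometricStoreError.status(status)
        }
    }
}

// Usage sketch: after a successful password login, keep the server's token.
// let store = BiometricTokenStore()
// try store.save(token: Data("constructed-opaque-session-token".utf8))
// Later: the read triggers the biometric prompt, then the token goes to the server.
// let token = try store.load(reason: "Log in to your account")
```

Whether the stored secret is the password itself or a server-issued token is the trade-off the comments above discuss: a token can be revoked server-side and expires on its own, which is why it is the better choice when the backend supports long-lived sessions.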
1

It's very similar to how it would work with a normal password; it's just a secondary line of security.

For example, your device is logged in to your iTunes account, which is connected to your banking account. In order to perform an action, the device will ask for authentication in the form of Touch ID/Face ID; once there is a match (using the secure chip), the device will send the request to Apple, which will send it to the bank. Yes, it can be fooled since it's happening client side, but you still need to log into your iTunes account somehow, so it's a secondary line of security.

To make it clear, you don't actually log into the account with Touch ID or Face ID; you log in with a password that your device remembers. In order to get to the passwords it remembers, you need Touch ID or Face ID.

toto
  • It is nothing to do with your iTunes account, and the request isn't sent to Apple. You can choose to use iCloud Keychain, which synchronises certain keychain entries across your devices, but this is not compulsory, and in many cases, such as a banking app, they would explicitly exclude those keychain entries from iCloud Keychain. – Paulw11 Dec 13 '18 at 07:07
  • I'm talking about a case where your payment method (credit card) is connected to your iTunes account, since in the question he gave an example of a bank, but it's certainly not bound to your iTunes account only. Just an example – toto Dec 13 '18 at 07:11