Most apps that use authentication need a way to persist user sessions or store sensitive values such as encryption keys, while also enabling automatic login with biometrics.

There is one very common way developers first try to implement this: show the fingerprint or Face ID prompt and, once the user passes it, load the token or value from local storage or a SQLite database and use it.

Unfortunately, this is the approach that many apps and almost all of the community Cordova/Capacitor plugins take, and it’s not fully secure.

Let’s dig into some common mistakes implementing biometric auth and storing sensitive values, and then learn how proper biometric authentication and secure, encrypted value storage should be implemented.

Mistake #1: Just showing a biometric prompt

The APIs for using biometric hardware on iOS and Android are easy to use at the surface level. Because of this, many developers simply show the biometric dialog (such as a fingerprint or face scan), wait for the success value, and then use that as proof of user presence.

The problem with this is that the biometric check can be bypassed, especially on a jailbroken device. That means a successful result doesn’t tell you that the real user is actually there. If bypassed, your app may happily load and use sensitive data meant for a different user.

A proper biometric auth flow protects sensitive data with the actual result of the biometric scan, so that a faked success value alone cannot unlock it.

Common Biometric Authentication Security Mistakes