
Using Touch ID or Face ID without storing user biometrics

I apologize in advance if this topic does not fit Stack Overflow (I ask moderators to move it where appropriate). Thanks.

I was wondering how apps use Touch ID or Face ID to verify identity without storing the biometric data on their servers.

Authentication without Touch/Face ID (oversimplifying here)

  1. User logs into their banking app.
  2. Username and password sent to server to be verified.
  3. Username and password are checked against information stored in bank server.
  4. On valid username and password combination, a token is issued to be used for the current session.

After user allows the app to use their Touch/Face ID...

Authentication with Touch/Face ID

  1. User logs into their banking app.
  2. They verify with their Touch/Face ID

... what happens here? What is sent to the server to be verified?

I read that biometric data is stored in a secure chip on the phone and this is not stored on any server.

For iOS, apart from the package for Touch/Face ID, we also need to work with keychain access. Why? What's stored here?

Thank you.

publicknowledge asked Dec 13 '18 06:12


2 Answers

The typical flow is:

First login:

  • User authenticates with username/password
  • If authentication is successful they are asked if they want to use TouchID/FaceID
  • If they do, the username and password are stored in the keychain, with a requirement of biometric authentication to access the data

On subsequent logins:

  • App attempts to retrieve stored username/password triggering biometric authentication
  • App uses stored username & password to authenticate to the server.

Paulw11 answered Oct 05 '22 07:10
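
The keychain flow described in the answer above, sketched in Swift as an added example (not code from the original posts). The service identifier and function names are hypothetical. The biometric match happens on the device, and the app only ever receives the stored secret or an error status.

```swift
import Foundation
import Security
import LocalAuthentication

enum KeychainError: Error { case accessControl, status(OSStatus), badData }

// Hypothetical service identifier for this example.
let service = "com.example.bankapp.login"

/// First login: call only after the server has accepted the password.
func storeCredential(username: String, password: String) throws {
    // .biometryCurrentSet ties the item to the currently enrolled fingers/face;
    // enrolling a new one invalidates the item and forces a password login.
    guard let access = SecAccessControlCreateWithFlags(
        nil, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        .biometryCurrentSet, nil) else { throw KeychainError.accessControl }

    let base: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: username
    ]
    SecItemDelete(base as CFDictionary) // replace any earlier item

    var add = base
    add[kSecAttrAccessControl as String] = access
    add[kSecValueData as String] = Data(password.utf8)
    let status = SecItemAdd(add as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.status(status) }
}

/// Subsequent login: reading the item makes the system show the
/// Touch ID / Face ID prompt. No biometric data reaches the app or the server.
func loadCredential(username: String) throws -> String {
    let context = LAContext()
    context.localizedReason = "Log in to your account"
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: username,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
        kSecUseAuthenticationContext as String: context
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess else { throw KeychainError.status(status) }
    guard let data = result as? Data,
          let password = String(data: data, encoding: .utf8) else { throw KeychainError.badData }
    return password // sent to the server exactly as in a normal password login
}
```

Face ID additionally requires an `NSFaceIDUsageDescription` entry in the app's Info.plist.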


It's very similar to how it would work with a normal password; it's just a secondary line of security.

For example, your device is logged in to your iTunes account, which is connected to your banking account. In order to make an action, the device will ask for authentication in the form of Touch ID/Face ID. Once there is a match (using the secure chip), the device will send the request to Apple, which will send it to the bank. Yes, it can be fooled since it's happening client side, but you still need to log into your iTunes account somehow, so it's a secondary line of security.

To make it clear, you don't actually log into the account with Touch ID or Face ID; you log in with a password that your device remembers. In order to get to the passwords it remembers, you need Touch ID or Face ID.

toto answered Oct 05 '22 08:10