I apologize in advance if this topic does not fit Stackoverflow (I ask moderators to move it where appropriate). Thanks.
I was wondering how apps use Touch ID or Face ID to verify identity without storing the biometric data into their servers.
Authentication without Touch/Face ID (oversimplifying here)
After the user allows the app to use their Touch/Face ID...
Authentication with Touch/Face ID
... what happens here? What is sent to the server to be verified?
I read that Biometric data is stored in a secure chip on the phone and this is not stored on any server.
For iOS, apart from the package for Touch/Face ID, we also need to work with keychain access. Why? What's stored here?
Thank you.
The typical flow is:
First login:
On subsequent logins:
It's very similar to how it would work with a normal password; it's just a secondary line of security.
For example, your device is logged in to your iTunes account, which is connected to your banking account. In order to make an action, the device will ask for authentication in the form of Touch ID/Face ID; once there is a match (using the secure chip), the device will send the request to Apple, which will send it to the bank. Yes, it can be fooled since it's happening client side, but you still need to log into your iTunes account somehow, so it's a secondary line of security.
To make it clear, you don't actually log into the account with Touch ID or Face ID; you log in with a password that your device remembers. In order to get to the passwords it remembers, you need Touch ID or Face ID.
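As an added example (not from the question or either answer), this Swift snippet shows the keychain part the question asks about: the app stores the server-issued token behind a biometric access control, and reading it back is what triggers the Face ID / Touch ID prompt. The service and account names are placeholders.

```swift
import Foundation
import Security
import LocalAuthentication

// Placeholder identifiers for this example only.
private let service = "com.example.app.session"
private let account = "session-token"

enum KeychainError: Error { case status(OSStatus) }

/// First login: the server issued `token` after a normal password login.
/// Store it so that reading it requires the *currently enrolled* biometrics;
/// re-enrolling a finger/face invalidates the item.
func storeSessionToken(_ token: Data) throws {
    var cfError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, // never synced off-device
        .biometryCurrentSet,
        &cfError) else { throw KeychainError.status(errSecParam) }

    let base: [CFString: Any] = [
        kSecClass: kSecClassGenericPassword,
        kSecAttrService: service,
        kSecAttrAccount: account,
    ]
    _ = SecItemDelete(base as CFDictionary) // drop any stale copy; not-found is fine
    var add = base
    add[kSecAttrAccessControl] = access
    add[kSecValueData] = token
    let status = SecItemAdd(add as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.status(status) }
}

/// Subsequent login: the keychain read itself prompts for Face ID / Touch ID.
/// The match happens in the Secure Enclave; the app only ever sees the token,
/// and the token (never biometric data) is what goes to the server.
func loadSessionToken(reason: String) throws -> Data? {
    let context = LAContext()
    context.localizedReason = reason
    let query: [CFString: Any] = [
        kSecClass: kSecClassGenericPassword,
        kSecAttrService: service,
        kSecAttrAccount: account,
        kSecReturnData: true,
        kSecMatchLimit: kSecMatchLimitOne,
        kSecUseAuthenticationContext: context,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    switch status {
    case errSecSuccess: return result as? Data
    case errSecItemNotFound, errSecUserCanceled: return nil // fall back to password login
    default: throw KeychainError.status(status)
    }
}
```

If `loadSessionToken` returns nil (no saved token, biometrics changed, or the prompt was dismissed), the app falls back to the ordinary password login and stores the fresh token again.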