Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Using Touch ID or Face ID without storing user biometrics

Tags:

I apologize in advance if this topic does not fit Stackoverflow (I ask moderators to move it where appropriate). Thanks.

I was wondering how apps use Touch ID or Face ID to verify identity without storing the biometric data into their servers.

Authentication without Touch/Face ID (oversimplifying here)

  1. User logs into their banking app.
  2. Username and password sent to server to be verified.
  3. Username and password is checked against information stored in bank server.
  4. On valid username and password combination, a token is issued to be used for the current session.

After user allows the app to use their Touch/Face ID...

Authentication with Touch/Face ID

  1. User logs into their banking app.
  2. They verify with their Touch/Face ID

... what happens here? What is sent to the server to be verified?

I read that Biometric data is stored in a secure chip on the phone and this is not stored on any server.

For iOS, apart from the package for Touch/Face ID, we also need to work with keychain access. Why? What's stored here?

Thank you.

like image 290
publicknowledge Avatar asked Dec 13 '18 06:12

publicknowledge

2 Answers

The typical flow is:

First login:

  • User authenticates with username/password
  • If authentication is successful they are asked if they want to use TouchID/FaceID
  • If they do, the username and password are stored in the keychain, with a requirement of biometric authentication to access the data

On subsequent logins:

  • App attempts to retrieve stored username/password triggering biometric authentication
  • App uses stored username & password to authenticate to the server.
like image 146
Paulw11 Avatar answered Oct 05 '22 07:10

Paulw11

Its very similar to how it would work with normal password its just a secondary line of security.

For example your device is logged in to your Itunes account which is connected to your banking account . In order to make an action the device will ask for authentication at the form of Touch Id/Face Id once there is a match(using the secure chip) the device will send the request to the apple which will send it to the bank. Yes it can be fooled since it's happening client side but you still need to log into your Itunes account somehow so it's a secondary line of security.

To make it clear you don't actually log into the account with Touch ID or Face ID you log with a password that your device remembers. in order to get to passwords it remembers you need Touch ID or Face ID.

like image 38
toto Avatar answered Oct 05 '22 08:10

toto
Sign in to Comment

Related questions

Is there a simpler way to bind the entire match when using multiple matches?
Merge two dataframes with different indices while preserving the main dataframe's index using a one-line code
RecyclerView item focus on Android TV
GitLab - reference file line/lines range with snippet in issue
IdentityServer4: get access token from Azure AD
Can I make Global Query Filters in Entity Framework 6? by OnModelCreating?
computing gradients for every individual sample in a batch in PyTorch
Many pytest fixtures vs. one large "container" fixture
Can't add android library to JCenter
flutter local notification: what's the channel id?
What is the difference between "(.....);" and "{......}" in react?
Group flat array to multidimensional array by key, If we don't know how many levels are there. PHP

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!