iOS & Android Biometrics Login

2020, Jun 30    

This article summarizes the biometric login flow on Android and iOS, covering both Face ID and fingerprint login. The API documentation can be found under iOS LocalAuthentication and Android BiometricManager, and both platforms also provide well-documented tutorials.

Login Flow

For both iOS and Android, the user's fingerprint and face templates are stored only in the device's local secure hardware and are never uploaded or exported to Apple's, Google's or any other party's services. Hence every time the user logs in on a new device, the app needs to enable biometric login on that specific device by passing a biometric verification there. The verification UI is also provided by the system, so the Face ID and fingerprint prompts look the same across all apps.

The biometric login flow can be summarized as the flow diagram below:

[Figure: biometric login flow diagram]

Core APIs

Take the iOS system API as an example.

Check Availability

/**
 error code definitions: https://developer.apple.com/documentation/localauthentication/laerror/code
 */
import LocalAuthentication

let context = LAContext()
var error: NSError?
if context.canEvaluatePolicy(.deviceOwnerAuthentication, error: &error) {
    // Synchronously reports that the device supports owner authentication
    // and the user has enrolled biometrics (this policy also accepts the device passcode).
} else {
    // `error` now carries an LAError code (e.g. biometryNotEnrolled, passcodeNotSet)
    // explaining why biometric login cannot be offered on this device.
}

Verification

// `context` is the LAContext created for the availability check above.
let reason = "Log in to your account"
context.evaluatePolicy(.deviceOwnerAuthentication, localizedReason: reason) { success, error in

    if success {

        // Move to the main thread because a state update triggers UI changes.
        DispatchQueue.main.async { [unowned self] in
            self.state = .loggedin
        }

    } else {
        // `error` is an LAError (e.g. userCancel, userFallback, authenticationFailed).
        print(error?.localizedDescription ?? "Failed to authenticate")

        // Fall back to asking for username and password.
        // ...
    }
}

Potential Challenges

  • Since the native biometric components never hand out any user-identifying data, the backend database cannot track or record the user's biometric data. Biometric login therefore has to be enabled (and disabled) separately on each new device the user logs in on.
  • Once a device has passed biometric verification, the server needs a dedicated way to create a session. The information used to create that session must identify the specific device on which the user previously logged in and enabled biometrics, so that a malicious user cannot create a session from another device.

A possible session creation flow can involve a TOTP generated from an OTP seed that is bound to the device and user:
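As an added example (not code from the original article), here is a minimal model of that device-bound session creation in Python: the server issues one RFC 6238 TOTP seed per (user, device) pair when biometric login is enabled after a regular login, the app releases the seed only after the OS biometric prompt succeeds, and the server creates a session only for a code produced from the seed bound to that exact device and time step. The `device_id` value, the enable/disable calls and the in-memory stores are assumptions of this example; on a real device the seed would sit in the Keychain/Keystore behind the biometric check shown above.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, Optional, Tuple

TOTP_STEP = 30       # RFC 6238 time step, seconds
TOTP_DIGITS = 6
VERIFY_WINDOW = 1    # accept +/- one step of clock drift between phone and server


def totp(seed: bytes, at: int, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP: the RFC 4226 HOTP construction (HMAC-SHA1) over a time counter."""
    counter = struct.pack(">Q", at // step)
    digest = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class BiometricSessionServer:
    """Backend (assumed design): one OTP seed per (user, device) pair."""

    def __init__(self) -> None:
        self._seeds: Dict[Tuple[str, str], bytes] = {}
        self._last_counter: Dict[Tuple[str, str], int] = {}   # replay protection
        self.sessions: Dict[str, Tuple[str, str]] = {}

    def enable_biometric_login(self, user_id: str, device_id: str) -> bytes:
        """Called after a regular password login on a new device. The returned seed is
        handed to the app to store in the Keychain/Keystore; the server keeps its copy."""
        seed = secrets.token_bytes(20)
        self._seeds[(user_id, device_id)] = seed
        self._last_counter[(user_id, device_id)] = -1
        return seed

    def disable_biometric_login(self, user_id: str, device_id: str) -> None:
        self._seeds.pop((user_id, device_id), None)
        self._last_counter.pop((user_id, device_id), None)

    def create_session(self, user_id: str, device_id: str, code: str,
                       now: Optional[int] = None) -> Optional[str]:
        """Returns a session token only if `code` came from the seed bound to this exact
        (user, device) pair and its time step has not been consumed before."""
        key = (user_id, device_id)
        seed = self._seeds.get(key)
        if seed is None:
            return None            # device was never enabled (or has been disabled)
        now = int(time.time()) if now is None else now
        for drift in range(-VERIFY_WINDOW, VERIFY_WINDOW + 1):
            at = now + drift * TOTP_STEP
            if hmac.compare_digest(totp(seed, at), code):
                if at // TOTP_STEP <= self._last_counter[key]:
                    return None    # same time step already used: replay
                self._last_counter[key] = at // TOTP_STEP
                token = secrets.token_urlsafe(32)
                self.sessions[token] = key
                return token
        return None


class BiometricClient:
    """Stand-in for the mobile app. The seed is released only after the OS biometric prompt
    (LAContext.evaluatePolicy / BiometricPrompt) succeeds, modelled here by `biometric_ok`."""

    def __init__(self, device_id: str, seed: bytes) -> None:
        self.device_id = device_id
        self._seed = seed              # would live in Keychain/Keystore, biometric-protected

    def login(self, server: BiometricSessionServer, user_id: str,
              biometric_ok: bool, now: int) -> Optional[str]:
        if not biometric_ok:
            return None                # app falls back to username/password instead
        return server.create_session(user_id, self.device_id, totp(self._seed, now), now)


def demo() -> Dict[str, bool]:
    """Constructed scenario; every entry is True when the server behaved as intended."""
    server = BiometricSessionServer()
    now = 1_700_000_000                          # fixed clock so the run is deterministic
    seed = server.enable_biometric_login("alice", "phone-A")
    phone_a = BiometricClient("phone-A", seed)
    phone_b = BiometricClient("phone-B", seed)   # same seed presented from a device never enabled
    results = {
        "enabled_device_ok": phone_a.login(server, "alice", True, now) is not None,
        "replayed_code_rejected": phone_a.login(server, "alice", True, now) is None,
        "other_device_rejected": phone_b.login(server, "alice", True, now) is None,
        "next_step_ok": phone_a.login(server, "alice", True, now + 60) is not None,
        "biometric_failure_no_session": phone_a.login(server, "alice", False, now + 90) is None,
    }
    server.disable_biometric_login("alice", "phone-A")
    results["disabled_device_rejected"] = phone_a.login(server, "alice", True, now + 120) is None
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAILED'}")
```

The binding the second challenge asks for comes from keying the seed store on the (user, device) pair: a code is only meaningful for the device whose seed produced it, and disabling biometric login on a device simply deletes that pair. The `_last_counter` check closes the obvious gap in a plain TOTP design, where a code captured in transit could be re-sent within the same 30-second step.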
