August 11, 2020

Common Biometric Authentication Security Mistakes

Max Lynch


Most apps utilizing authentication need to provide the user with ways to persist user sessions, or store sensitive values such as encryption keys, all while enabling automatic login using biometrics.

There is one very common way that developers first try to implement this: show the fingerprint or Face ID prompt, and once the user passes it, load the token or value from local storage or a SQLite database and use it.

Unfortunately, this is the approach that many apps and almost all of the community Cordova/Capacitor plugins take, and it’s not fully secure.

Let’s dig into some common mistakes implementing biometric auth and storing sensitive values, and then learn how proper biometric authentication and secure, encrypted value storage should be implemented.

Mistake #1: Just showing a biometric prompt

The APIs for using biometric hardware on iOS and Android are easy to use at the surface level. Because of this, many developers simply show the biometric dialog (such as a fingerprint or face scan), wait for the success value, and then use that as proof of user presence.

The problem with this is that biometric hardware can be bypassed, especially on a jailbroken device. That means a successful result doesn’t tell you that the real user is actually there. If bypassed, your app may happily load and use sensitive data meant for a different user.

A proper biometric auth flow will protect sensitive data with the actual result of a biometric scan, making it impossible to fake it.

Mistake #2: Not storing tokens and sensitive values encrypted at rest

Many teams store JWT tokens or other sensitive values in unencrypted storage locations, such as Local Storage, an unencrypted SQLite database, or other locations.

Unfortunately, this data can be accessible on jailbroken devices and through other possible exploits, meaning an attacker could find those sensitive values and steal user sessions, encryption keys, or more.

Any sensitive user data or session information needs to be stored using strong encryption.

Mistake #3: Not using Biometric APIs for Keychain/etc.

Teams using Keychain on iOS or Keystore on Android are a few steps ahead, but many are making another big mistake: not using the biometric configuration options for Keychain value storage, or not handling biometric enrollment or revocation, so that data protected for one user does not become exposed to another user.

This leaves data exposed to exploits and jailbroken devices where the sensitive keychain data could be accessed without a biometric prompt being passed.
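The contrast between Mistake #1 and the Keychain biometric options, as an added iOS example in Swift (not code from the original post or from Identity Vault; the `service` and `account` values and the function names are hypothetical):

```swift
import Foundation
import LocalAuthentication
import Security

// Hypothetical identifiers, used only for this example.
let service = "com.example.app.session"
let account = "refresh-token"

// Mistake #1: the prompt yields only a Bool; nothing ties it to the stored secret.
func promptOnly(_ done: @escaping (Bool) -> Void) {
    LAContext().evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                               localizedReason: "Unlock session") { ok, _ in done(ok) }
}

// Hardened: the Keychain item itself requires a biometric match to be read.
func storeToken(_ token: Data) -> OSStatus {
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, // needs a passcode; stays on this device
        .biometryCurrentSet,                             // unreadable once enrollment changes
        nil) else { return errSecParam }
    let base: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account
    ]
    SecItemDelete(base as CFDictionary) // replace any earlier copy
    var item = base
    item[kSecAttrAccessControl as String] = access
    item[kSecValueData as String] = token
    return SecItemAdd(item as CFDictionary, nil)
}

func loadToken() -> Data? {
    let context = LAContext()
    context.localizedReason = "Unlock session"
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
        kSecUseAuthenticationContext as String: context
    ]
    var result: CFTypeRef?
    // Any failure, including an item invalidated by an enrollment change,
    // means the user must sign in again with full credentials.
    guard SecItemCopyMatching(query as CFDictionary, &result) == errSecSuccess else { return nil }
    return result as? Data
}
```

`SecItemCopyMatching` blocks while the system prompt is shown, so call `loadToken()` off the main thread.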

Solution: Use Ionic Identity Vault

The low-level security APIs on iOS and Android are complex, but generally, the ability to associate actual biometric data with sensitive values in order to encrypt them in secure locations on the device is the gold standard for mobile security.

That means full usage of the Keychain/KeyStore APIs on iOS/Android, processing biometric enrollment/unenrollment events, using encryption features for databases like SQLite, and making sure sensitive values are combined with biometric data to make them impossible to access without the actual user being present.

Thankfully, teams don’t need to write the complex native code to implement this themselves, as there is a solution to this problem for teams requiring the highest level of security for their apps: Ionic Identity Vault. Identity Vault is a drop-in identity and value storage solution providing advanced biometric APIs for iOS and Android, including deep integration with security APIs and encryption routines.

Identity Vault manages the complexity of biometric authentication, user finger/face enrollment, device-level encryption at rest, and protecting sensitive data on screen.

Additionally, Identity Vault was designed to work with other Ionic enterprise native solutions, including Auth Connect and our encrypted SQLite solution for secure online and offline apps. When used with these solutions, Identity Vault will correctly and securely manage authentication tokens and encryption keys, respectively.

Get Started With Identity Vault Today

Identity Vault is in use at hundreds of enterprise companies and fast-growing startups.

We would love to help your team create the most secure mobile app possible with Identity Vault. Interested? Get a demo!
