
Biometrics and Token Storage

One of the most significant yet underappreciated advancements in mobile technology is biometric authentication and the corresponding specialized device hardware for storing sensitive data directly on a device.

Historically, storing secrets or sensitive data on the client was a no-go. But on mobile, there is often no other option! Users need to be able to quickly pick an app back up where it left off, log in while offline, and have a seamless experience regardless of whether the operating system suspended or closed the app. These demands pushed mobile vendors like Apple and Google to develop powerful new device features that enable storing highly sensitive tokens (auth tokens, encryption keys, etc.) and combine them with groundbreaking new authentication hardware like Face ID and Touch ID.

With great power comes great responsibility, and unfortunately biometric authentication along with secure token storage is not easy to get right. Read our post on Common Biometric Authentication Security Mistakes to learn more about the pitfalls in implementing biometric authentication and token storage.

How it works

Biometric authentication works in tandem with your existing authentication flow, such as one built with Auth Connect, and handles the challenging problem of storing a user's authentication token (such as a JWT) securely on the device so that it is accessible only to the actual user associated with that session.

It sounds simpler than it is. A properly implemented biometric authentication flow uses the low-level security APIs and hardware available on modern mobile devices to store a token in specialized device hardware and associate it with a biometric identity. It supports the wide range of available biometric hardware and APIs, such as fingerprint scanners, face scanners, and more. It also handles any changes to user enrollment in device-level biometric settings and monitors for biometrics being disabled device-wide. In these cases the flow protects against a malicious user disabling or changing biometric settings in order to access data in an app meant for a different user.

In our opinion

Biometric authentication is something that the Ionic team does almost better than anyone, and is one area where I have no other alternative to suggest except to strongly recommend using our Identity Vault solution. There are a lot of open source libraries and plugins for biometric authentication in the community, and many ways to drop down to native code to add these features, but I would caution teams against using them if security and maintenance are priorities. These APIs are incredibly difficult to use and maintain, and supporting the incredibly fragmented device market for different biometric hardware is nothing short of a nightmare. But we do it at Ionic and we do it very well.

The vast majority of community plugins simply call into the Biometric APIs on iOS or Android to prompt the user for a scan, instead of using the low-level security APIs that have biometrics support (Keychain, for example). It's simply not sufficient to prompt the user for a face or finger scan and then use the successful scan result to load auth tokens (such as JWTs) or other sensitive values (like encryption keys) from a typical storage engine (SQLite/IndexedDB/etc.).

Ionic's Identity Vault product implements these auth flows in the correct, most secure way. Rather than using the simple Biometric APIs, Identity Vault uses the low-level security APIs such as Keychain on iOS and KeyStore on Android, which themselves provide hooks into biometric auth flows. The difference is that Keychain uses highly specialized secure hardware for storing sensitive values directly on the device, and supports tying these values to the actual user whose biometric identity has been fingerprinted and stored. This means it is not possible for any user other than the actual user whose biometric identity was synced to access those values.

Additionally, Identity Vault handles all the messy logic around detecting when a user has unenrolled their biometric identity from the device, or when the device's security or biometric hardware settings have been changed. This protects against situations where a malicious actor disables biometrics or adds their own identity and uses that to access the sensitive data stored in your app.
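The difference between the two approaches described above, sketched for iOS in Swift. This is an added example, not Identity Vault's code or anything from Ionic; the service and account names and the function names are hypothetical, and it assumes a device with a passcode and enrolled biometrics.

```swift
import Foundation
import LocalAuthentication
import Security

// Hypothetical identifiers for this example.
let service = "com.example.app.session"
let account = "auth-token"

// WEAK: the scan is only a UI gate. The token lives in ordinary app
// storage, so the boolean result is all that stands in front of it.
func loadTokenWeak(completion: @escaping (String?) -> Void) {
    LAContext().evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                               localizedReason: "Unlock your session") { ok, _ in
        completion(ok ? UserDefaults.standard.string(forKey: account) : nil)
    }
}

// HARDENED: the Keychain item itself carries the access policy.
// .biometryCurrentSet ties it to the biometrics enrolled at store time.
func storeToken(_ token: String) -> OSStatus {
    guard let access = SecAccessControlCreateWithFlags(
        nil, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        .biometryCurrentSet, nil) else { return errSecParam }
    let base: [String: Any] = [kSecClass as String: kSecClassGenericPassword,
                               kSecAttrService as String: service,
                               kSecAttrAccount as String: account]
    SecItemDelete(base as CFDictionary)   // replace any earlier item
    var attrs = base
    attrs[kSecAttrAccessControl as String] = access
    attrs[kSecValueData as String] = Data(token.utf8)
    return SecItemAdd(attrs as CFDictionary, nil)
}

// The system prompts for biometrics during the read. Call off the main thread.
func loadToken() -> (token: String?, status: OSStatus) {
    let context = LAContext()
    context.localizedReason = "Unlock your session"
    let query: [String: Any] = [kSecClass as String: kSecClassGenericPassword,
                                kSecAttrService as String: service,
                                kSecAttrAccount as String: account,
                                kSecReturnData as String: true,
                                kSecUseAuthenticationContext as String: context]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess, let data = result as? Data else {
        return (nil, status)   // cancelled, scan failed, or item invalidated
    }
    return (String(data: data, encoding: .utf8), status)
}
```

A non-success status from `loadToken()` after the user's enrolled biometrics change is the signal to discard the stored session and require a full login.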

Finally, biometric hardware has gone through several generations by this point, and device vendors have built and implemented their own proprietary versions. This means supporting all the available hardware on the market, especially on Android, is a major challenge. And it's a moving target that has to be constantly updated. We do all this for you in Identity Vault so you don't have to think about it.

Devices are stolen, lost, or jailbroken all the time. Unfortunately, unless sensitive data such as user authentication tokens or encryption keys has been stored in the correct way, the security of those values could just be an illusion. There are many ways to implement biometric authentication and secure token storage, but essentially one single way to do it correctly. Take it from me, I built the first version of Identity Vault! Given the complexities involved, it's no wonder that Identity Vault is our most complex product from an implementation standpoint, but also one of our most popular and beloved from a customer standpoint.

Max Lynch, Co-founder & CEO, Ionic

Resources