Biometric authenticator
The Biometric authenticator allows users to perform biometric authentication by the use of TouchID or FaceID. The TouchID and FaceID functionalities are entirely handled by Apple's internal APIs and dedicated hardware - the TouchID and FaceID scanners and Secure Enclave are encapsulated within the A7 chip which assures that the mathematical representation of a scanned biometrics are not intercepted, eavesdropped or tampered with. The biggest gain of enabling Biometric Authentication is the improved end-user experience. Users are now enabled to access their sensitive data or authenticate transactions using TouchID fingerprint validation or FaceID face validation. The advantages are that they don't need to remember anything and it's faster.
- Availability
- Requirements
- Limitation
- Biometric authenticator registration
- Authenticate using biometric
- Biometric authenticator deregistration
- Jailbreak detection
Availability
A User can enable biometric authentication only if all the following requirements are met:
- The device has hardware support for TouchID or FaceID
- The device is not Jailbroken
- The user has already registered at least one fingerprint or his face
- The application configuration on the Token Server allows the use of fingerprint authentication
Requirements
In case of using Face ID you need to meet following requirements:
- Add
NSFaceIDUsageDescription
key into your applicationInfo.plist
and as a value describe usage description
Limitation
When authentication with fingerprint fails, due to exceeded attempts, the fingerprint refresh token is not removed from the keychain. This is caused by the bug in the Security.framework which returns the same error in case the fingerprint authentication was cancelled by locking the device and when user exceeded the fingerprint attempts. If fingerprint had been deregistered when user exceeded fingerprint attampts it would have also been deregistered when user locks the device during fingerprint authentication. Fingerprint refresh token stays in the keychain until the user deregisters it manually and can be accessed only if the correct fingerprintis is provided. The number of attempts can be reset by providing the correct device passcode.
Biometric authenticator registration
Registering the biometric authenticator requires the user to perform PIN authentication. In order to successfully perform authentication
implementing the userClient:didReceivePinChallenge:forUser:
method of the ONGAuthenticatorRegistrationDelegate
protocol is required on the delegate.
Implementing authenticator registration is described in the Authenticator topic guide.
Authenticate using biometric
Whenever biometric authenticator is available and set as preferred the user will be prompted to authenticate with biometric authenticator instead of
PIN. SDK will call userClient:didReceiveBiometricChallenge:
method on your ONGAuthenticationDelegate
. You will be able to choose how to respond to the challenge.
- (void)userClient:(ONGUserClient *)userClient didReceiveBiometricChallenge:(ONGBiometricChallenge *)challenge
{
// Continue authentication using fingerprint with custom prompt
[challenge.sender respondWithPrompt:@"Confirm money transfer" challenge:challenge];
// Fallback to pin if needed
[challenge.sender respondWithPinFallbackForChallenge:challenge];
// Or cancel challenge
[challenge.sender cancelChallenge:challenge];
}
Because biometric scanning is not perfect (e.g. the user may have wet or dirty hands also the temperature may affect the scan result) the user can always choose to fallback to PIN authentication by pressing the "Cancel" button:
In case the user fails to scan a valid biomeric within the allowed number of times, the SDK will automatically perform a fallback to PIN authentication.
When this happens the SDK triggers a call to ONGAuthenticationDelegate#didReceivePinChallenge:challenge
.
Biometric authenticator deregistration
Implementing authenticator deregistration is described in the Authenticator topic guide. Biometric authenticator will also be deregistered when user changes the registered set of fingerprints for Touch ID or registered face for Face ID.
Jailbreak detection
The Jailbreak detection check is applied even if Jailbreak detection is disabled for the application. The reason is that Jailbroken devices are more vulnerable, as the application sandbox as well as KeyChain can be violated. The situation is even more serious for clients who are not using tampering protection and/or are running on older versions of iOS.