3

If a fingerprint authentication mechanism, such as iOS's Touch ID, informs an app that it has been successful, how does one securely call back to a web server such that a security ticket can be authorised? Surely, something verifiable must be submitted along with the request, otherwise anyone could call the service directly.

Ian Warburton

1 Answer

3

Secure Enclave doesn't really do any call back to web servers since Touch ID's a replacement for local passcode, and not directly tied with any third-party service. I think in order to enable using Touch ID inside an app like PayPal, you need to have already logged into PayPal using your ID and password. Then enabling Touch ID basically ties this token with Touch ID. So it goes Touch ID -> Secure Enclave -> yes PayPal, a positive match -> PayPal goes and now uses stored token or cookie (or whatever the mechanism is) made from the initial login using the password to do PayPal stuff on its own.

  • 2
    Very nice answer. But what if the token has an expiry date? Ideally, the shorter the lifespan of a token, the better. Does that mean services like PayPal are using permanent tokens? – alex351 Jun 04 '19 at 11:51
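The flow the answer describes (password login first, then the biometric check releasing a stored token that the server actually verifies), as an added example that is not part of the original question or answer and is not any real service's code. It simulates both sides in one Python process: `Server` and `Device` are assumed names, the token lifetime is a constructed value, and the biometric result is passed in as a boolean because the OS's yes/no is all the app ever sees. It also covers the expiry case raised in the comment: an expired token is rejected server-side regardless of the biometric result, so the server never trusts anything except a token it issued itself.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

TOKEN_TTL = 3600  # constructed: bearer-token lifetime in seconds


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for a slow password hash; iteration count kept modest for the demo
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def _hash_token(token: str) -> str:
    # Store only a hash of the bearer token so a leaked session table cannot be replayed
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Server:
    """Hypothetical web service: it sees a password once at login and bearer tokens afterwards."""
    users: dict = field(default_factory=dict)     # username -> (salt, password hash)
    sessions: dict = field(default_factory=dict)  # token hash -> (username, expiry time)

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, _hash_password(password, salt))

    def login(self, username: str, password: str, now: int):
        """Password login: the only step that proves identity; returns a fresh token or None."""
        rec = self.users.get(username)
        if rec is None:
            return None
        salt, stored = rec
        if not hmac.compare_digest(stored, _hash_password(password, salt)):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[_hash_token(token)] = (username, now + TOKEN_TTL)
        return token

    def verify(self, token, now: int):
        """Later requests: the server checks the token only; it never learns the biometric result."""
        entry = self.sessions.get(_hash_token(token or ""))
        if entry is None:
            return None  # unknown, forged, or never-issued token
        username, expiry = entry
        if now >= expiry:
            del self.sessions[_hash_token(token)]  # expired: caller must log in with the password again
            return None
        return username


class Device:
    """Stands in for the app plus an OS keychain item that is released only after a biometric match."""

    def __init__(self) -> None:
        self._protected_token = None

    def enable_biometric_login(self, token: str) -> None:
        # Tie the server-issued token to the local biometric; no fingerprint data is involved
        self._protected_token = token

    def unlock(self, biometric_match: bool):
        # The app only receives the OS's yes/no; on yes it gets the stored secret back
        return self._protected_token if biometric_match else None


def demo(now: int = 0) -> dict:
    server = Server()
    server.register("alice", "correct horse")  # constructed credentials
    device = Device()
    token = server.login("alice", "correct horse", now)
    device.enable_biometric_login(token)
    return {
        "wrong_password": server.login("alice", "wrong", now),
        "biometric_match": server.verify(device.unlock(True), now + 10),
        "biometric_miss": server.verify(device.unlock(False), now + 10),
        "forged_token": server.verify("not-a-token-the-server-issued", now + 10),
        "expired": server.verify(device.unlock(True), now + TOKEN_TTL + 1),
    }


if __name__ == "__main__":
    for case, user in demo().items():
        print(f"{case}: {'accepted as ' + user if user else 'rejected'}")
```

The point to take from the simulation is where trust sits: a forged token and a failed biometric both end in the same server-side rejection, and after expiry the only way back in is another password login, which is why a short-lived token does not require the server to know anything about Touch ID.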