0

I couldn't find a standard that mentions an expiration date for TouchID or fingerprint login.

Suppose I have an application and allow users to log in using their fingerprint. I would like to know how long I should allow my users to log in with a fingerprint before I require them to enter the password again. For example, allow the user to log in using a fingerprint for 3 months, and every 3 months the user needs to re-enter the password.

Is there a standard that specifies the time length? Or can it last forever?

jlevis
Kong

3 Answers

1

Why not treat it the same way as a password? It is just another factor of authentication.

NIST 800-63B recommends re-authentication after 30 minutes of inactivity or 12 hours of active use: https://pages.nist.gov/800-63-3/sp800-63b.html

Joe M
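Added example, not part of the original answer: a server-side check that treats a fingerprint login like any other authentication and applies the two limits quoted in the answer above (30 minutes of inactivity, 12 hours of use). The `Session` record, the function names and the reason strings are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Limits quoted in the answer above; treat them as policy inputs.
INACTIVITY_LIMIT = timedelta(minutes=30)
SESSION_LIMIT = timedelta(hours=12)


@dataclass
class Session:  # hypothetical server-side session record
    authenticated_at: datetime  # last fingerprint or password login (UTC)
    last_activity_at: datetime  # last request seen on this session (UTC)


def check_session(session: Session, now: datetime) -> str:
    """Return "ok" or the reason the user must authenticate again."""
    stamps = (session.authenticated_at, session.last_activity_at, now)
    if any(ts.tzinfo is None for ts in stamps):
        raise ValueError("timestamps must be timezone-aware")
    # A timestamp from the future means clock trouble or a tampered
    # record: fail closed rather than extend the session.
    if session.authenticated_at > now or session.last_activity_at > now:
        return "clock_skew"
    # The overall limit is measured from the login itself, so steady
    # activity can never keep a session alive past it.
    if now - session.authenticated_at >= SESSION_LIMIT:
        return "session_limit"
    if now - session.last_activity_at >= INACTIVITY_LIMIT:
        return "inactivity"
    return "ok"


def record_activity(session: Session, now: datetime) -> str:
    """Check first, then slide the inactivity window only if still valid."""
    result = check_session(session, now)
    if result == "ok":
        session.last_activity_at = now
    return result


def reauthenticated(session: Session, now: datetime) -> None:
    """Call after a successful fingerprint or password check."""
    session.authenticated_at = now
    session.last_activity_at = now
```

Because `record_activity` checks before it updates, a request that arrives after the inactivity window has closed cannot revive the session.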
1

In mobile banking apps for Android, use the OS settings for fingerprint login. As mentioned in the answer above (by @Jesse P.), where to use a passcode and where to use a fingerprint is fully clear.

Now, as you asked about expiration of the fingerprint: it should not expire until its settings are changed or the app where you are using the fingerprint is reset.

Mike Ounsworth
0

Excerpt from Apple's iOS Security document

You can read the full security document here

Jesse P.
  • I already read this, but I still have a doubt: when you log in to a mobile banking service, you can log in with a fingerprint and there is no expiration date here. – Kong Aug 31 '18 at 03:01
  • 1
    Mobile banking apps (or any app) that use TouchID are using your device's settings and restrictions. They don't have their own TouchID on top of your device's. The same restrictions in the doc apply everywhere. – Jesse P. Aug 31 '18 at 03:07