I believe what OWASP are referencing is the use of TouchID Local Authentication, which isn't very secure on its own, but is unfortunately the most common implementation. Effectively all it does is check if the fingerprint was correct and return a true/false. The secrets (e.g. session IDs) aren't actually protected by the authentication mechanism. This check can be bypassed by a local attacker as they can just modify the app binary to remove the check, and iOS won't enforce any additional verification or require that the phone is actually unlocked.
OWASP generally suggests that you utilise Keychain for storing app secrets, using an access control list (ACL). This ensures that the data cannot be accessed without iOS itself performing a presence check, as per the specification of the data protection class in use (e.g. kSecAttrAccessibleWhenUnlocked means it'll only allow access to the data if the phone is unlocked). This prevents the check from being bypassed as the sensitive data is stored and protected by the OS. You can read more about this in the Encryption and Data Protection section of the iOS Security Guide [PDF].
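The two patterns contrasted above, as an added Swift example that is not part of the original answer. The service and account strings are constructed, and the `.userPresence` flag and the use of `UserDefaults` in the weak variant are assumptions made for illustration.

```swift
import Foundation
import LocalAuthentication
import Security

// Constructed identifiers for this example.
let service = "com.example.app"
let account = "session-token"

// Weak pattern: the biometric result is only a Bool that app code branches on.
// The secret lives outside the check, so removing the branch exposes it.
func readTokenWeak(completion: @escaping (String?) -> Void) {
    LAContext().evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                               localizedReason: "Unlock session") { ok, _ in
        completion(ok ? UserDefaults.standard.string(forKey: account) : nil)
    }
}

// Hardened pattern: the secret is a Keychain item bound to an access control object.
func storeToken(_ token: Data) -> OSStatus {
    guard let acl = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
            kSecAttrAccessibleWhenUnlocked, .userPresence, nil) else {
        return errSecParam
    }
    let base: [String: Any] = [kSecClass as String: kSecClassGenericPassword,
                               kSecAttrService as String: service,
                               kSecAttrAccount as String: account]
    SecItemDelete(base as CFDictionary)   // replace any earlier item
    var add = base
    add[kSecAttrAccessControl as String] = acl
    add[kSecValueData as String] = token
    return SecItemAdd(add as CFDictionary, nil)
}

// iOS performs the presence check itself before releasing the data, so there is
// no app-side Bool to skip. Call off the main thread: this blocks during the prompt.
func readToken() -> Data? {
    let query: [String: Any] = [kSecClass as String: kSecClassGenericPassword,
                                kSecAttrService as String: service,
                                kSecAttrAccount as String: account,
                                kSecReturnData as String: true,
                                kSecMatchLimit as String: kSecMatchLimitOne]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    return status == errSecSuccess ? item as? Data : nil
}
```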