
I'm working on an iOS app whose login system does not seem entirely secure but I don't know enough to be sure.

Skipping account creation, the first time the user logs in they send their user and hashed pass to the server to acquire a token with which they can make the rest of the API calls.

This seems fine but the user is given the option to activate biometric authentication in the app's settings and this is where I'm not certain about the implementation being secure.

To activate this feature, the user proves the ownership of their phone using Face ID or Touch ID. If this is done successfully, the app makes an API call sending the following information to the server which activates biometric authentication for this user's account:

  • the username (redundant)
  • the session token
  • the device's internal id number
  • the device's notification (APNS) id

From that point on, in order to acquire a token (login) the app makes a different API call (not the normal user/pass call) where only the user and the 2 previously mentioned ids are sent (obviously this is done only after the user successfully uses the phone's biometric authentication).

Is this secure? It doesn't seem inconceivable that someone could figure out the username, and those 2 device identifiers to gain access. If it isn't secure, what would the right approach be? How do bank apps do it for example?

I couldn't find an answer to these questions by googling etc.

nscan
  • *"...they send their user and hashed pass to the server..."*. Clients don't normally send hashed passwords as the hash effectively becomes the password. Nothing wrong with this assuming the server hashes the hash. Just an observation. – user10216038 Oct 24 '20 at 16:23
  • While I recognize the popularity and convenience of using BIOmetrics, realistically something that can be forcibly taken from you, perhaps even surreptitiously, should not be considered high security by itself. Security is relative, consider the intended use. – user10216038 Oct 24 '20 at 16:32

1 Answer


You are still using a session token, which, if implemented correctly, is already secure.

All the Face/Touch ID is doing is adding a second factor on the client-side, which prevents you from using the session token until the authentication is completed.

rebane2001
  • I'm not sure I understand, the problem is in acquiring the token. In order for an attacker to acquire a valid token for a user, they just need to get their username and the two device identifiers which (if I'm not mistaken) any other app on the phone can access. – nscan Jan 27 '20 at 12:01
  • The token should be retrieved with the ordinary username/password first-time login and stored on the device. Only subsequent app use, where the token is already on your device, should allow Touch/Face ID for authentication. You'll notice that all popular apps that allow biometric authentication still ask for a username/password the first time you log in. – rebane2001 Jan 27 '20 at 12:07
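An added example, not code from the question or the answer, of the approach rebane2001 describes: the token is obtained once by the ordinary username/password login, stored in the iOS Keychain behind Face ID / Touch ID, and only read back after biometric authentication, so the server never has to mint a token from username plus device identifiers. The `TokenStore` type, `KeychainError` and the service name are assumptions of this example.

```swift
import Foundation
import LocalAuthentication
import Security

enum KeychainError: Error { case status(OSStatus) }

/// Hypothetical helper (example code, not from the question or answer).
enum TokenStore {
    private static let service = "com.example.app.session"   // placeholder name
    private static let account = "sessionToken"
    private static var baseQuery: [String: Any] {
        [kSecClass as String: kSecClassGenericPassword,
         kSecAttrService as String: service,
         kSecAttrAccount as String: account]
    }

    /// Called once, after the ordinary username/password login succeeded.
    /// .biometryCurrentSet: released only after Face ID / Touch ID, and unreadable
    /// if the enrolled biometrics change. ...ThisDeviceOnly: never backed up or synced.
    static func save(token: String) throws {
        var cfError: Unmanaged<CFError>?
        guard let access = SecAccessControlCreateWithFlags(
                kCFAllocatorDefault,
                kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
                .biometryCurrentSet, &cfError) else {
            throw cfError!.takeRetainedValue() as Error
        }
        SecItemDelete(baseQuery as CFDictionary)          // replace any older token
        var query = baseQuery
        query[kSecAttrAccessControl as String] = access
        query[kSecValueData as String] = Data(token.utf8)
        let status = SecItemAdd(query as CFDictionary, nil)
        guard status == errSecSuccess else { throw KeychainError.status(status) }
    }

    /// Every later launch: iOS shows the biometric prompt before returning the data.
    /// Nothing device-specific goes to the server; it only ever sees the original token.
    static func load(reason: String) throws -> String {
        let context = LAContext()
        context.localizedReason = reason
        var query = baseQuery
        query[kSecReturnData as String] = true
        query[kSecUseAuthenticationContext as String] = context
        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)
        guard status == errSecSuccess, let data = item as? Data,
              let token = String(data: data, encoding: .utf8)
        else { throw KeychainError.status(status) }
        return token
    }
}
```

Call `TokenStore.save(token:)` right after the password login returns a token, and `TokenStore.load(reason:)` on later launches; the login-by-device-ids endpoint from the question is then not needed at all.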