With the recent announcement of Touch ID APIs for third party apps, I am wondering how can we leverage this feature to perform secure transaction ? I am looking for a method to use Touch ID in my payment application. One option is to store the password in the keychain and add access policies to invoke Touch ID during payment but the problem is if the device password is compromised, user can roll back to device password to access password stored in keychain. Does anyone know a better mechanism to manage password & make the transaction smoother & secure using Touch ID ?
4 Answers
Authentication keychain access using biometric scan defaults to device pass code as a back up when authentication fails. But one can use LAContext API to directly invoke the biometrics authentication and make actions based on the result.
LAContext *myContext = [[LAContext alloc] init];
NSError *authError = nil;
NSString *myLocalizedReasonString = <#String explaining why app needs authentication#>;
if ([myContext canEvaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics error:&authError]) {
[myContext evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics
localizedReason:myLocalizedReasonString
reply:^(BOOL success, NSError *error) {
if (success) {
// User authenticated successfully, take appropriate action
} else {
// User did not authenticate successfully, look at error and take appropriate action
}
}];
} else {
// Could not evaluate policy; look at authError and present an appropriate message to user
}
- 11
- 2
Do not use Touch ID for anything beyond the Apple lockscreen. In other words, do not use it in apps, or store/read any detail related to Touch ID in the iOS Keychain.
Reason #1: http://whaley.org.uk/andrew/blog/2015/03/08/rbs-natwest-touch-id-security
Touch ID can be subverted completely by simply attaching a hooker (such as cycript) and telling the LocalAuthentication API that the fingerprint is valid. There are even Cydia apps such as SuccessID to oversimplify the task of bypassing Touch ID.
Some may say that this requires a Jailbroken device, but that's not true -- one can also repackage an app to a jailed device. Bishop Fox demonstrates that process here -- http://www.bishopfox.com/blog/2015/05/rethinking-repackaging-ios-apps-part-2/
"Apple devices have a casual enrolment process -- if you know a device's passcode, you can enroll one or more fingerprints. There is no binding between the human presenting a finger and the digital identity the device represents. This might be okay when authorising the unlocking of a phone, but it becomes problematic when it might authorise payments or other highly sensitive actions."
Reason #3: Just the stupid factor. If you go to a bar with a friend who loves to razz you up, what's to stop him or her from tricking you into swiping (or if you pass out from drinking too much!)? After you've found out that you've been compromised -- you can change your PIN or passcode, but you can't change your fingerprint.
- 18,885
- 6
- 58
- 107
One possibility here would be to not have the user actually generate a password, you could have the app generate a random string when the local biometric auth succeeds on account creation. This randomly generated string could be used as a password to generate the shared secret between the client and the server. Store this shared secret in the keychain.
When you need to perform a transaction, the user could validate with their thumb or whatever biometric feature is used in the future to access the secret within the keychain. This could then be used to enable the transaction.
- 101
-
Thanks Roderic. However, this doesn't solve the problem. Lets say my password is password123 and the shared secret that I am going to store in the keychain is MY_SECRET_123. When user is prompted with TouchID, if the device password is compromised, anyone can roll back to device password and get my shared secret from keychain. Since PayPal & other payment gateways are claiming TouchID support once iOS 8 is officially released for public, I am wondering what approach they have taken to make it secure. – Bharath Aug 18 '14 at 05:40
-
I wasn't aware that the API fell back to the device password. Is that definitely the situation using LocalAuth? – Roderic Campbell Aug 18 '14 at 17:52
-
LocalAuth APIs are some what better. They will give you delegate callbacks when user taps on Enter Password option. You can either prompt a password screen or restrict him. I wish Apple had provided something similar for keychain with access policies – Bharath Aug 19 '14 at 05:50
Touch ID is easily broken if someone can lift your fingerprint (which is easier than most people think). Thus, you shouldn't rely on Touch ID for security.
- 389
- 1
- 5
-
The same can be said for passwords right? I suppose the password can change though. Perhaps there is a biometric implementation that can't be forged the way your link describes. – Roderic Campbell Aug 18 '14 at 17:53
-
1The question was specific to Touch ID and it can be easily broken as demonstrated by the linked article. Comparing biometric authentication with passwords is comparing apples with oranges: biometric is something you have (and can be taken by law enforcement as demonstrated recently in the USA) and passwords is something you know (and you can claim to have forgotten). – fel1x Nov 06 '14 at 19:04