Method to integrate Touch ID in iOS apps

Question

With the recent announcement of Touch ID APIs for third party apps, I am wondering how can we leverage this feature to perform secure transaction ? I am looking for a method to use Touch ID in my payment application. One option is to store the password in the keychain and add access policies to invoke Touch ID during payment but the problem is if the device password is compromised, user can roll back to device password to access password stored in keychain. Does anyone know a better mechanism to manage password & make the transaction smoother & secure using Touch ID ?

Answer 1

Authentication keychain access using biometric scan defaults to device pass code as a back up when authentication fails. But one can use LAContext API to directly invoke the biometrics authentication and make actions based on the result.

LAContext *myContext = [[LAContext alloc] init];
NSError *authError = nil;
NSString *myLocalizedReasonString = <#String explaining why app needs authentication#>;

if ([myContext canEvaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics error:&authError]) {
    [myContext evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics
                  localizedReason:myLocalizedReasonString
                            reply:^(BOOL success, NSError *error) {
            if (success) {
                // User authenticated successfully, take appropriate action
            } else {
                // User did not authenticate successfully, look at error and take appropriate action
            }
        }];
} else {
    // Could not evaluate policy; look at authError and present an appropriate message to user
}

Answer 2

Do not use Touch ID for anything beyond the Apple lockscreen. In other words, do not use it in apps, or store/read any detail related to Touch ID in the iOS Keychain.

Reason #1: http://whaley.org.uk/andrew/blog/2015/03/08/rbs-natwest-touch-id-security

Touch ID can be subverted completely by simply attaching a hooker (such as cycript) and telling the LocalAuthentication API that the fingerprint is valid. There are even Cydia apps such as SuccessID to oversimplify the task of bypassing Touch ID.

Some may say that this requires a Jailbroken device, but that's not true -- one can also repackage an app to a jailed device. Bishop Fox demonstrates that process here -- http://www.bishopfox.com/blog/2015/05/rethinking-repackaging-ios-apps-part-2/

Reason #2: http://www.techrepublic.com/article/apple-touch-id-design-constraint-raises-authentication-red-flags/

"Apple devices have a casual enrolment process -- if you know a device's passcode, you can enroll one or more fingerprints. There is no binding between the human presenting a finger and the digital identity the device represents. This might be okay when authorising the unlocking of a phone, but it becomes problematic when it might authorise payments or other highly sensitive actions."

Reason #3: Just the stupid factor. If you go to a bar with a friend who loves to razz you up, what's to stop him or her from tricking you into swiping (or if you pass out from drinking too much!)? After you've found out that you've been compromised -- you can change your PIN or passcode, but you can't change your fingerprint.

Answer 3

One possibility here would be to not have the user actually generate a password, you could have the app generate a random string when the local biometric auth succeeds on account creation. This randomly generated string could be used as a password to generate the shared secret between the client and the server. Store this shared secret in the keychain.

When you need to perform a transaction, the user could validate with their thumb or whatever biometric feature is used in the future to access the secret within the keychain. This could then be used to enable the transaction.

Answer 4

Touch ID is easily broken if someone can lift your fingerprint (which is easier than most people think). Thus, you shouldn't rely on Touch ID for security.