Increasing your iOS App Security: Local Authentication
Security Matters
When you think about it, a mobile device holds almost all of its user's important information, from personal photos and text messages to banking details. The stakes are high when it falls into the wrong hands. This is the primary reason mobile phone security keeps evolving: the device contains ever more sensitive and intimate information about its user.
Apple Knows
The Local Authentication framework has been available to developers since iOS 8. The physical counterpart in iOS devices has evolved from Touch ID, introduced in iPhone 6s and iPhone 6s Plus, to Face ID in iPhone X.
Apple has introduced two mechanisms for biometric security, namely Touch ID and Face ID. It is important to understand how these mechanisms work to provide security.
Touch ID
Since iPhone 6s, Apple has offered Touch ID as an additional layer of protection for the user's privacy on the device. Touch ID builds on the uniqueness of the human fingerprint as a means of authenticating each individual.
Touch ID uses a sensor with advanced capacitive touch to capture a high-resolution image from small sections of your fingerprint. It can identify multiple fingerprints and can read them in any orientation (360 degrees).
Touch ID does not replace your passcode or your password; rather, it encrypts your password and decrypts it when the app is trying to authenticate the user.
Face ID
To increase security further, Apple's next move was Face ID. It is claimed that the chance of a random person unlocking your phone is approximately 1 in 50,000 with Touch ID, compared with 1 in 1,000,000 with Face ID. This statistical probability does not hold for twins and siblings who look similar. If this is a concern, Apple suggests you use a passcode to authenticate.
The magic of Face ID relies on depth information that is not present in a print or a 2D digital photograph. Apple must have thought about this type of attack carefully in order to counter spoofing by masks or other malicious techniques. Face ID uses neural networks for anti-spoofing and even detects whether the user's eyes are directed at the camera, which makes it very difficult for someone to unlock the device without the owner's consent.
Local authentication groups Touch ID and Face ID under one general category: an additional layer of security based on the physical biometrics of the device's owner.
But when is the best time to use local authentication in your app? It should not be used for every single action performed in the app. Authentication takes time, and its placement must be self-explanatory to the user, or it will tend to annoy them. Here are some of the most acceptable placements of local authentication:
- Access to app for mobile banking
- Authenticate for in-app purchases
- Or access to sensitive data in general
Implementation
Let us get into the cool stuff also known as the code. Here is a basic implementation of both Touch ID and Face ID.
First things first
import LocalAuthentication
If you are testing Face ID, you also need to set the NSFaceIDUsageDescription string in Info.plist.
Actual code (finally!)
func authenticate() {
    // 1 Initialisation of the context
    let localAuthenticationContext = LAContext()
    let myLocalizedReasonString = "Biometric Authentication"
    var authError: NSError?
    // 2 Checks if the OS version supports local authentication
    if #available(iOS 8.0, macOS 10.12.1, *) {
        // 3 Check that the biometric policy can be evaluated, then evaluate it
        if localAuthenticationContext.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &authError) {
            localAuthenticationContext.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, localizedReason: myLocalizedReasonString) { success, evaluateError in
                // 4 The user responded to the authentication
                // (this closure runs on a private queue, not the main thread)
                if success {
                    print("Authentication successful")
                } else {
                    print("Authentication failed: \(evaluateError?.localizedDescription ?? "unknown error")")
                }
            }
        } else {
            // 5 The policy cannot be evaluated (for example, no biometrics enrolled)
            print("Could not evaluate policy: \(authError?.localizedDescription ?? "unknown error")")
        }
    } else {
        // 6 Feature is not supported
        print("This feature is not supported.")
    }
}
Do not worry if you do not have a device with either Touch ID or Face ID. You can run it in the simulator.
For Touch ID
Hardware > Face ID > (Enrolled, Matching Face, Non-Matching Face)
For Face ID
Hardware > Face ID > (Enrolled, Matching Face, Non-Matching Face)
In summary, Touch ID and Face ID both provide an additional layer of security as physical biometric sensors. Moreover, a single code implementation works for both.