Closed ikosta closed 8 years ago
Hi @ikosta thanks for this very useful issue and those links you provided!
So as I understand it you can programmatically check whether or not the list of enrolled fingerprints changed since the last time you authenticated and then the developer can decide if he wants to have the user re-authenticate himself (which seems like a smart thing to do at that point).
I don't want to sit on the developer's chair and just check this every time the user scans his fingerprint as I'd have to invoke the errorhandler and most devs probably assume the user made a mistake.
I'd rather make this more explicit and add a new method to the API where the developer can choose to (and is encouraged to) check whether or not the list of enrolled fingerprints changed since the last time this function was called, and if so the dev should have the user re-authenticate himself before he can use his fingerprint(s) again.
That's likely the best balance between security, devs not breaking app experiences, and me not getting overwhelmed with false bug reports.
So recommended usage of this plugin will then change from this:
    window.plugins.touchid.isAvailable(
      function(available) {
        if (available) {
          // call the fingerprint scanner
        }
      }
    );
To this:
    window.plugins.touchid.isAvailable(
      function(available) {
        if (available) {
          window.plugins.touchid.didFingerprintDatabaseChange(
            function(changed) {
              if (changed) {
                // re-auth the user by asking for his credentials before allowing a fingerprint scan again
              } else {
                // call the fingerprint scanner
              }
            }
          );
        }
      }
    );
Does that make sense? :)
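The check recommended in the comment above, written so that every failure falls back to credentials, as an added example that is not part of this thread or the plugin's code. `decideLoginPath` and `makeStubTouchId` are hypothetical names, the stub is constructed for the demonstration, and the error callback on `isAvailable` and the boolean type of `changed` are assumptions about the plugin.

```javascript
// Added example, not the plugin's code. `touchid` is the object exposing the two
// plugin methods (on a device: window.plugins.touchid); it is passed in so the
// decision can be exercised with a stub. `done` receives 'fingerprint' or 'credentials'.
function decideLoginPath(touchid, done) {
  var settled = false;
  function finish(path) {                 // report exactly once
    if (!settled) { settled = true; done(path); }
  }
  function failClosed(e) {                // plugin threw: demand credentials
    if (settled) { throw e; }             // error came from `done`, not the plugin
    finish('credentials');
  }
  try {
    touchid.isAvailable(
      function (available) {
        if (!available) { return finish('credentials'); }
        try {
          touchid.didFingerprintDatabaseChange(function (changed) {
            // Assumes the plugin reports a boolean. Only an explicit `false`
            // permits a scan; true, undefined or anything else does not.
            finish(changed === false ? 'fingerprint' : 'credentials');
          });
        } catch (e) { failClosed(e); }    // e.g. older plugin without the method
      },
      function () { finish('credentials'); }  // assumed error callback
    );
  } catch (e) { failClosed(e); }
}

// Constructed stand-in for the plugin, for running the logic off-device.
function makeStubTouchId(available, changed) {
  return {
    isAvailable: function (ok) { ok(available); },
    didFingerprintDatabaseChange: function (cb) { cb(changed); }
  };
}

decideLoginPath(makeStubTouchId(true, true), function (path) {
  console.log('enrolled fingerprints changed ->', path);
});
```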
Hi Eddy,
that would be perfect and will be the best solution.
Thanks for all your plugins and the maintenance!
Hey @ikosta thanks for the help on this. Check the readme for details on the new feature and please give it a spin. Use the master branch as it's not released to npm yet.
I'll implement it and give you feedback. Thanks!
Closing for now, please reopen if anything pops up.
It's a new iOS 9 property for the LocalAuthentication.framework.
Actually, when adding a new fingerprint this plugin will just work with the new fingerprint, but what if the device code is hijacked and a new fingerprint is added by the hijacker? He can then just unlock any app that uses this plugin with that new fingerprint.
See this for more details: https://godpraksis.no/2016/03/fingerprint-trojan/
And this for an example implementation: https://github.com/dannycabrera/DotNetMiami/blob/master/ViewController.cs