Why shouldn’t you use simplePrompt to log in a user?

[lustig-bakkt]

This below advice is in the README, but I don’t understand why, after validating a user’s biometrics, it isn’t okay to let them into the application.

NOTE: This only validates a user’s biometrics. This should not be used to log a user in** or authenticate with a server, instead use createSignature. It should only be used to gate certain user actions within an app.

re: https://github.com/SelfLender/react-native-biometrics#simplepromptoptions

[ronkot]

@lustig-bakkt This excellent article describes that in detail: https://blog.nviso.eu/2021/04/06/a-closer-look-at-the-security-of-react-native-biometric-libraries/

In short, using just simplePrompt would be implementing "event-based authentication". Depending on your applications security needs it may not be enough. Below a copy-paste from the beforementioned article:

Biometric authentication

Biometric authentication allows the user to authenticate to an application using their biometric data (fingerprint or face recognition). In general, biometric authentication can be implemented in two different ways:

• Event-based: the biometric API simply returns the result of the authentication attempt to the application (“Success” or “Failure”). This method is considered insecure;
• Result-based: upon a successful authentication, the biometric API retrieves some cryptographic object (such as a decryption key) and returns it to the application. Upon failure, no cryptographic object is returned. Event-based authentication is insecure as it only consists of boolean value (or similar) being returned. It can therefore be bypassed using code instrumentation (e.g. Frida) by modifying the return value or by manually triggering the success flow. If an implementation is event-based, it also means that sensitive information is stored somewhere in an insecure fashion: After the application has received “success” from the biometric API, it will still need to authenticate the user to the back-end using some kind of credentials, which will be retrieved from local storage. This will be done without the need of a decryption key (otherwise the implementation wouldn’t be event-based) which means the credentials are stored somewhere on local storage without proper encryption.

A well-implemented result-based biometric authentication, on the other hand, will not be bypassable with tools such as Frida. To implement a secure result-based biometric authentication, the application must use hardware-backed biometric APIs.