aws-amplify / aws-sdk-ios

AWS SDK for iOS. For more information, see our web site:
https://aws-amplify.github.io/docs

Best practice for using device biometric authentication like FaceID and TouchID #2583

Closed deepeshsunku closed 4 years ago

deepeshsunku commented 4 years ago

State your question

Hello, what is the best practice for using cognito authentication with device biometric authentication like FaceID and TouchID?

Want to provide an option to the user to authenticate via FaceID/TouchID for consequent logins after logging in using username/password for the first time.

lawmicha commented 4 years ago

Hi @deepeshsunku I think you will have to first get the user to log in, store the credentials in their keychain, then that will enable the ability to use TouchID/FaceID. Upon authenticating with TouchID/FaceID, you can retrieve the credentials from the keychain and log them back in using the regular AWSMobileClient signIn method.

https://developer.apple.com/documentation/localauthentication

stale[bot] commented 4 years ago

This issue has been automatically closed because of inactivity. Please open a new issue if you are still encountering problems.

AllioNicholas commented 3 years ago

> store the credentials in their keychain

@lawmicha does this mean that credentials are stored in plain text?

lawmicha commented 3 years ago

> > store the credentials in their keychain
>
> @lawmicha does this mean that credentials are stored in plain text?

I don't think so; I haven't tried it myself, but it looks like Apple provides a secure way to do it:

https://developer.apple.com/documentation/security/keychain_services/keychain_items/adding_a_password_to_the_keychain
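The flow lawmicha describes above (sign in once with username/password, keep the credentials in the Keychain, then gate re-login behind Face ID / Touch ID), written out in Swift as an added example. This is not code from the issue thread or from the aws-sdk-ios project. It assumes the AWSMobileClient 2.x signature `signIn(username:password:completionHandler:)`, and the service name `com.example.app.cognito` is a hypothetical placeholder. It also answers the plain-text question: an item added with `kSecAttrAccessControl` is encrypted at rest by the OS and cannot be read by `SecItemCopyMatching` until the biometric prompt succeeds.

```swift
import Foundation
import Security
import LocalAuthentication
import AWSMobileClient

/// Keychain-backed credential store gated by the device's biometrics.
/// The password never sits in plain text: the Keychain encrypts the item, and
/// reading it requires a successful Face ID / Touch ID evaluation.
enum BiometricCredentialStore {
    // Hypothetical service identifier for this example; use your own bundle-specific name.
    private static let service = "com.example.app.cognito"

    enum StoreError: Error {
        case accessControl
        case biometricsUnavailable
        case keychain(OSStatus)
    }

    /// Call after a successful username/password sign-in to enable biometric re-login.
    /// - `.biometryCurrentSet`: the item is invalidated if the enrolled biometrics change
    ///   (for example a new fingerprint is added), so a later enrollment cannot unlock it.
    /// - `kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly`: requires a device passcode and
    ///   prevents the item from migrating via backups or to another device.
    static func save(username: String, password: String) throws {
        var cfError: Unmanaged<CFError>?
        guard let access = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault,
            kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
            .biometryCurrentSet,
            &cfError
        ) else { throw StoreError.accessControl }

        // Replace any previous entry for this service.
        _ = SecItemDelete(baseQuery() as CFDictionary)

        var attrs = baseQuery()
        attrs[kSecAttrAccount as String] = username          // username is not secret; stored as an attribute
        attrs[kSecAttrAccessControl as String] = access
        attrs[kSecValueData as String] = Data(password.utf8) // the protected payload
        let status = SecItemAdd(attrs as CFDictionary, nil)
        guard status == errSecSuccess else { throw StoreError.keychain(status) }
    }

    /// Shows the system biometric prompt and, on success, returns the stored credentials.
    /// Returns nil when biometric login was never enabled or the item was invalidated.
    static func load(reason: String) throws -> (username: String, password: String)? {
        let context = LAContext()
        var laError: NSError?
        guard context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &laError) else {
            throw StoreError.biometricsUnavailable
        }
        context.localizedReason = reason // text shown in the Face ID / Touch ID prompt

        var query = baseQuery()
        query[kSecUseAuthenticationContext as String] = context
        query[kSecReturnAttributes as String] = true
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne

        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)
        switch status {
        case errSecSuccess:
            guard let dict = item as? [String: Any],
                  let username = dict[kSecAttrAccount as String] as? String,
                  let data = dict[kSecValueData as String] as? Data,
                  let password = String(data: data, encoding: .utf8) else { return nil }
            return (username, password)
        case errSecItemNotFound:
            return nil
        default:
            // Includes errSecUserCanceled and errSecAuthFailed from the biometric prompt.
            throw StoreError.keychain(status)
        }
    }

    /// Call on sign-out or after a password change so a stale secret is not kept around.
    static func clear() {
        _ = SecItemDelete(baseQuery() as CFDictionary)
    }

    private static func baseQuery() -> [String: Any] {
        [kSecClass as String: kSecClassGenericPassword,
         kSecAttrService as String: service]
    }
}

/// Biometric re-login: unlock the stored credentials, then use the regular signIn call.
func signInWithBiometrics(completion: @escaping (Result<Void, Error>) -> Void) {
    do {
        guard let creds = try BiometricCredentialStore.load(reason: "Sign in to your account") else {
            completion(.failure(BiometricCredentialStore.StoreError.keychain(errSecItemNotFound)))
            return
        }
        AWSMobileClient.default().signIn(username: creds.username, password: creds.password) { _, error in
            if let error = error {
                // If Cognito rejects the stored password (e.g. it was changed elsewhere),
                // the caller should clear the item and fall back to the password form.
                completion(.failure(error))
            } else {
                completion(.success(()))
            }
        }
    } catch {
        completion(.failure(error))
    }
}
```

Usage: after the first successful `AWSMobileClient.default().signIn(username:password:)`, call `BiometricCredentialStore.save(username:password:)` once the user opts in; later launches call `signInWithBiometrics`. Two caveats worth keeping in mind: the item holds the user's real password, so anyone who passes the biometric check on that device can sign in as them, which is why the item is bound to the current biometric enrollment and to this device only; and because biometrics only unlock a locally stored secret, this approach only works for the username/password flow, not for federated (Google/Apple/Facebook) sign-in where no reusable secret is available to the app.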

pzmudzinski commented 3 years ago

@lawmicha I assume you meant login via email/password, but what about Google/Apple/Facebook sign-in? If the user logs in with email and password we can actually save those in the keychain and use them later for automatic login, but what about social platforms? The SDK does not expose anything which could be used for further re-login.

pzmudzinski commented 2 years ago

I assume the answer is no - it's only viable for email/password login. I implemented it using the LocalAuthentication framework.