Implementing Secure Authentication with Biometrics in Ionic Application

Hello Ionic community!

I’d like to share the authentication approach I’ve implemented in my Ionic application, using the stack Angular/ExpressJS/MongoDB, and seek your valuable feedback, insights, and suggestions. My goal is to ensure that the authentication process is not only robust and secure but also aligns with best practices recommended by the community.

Overview of Authentication Approach:
In my Ionic application, I’ve implemented an authentication process that combines username/password authentication with biometric authentication (fingerprint recognition). Here’s a brief overview of the key components of the authentication approach:

  1. Traditional Authentication:
  • username and password are sent to the server-side (ExpressJS server).

  • On successful authentication (after a successful search for the user's existence and comparing the given password hash with the stored one) I generate an access token, a refresh token and a biometric token with the JWT package using the RS256 algorithm, with a validity of 1 hour for the access token and 2 hours for the refresh token. After that, the tokens are sent to the client.

  • All the tokens are generated using the jsonwebtoken package

  • When tokens are received by the frontend I store them locally. For this purpose, I do use the plugin capacitor-secure-storage that encrypts the keys using AES in GCM mode with a secret key generated by the Android KeyStore, then stored in SharedPreferences, which is specific to the app. If the app is deleted, its data is deleted as well.

  • After this I grant access to the user account, and on every request to the server I use the stored access and refresh tokens to get access to resources on the server.

  2. Biometric Authentication:
  • As I have mentioned earlier biometric token is generated on the server-side and transmitted to the client-side along with the access and refresh token (for the Biometric token: encryption Alg is RS256 with a 30 days validity).

  • For biometric authentication I do use the cordova fingerprint AIO plugin.

  • Upon successful biometric authentication, I do send the locally stored biometric token on the device to the server side for validation. Once the token has been validated by the server side, I do send an access and refresh token to the client side.

I believe that implementing a robust and secure authentication process is crucial for the overall security and integrity of my Ionic application. I look forward to hearing your thoughts, feedback, and suggestions on the approach I’ve described.

Thank you for your time and contributions!

What happens when the refresh token expires? How do you update it?