Using Touch ID for User authentication


#1

I have an Ionic 2 app that connects to an API that has a user database. Is there a way to add fingerprint data to my database to enable a user to sign in with their fingerprint rather than a username and password?

All fingerprint solutions I’ve seen seem to rely on the device owner, not a database of users.


#2

Yes. This is pretty easy to do. The fingerprint validation is done by iOS or Android. You don’t get the fingerprint data. All you get back from the Ionic plugin is whether the user successfully validated his fingerprints or not.

  1. After user logs in you should check if his device has fingerprint sensor available. If yes, then prompt him to validate his fingerprints.
  2. After the user authenticates his fingerprint, you can simply store the deviceUUID in your server database. Then you store a preference in local storage that the user has enabled TouchID, and also save his username (not password).
  3. Next time when the user opens the app, you check if the user has enabled touchID and prompt him to validate his fingerprints.
  4. The ionic plugin will return you true if his fingerprints are validated. Then you simply call an API on the server passing his deviceUUID and username to the LoginAPI. The loginAPI will check its database and see if the user’s deviceUUID + username record exists and will log the user in.
  5. You could even add an expiration date to the server record (in case you want the user to re-validate his fingerprints after 10 days, for example).
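The enrollment and login flow described in the steps above, written out as an added example that is not code from the thread or from any Ionic plugin. The plugin's only output is a yes/no from the OS, so it is modelled here as a boolean argument; the server side is a plain in-memory map keyed by the (username, deviceUUID) pair, with the expiry from step 5. All names (`TouchIdServer`, `clientLogin`, `EnrollmentRecord`, the ten-day TTL) are assumptions made for this example.

```typescript
// Added example, not from the original thread. Models the flow from post #2:
// the OS validates the device owner's fingerprint locally; the server never
// sees biometric data, only a (username, deviceUUID) enrollment record.

interface EnrollmentRecord {
  username: string;
  deviceUUID: string;
  enrolledAt: number; // epoch milliseconds
  expiresAt: number;  // epoch milliseconds; step 5's re-validation deadline
}

// Assumed default: re-validate with the password after 10 days (post #2's example value).
const TEN_DAYS_MS = 10 * 24 * 60 * 60 * 1000;

type LoginResult = { ok: boolean; reason: string };

// Hypothetical server side of the "LoginAPI" described in steps 2, 4 and 5.
class TouchIdServer {
  private records = new Map<string, EnrollmentRecord>();

  private key(username: string, deviceUUID: string): string {
    // NUL separator so "a" + "bc" cannot collide with "ab" + "c".
    return `${username}\u0000${deviceUUID}`;
  }

  // Step 2: called only after a successful username/password login AND a
  // successful fingerprint prompt; binds this username to this device.
  enroll(username: string, deviceUUID: string, now: number, ttlMs: number = TEN_DAYS_MS): EnrollmentRecord {
    const rec: EnrollmentRecord = { username, deviceUUID, enrolledAt: now, expiresAt: now + ttlMs };
    this.records.set(this.key(username, deviceUUID), rec);
    return rec;
  }

  // Step 4: look up the (username, deviceUUID) record; step 5: honour expiry.
  fingerprintLogin(username: string, deviceUUID: string, now: number): LoginResult {
    const k = this.key(username, deviceUUID);
    const rec = this.records.get(k);
    if (!rec) {
      return { ok: false, reason: "no enrollment for this user on this device" };
    }
    if (now >= rec.expiresAt) {
      this.records.delete(k); // expired records are dropped, forcing a password login
      return { ok: false, reason: "enrollment expired; re-validate with password" };
    }
    return { ok: true, reason: "ok" };
  }

  // Lets the user (or an admin) un-enroll a device, e.g. after a lost phone.
  revoke(username: string, deviceUUID: string): boolean {
    return this.records.delete(this.key(username, deviceUUID));
  }
}

// What the app keeps in local storage per step 2: a flag and the username, never the password.
interface LocalPrefs {
  touchIdEnabled: boolean;
  username?: string;
}

// Client side of steps 3 and 4. `fingerprintAccepted` stands in for the plugin's
// boolean result; the app falls back to the password form on any failure.
function clientLogin(
  prefs: LocalPrefs,
  deviceUUID: string,
  fingerprintAccepted: boolean,
  server: TouchIdServer,
  now: number,
): LoginResult {
  if (!prefs.touchIdEnabled || !prefs.username) {
    return { ok: false, reason: "TouchID not enabled on this device; use password" };
  }
  if (!fingerprintAccepted) {
    return { ok: false, reason: "fingerprint rejected by the OS; use password" };
  }
  return server.fingerprintLogin(prefs.username, deviceUUID, now);
}
```

Two points follow from the shape of the code. First, the server record identifies a (username, device) pair, not a person: the OS prompt only confirms that whoever the device recognises as its owner is present, so on a shared device (the situation raised later in the thread) anyone enrolled on the device can log in as whichever username the app has stored locally. Second, the deviceUUID is reported by the client, so the stored pair behaves like a bearer credential; that is why the expiry from step 5 and a revoke path matter, and why the record should only ever be created after a real password login.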

#3

So I think the thing I don’t understand is how they are “validating” the fingerprint. What are they validating it against if the user has never used his fingerprint to login? Unless by “valid”, you really mean that there is a fingerprint present and that validation isn’t actually comparing the fingerprint against a record.

It might also shed some light by explaining I am using this for a personal professional app, where multiple users will be using the same device.


#4

You can only use fingerprinting if it was set up by the user before on the device. A “valid” only tells you that the device recognized its owner. It doesn’t help you identify a user or anything.


#5

That just seems bizarre to me. Why would they not provide some sort of data-string that you can save to your database? Guess I’ll need to find a different way to sign in


#6

Because Apple…

(Maybe this is different for Android by the way - but I don’t think so.)


#7

Agreed that this is a waste of an opportunity. I tried using it as well. Then again, it’s possible both Apple and Android see the potential for people to start chopping off fingers to get access to important data, and are avoiding that debacle.