Using Face ID to secure iOS Applications

Biometric security like Face ID and Touch ID help make iOS mobile devices more secure and convenient for users. These technologies can also be used by 3rd-party applications.

Touch ID Roots

In 2013 Apple introduced a new, biometric means to unlock its mobile devices using a fingerprint sensor incorporated in the home button — Touch ID. Prior to Touch ID, users who wanted to secure their iOS devices from unauthorized access could do so by entering a 4-digit PIN code (later extended to longer, 6-digit codes). While the data on iOS devices continued to be secured by encryption using underlying PIN code, Touch ID provided a convenient way for users to unlock devices and confirm their identity with only a touch of a finger.

Enter Face ID

With the launch of the iPhone X, Apple introduced a new biometric security mechanism — Face ID. The trademark name Face ID describes itself. Instead of using a scanned fingerprint to identify the user, Face ID uses a scan of the user’s face to match a stored profile on the device.

I’ll talk in terms of Face ID, but it’s worth noting that both Face ID and Touch ID are just different variants of biometric security. From an architecture and development perspective, both operate in the same way, and provide equivalent benefits application architecture.

Touch ID and Face ID operate in the same way, and provide equivalent benefits application architecture

Where Touch ID uses a map of fingerprint ridges to as a means to recognize its user, Face ID uses a 3-dimensional map of contours and facial features. Face ID uses its signature True Depth infrared camera to project 30,000 dots onto the user’s face, then reads the pattern to create its facial contour map.

The Touch ID fingerprint signature and the Face ID facial contour map are stored in the Secure Enclave within the iOS device. This data is accessible only by the end user (encrypted with the PIN that only the user knows), and never leaves the device itself.

Leveraging Face ID in 3rd-Party Applications

While most users think of Face ID only in terms of unlocking the iOS device at the home screen, we can also use Face ID to create more secure and convenient experiences for our 3rd-party applications.

While users are accustomed to being prompted to authenticate with Face ID (or Touch ID) when unlocking the device, we can ask iOS to prompt them to re-authenticate with biometric security at any time. Typically we would prompt a biometric authentication when our own iOS application is launched, just before reading security tokens or user credentials from the iOS

As with other hardware features accessible to 3rd-party applications, users must authorize a custom application to use Face ID. We must design our application assuming that a user may not authorize us to use Face ID (or is using a device that doesn’t support biometric authentication). Apps must fail gracefully, and provide some other means to identify/authenticate the user when biometric security is not available or fails to recognize the user.

Face ID Benefits

Incorporating Face ID in our iOS security architecture has some key benefits:

  • We can be certain the user who unlocked the device is the same person now accessing our application.
  • We can provide an extra layer of security, being sure of the user’s identity before reading highly sensitive data from the user’s Keychain (for example a JWT token or a password)
  • When users are prompted for Face ID (or Touch ID), they are reassured that we‘re taking the security of their sensitive information seriously.

Security Architecture

An application that would benefit from using Face ID/Touch ID on launch would typically have one or more of the following security design elements:

  • A password stored in the user’s Keychain
  • A web service token used for accessing remote APIs stored in the user’s Keychain
  • Certificates or other sensitive data stored in the user’s Keychain

While an application could prompt for biometric authentication even when it’s not to authorize access to sensitive information, this isn’t a typical approach. For the most part, application-level biometric authentication is employed as a secure substitute for a traditional username/password authentication.

Example App Launch Flow with Face ID

The following example illustrates how Face ID (or Touch ID) biometric authentication would be used to provide a confirmation of user identity prior to accessing security credentials.

Typically applications that access secure information (for example, by making authenticated calls to web service APIs) will require either a username/password to begin a session, an expiring token, for example a Java Web Token (JWT). While prompting users to re-enter username/password combinations on every application launch is secure, it’s also frustrating for users. Most mobile applications do store authentication tokens or passwords in keychain, and keeping this information secure is of utmost importance.

In the following flow:

  • A username/password combination (previously entered by the user), or a security token (previously obtained from a web service) are stored in the iOS keychain
  • The Keychain is the correct location for this sensitive data, since it is then encrypted and not accessible without a device PIN/Biometric unlock.
  • If sensitive authentication information has been stored in the keychain (user logged in, but didn’t log out), the user’s ID (but not password or token!) is stored in user preferences. The presence of User Id in preferences is the signal that the application should attempt biometric authentication — rather than proceeding directly to the username/password prompt.
  • If the device doesn’t support biometric authentication, or the user has declined to allow the application to use that feature, or the sensor simply doesn’t recognize the user, Face ID fails, and the application falls back to conventional username/password authentication.
Image for post

In the above login flow, Face ID (or Touch ID) are used to provide a way for the user to grant permission for the application to read from the Keychain.

Could the app read from the Keychain without prompting for biometric verification? The answer is “Yes”. Face ID isn’t required to access Keychain data — when the user unlocked the device with PIN (or Face ID/Touch ID), the Keychain was implicitly unlocked for the application.

But by using Face ID/Touch ID, we’re providing an extra layer of identity verification, and raising the level of security of our application to one that prompts for a password every time it’s launched — but without the user frustration associated with repeated password prompts.

Rob Kerr
App development for iOS, creating applications for my own development studio (Cuvenx Inc.), and consulting with awesome clients to build their mobile applications.
Ann Arbor, Michigan, USA

Copyright © 2021 Rob Kerr