Investigate biometric login
Apple has TouchID and FaceID, which use biometrics to authenticate the user to the local device. This biometric authentication can also be used to unlock a cryptographic private key, and the private key can then be used to authenticate the user to a remote server. It looks like Android offers a similar(-ish?) biometric authentication system.
We should learn more about this, and if it looks good, then we should add support to the Circles app. (And also to the Swiclops auth service on the back end.)
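As an added illustration of the iOS mechanism described above (not code from the Circles app or Swiclops), the sketch below creates a P-256 key inside the Secure Enclave that can only be used after Face ID / Touch ID succeeds, and uses it to sign a server challenge. The challenge-response flow, the key tag and the error type are assumptions for the example; the server side (storing the public key at enrollment, verifying the ECDSA signature over the nonce it issued) is not shown.

```swift
import Foundation
import Security

enum BiometricKeyError: Error { case accessControl, keyGen(String), sign(String) }

/// Creates a P-256 key inside the Secure Enclave whose private half can only be used
/// after a successful biometric check. The raw private key never leaves the enclave;
/// the app only ever holds a SecKey reference (this is why the app "doesn't get the key").
func makeBiometricKey(tag: String) throws -> SecKey {
    var err: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly,        // Secure Enclave keys must be ThisDeviceOnly
        [.privateKeyUsage, .biometryCurrentSet],             // key is invalidated if enrolled biometrics change
        &err) else { throw BiometricKeyError.accessControl }

    let attrs: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,
            kSecAttrApplicationTag as String: Data(tag.utf8), // assumed tag, e.g. "org.example.circles.biokey"
            kSecAttrAccessControl as String: access,
        ],
    ]
    guard let key = SecKeyCreateRandomKey(attrs as CFDictionary, &err) else {
        throw BiometricKeyError.keyGen(err!.takeRetainedValue().localizedDescription)
    }
    return key
}

/// Public key to register with the server at enrollment (X9.63 uncompressed point).
func exportPublicKey(_ privateKey: SecKey) throws -> Data {
    var err: Unmanaged<CFError>?
    guard let pub = SecKeyCopyPublicKey(privateKey),
          let data = SecKeyCopyExternalRepresentation(pub, &err) else {
        throw BiometricKeyError.keyGen("public key export failed")
    }
    return data as Data
}

/// Signs a server-issued random challenge; calling this triggers the biometric prompt.
/// The server checks the signature with the stored public key and rejects reused nonces.
func signChallenge(_ challenge: Data, with privateKey: SecKey) throws -> Data {
    var err: Unmanaged<CFError>?
    guard let sig = SecKeyCreateSignature(
        privateKey, .ecdsaSignatureMessageX962SHA256, challenge as CFData, &err) else {
        throw BiometricKeyError.sign(err!.takeRetainedValue().localizedDescription)
    }
    return sig as Data
}
```

Because the key is bound to this device and to the current biometric enrollment, a second device (or a re-enrolled finger/face) needs its own enrollment with the server; that is the cross-device question raised below.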
Ideas
- We could add the biometric auth as a 2nd factor for 2FA on /login. Then, even if the user chooses a weaker password, they are still protected against outside attackers trying to compromise their account.
- We could use the biometric auth in place of password-based authentication in the UIA flows. For example, if the user wants to delete a device (aka a "session"), they could do so using the biometric instead of typing their password.
Questions
- On iOS, the app doesn't get access to the private key. But on Android it looks like the app must manage the keys itself.
- Also on iOS, iCloud makes the private key available on all of the user's devices. Is there anything similar on Android?