Re: Integrating touch Id with sign up-in process in client-server based app
- Subject: Re: Integrating touch Id with sign up-in process in client-server based app
- From: Jens Alfke <email@hidden>
- Date: Thu, 16 Jul 2015 15:31:44 -0700
> On Jul 16, 2015, at 2:10 PM, Devarshi Kulshreshtha <email@hidden> wrote:
>
> My question is - is there any way we can use touch ID to validate user at
> server, say by sending and validating his biometric information at server?

No. The biometric data never leaves the locked-down trusted module inside the CPU; it’s completely inaccessible unless you physically tear the chip open and do some very sophisticated probing. That’s a good thing. Sending biometric data around is very insecure, and if it’s compromised the user is screwed because they can’t very well get a new set of fingerprints.

All TouchID lets your app do is store data in a Keychain item such that it can’t be retrieved later unless the user physically presents their fingerprint. So _after_ your app has authenticated itself to the server the first time, you can store the resulting shared secret (password, key, token, whatever) securely so that it can only be retrieved using Touch ID.
—Jens
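
The pattern described in the reply above, as an added Swift example that is not part of the original message: the server-issued token is stored in a Keychain item whose access control requires a biometric match, and read back later through the system prompt. The service and account names, the error type and the choice of `.biometryCurrentSet` are assumptions made for illustration.

```swift
import Foundation
import LocalAuthentication
import Security

// Hypothetical identifiers for this example.
let tokenService = "com.example.myapp.session"
let tokenAccount = "server-token"

enum TokenStoreError: Error { case accessControl, keychain(OSStatus) }

private let baseQuery: [String: Any] = [
    kSecClass as String: kSecClassGenericPassword,
    kSecAttrService as String: tokenService,
    kSecAttrAccount as String: tokenAccount]

/// Call once the server has authenticated the user by its normal means
/// (e.g. a password) and returned a token. No biometric data is involved.
func storeToken(_ token: Data) throws {
    // Readable only on this device, only while a passcode is set, and only
    // after a fingerprint match. .biometryCurrentSet also invalidates the
    // item if the set of enrolled fingerprints changes.
    guard let acl = SecAccessControlCreateWithFlags(
        nil, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        .biometryCurrentSet, nil) else { throw TokenStoreError.accessControl }

    SecItemDelete(baseQuery as CFDictionary)  // replace any previous token
    var add = baseQuery
    add[kSecAttrAccessControl as String] = acl
    add[kSecValueData as String] = token
    let status = SecItemAdd(add as CFDictionary, nil)
    guard status == errSecSuccess else { throw TokenStoreError.keychain(status) }
}

/// Shows the system biometric prompt and returns the token, or nil when no
/// usable item exists (never stored, or invalidated by an enrollment change),
/// in which case the app falls back to a normal server login.
/// Blocks while the prompt is up, so call it off the main thread.
func loadToken(reason: String) throws -> Data? {
    let context = LAContext()
    context.localizedReason = reason
    var query = baseQuery
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    query[kSecUseAuthenticationContext as String] = context
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    switch status {
    case errSecSuccess: return result as? Data
    case errSecItemNotFound: return nil
    default: throw TokenStoreError.keychain(status)  // cancelled or failed match
    }
}
```

The server only ever sees the token; it cannot tell whether a fingerprint was used to release it, so the token should be revocable and expire like any other session credential.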