
We have a microservice-based system in which users are currently authenticated by Keycloak (JWT), and we need to add biometric login to this existing system. At first, we designed a biometric authentication flow as below:

  1. Generate an asymmetric key pair at the client end (mobile app).
  2. Share the public key with the backend server.
  3. Encrypt the authentication token (the JWT access token generated by Keycloak, initially obtained via password login) with the public key at the backend server.
  4. Share the encrypted token with the mobile app and save it locally on the device.
  5. Use the biometric APIs to get access to the private key.
  6. Decrypt the encrypted token and use it for further authentication.

But where I have a problem is what to do when:

  1. the access token expires?
  2. Even if the token's lifespan is exceeded, what to do if the token policies have to be updated along the way?

My questions are:

  1. Is this flow correct, and does it make sense? (flow referenced from: reference thread)
  2. What are the best practices for biometric authentication in circumstances like the above, or how are popular apps implementing biometrics? Any references?

I've been trying to solve this since last week, but with no luck. I would really appreciate any suggestions, tips, or help.

mondyfy
  • Have you found a solution? I'm facing a similar issue. I have username/password auth with JWT and am wondering how to add biometric authentication to this setup. – luk Sep 07 '22 at 16:15
  • Sorry, nope. The team decided to step down from biometric login, and I never had a similar situation to handle afterwards. – mondyfy Sep 08 '22 at 05:33
  • I got it working for iOS, and I'm working on Android now. I'm creating a unique secret for each user, which is encrypted and kept in the keychain. I'm sending this secret to the server and encrypting it similarly to a standard password. I'm keeping a hash of this secret in the DB. Once the user uses biometrics, after successful auth, the secret is decrypted from the keychain and I'm sending it to the server and comparing it against the DB entry. I will create an entry on SO soon. – luk Sep 17 '22 at 16:22
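A challenge-response variant of the key-pair flow in the question, added here as an example (it is not code from the question or the comments): instead of the backend encrypting a stored JWT with the device's public key (steps 3 to 6), the device proves possession of the biometric-gated private key by signing a fresh server nonce, and the backend then issues a new short-lived token from Keycloak, which is the pattern FIDO/WebAuthn uses and which avoids the expiry and policy-update problems because no token is stored on the device. The device id, the nonce format, the two-minute challenge window and the in-memory maps are assumptions; a real deployment would keep that state in the session store and mint the token through Keycloak.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"time"
)

// Server-side state: enrolled device public keys (step 2) and outstanding challenges.
var keys = map[string]*ecdsa.PublicKey{}
var nonces = map[string]time.Time{} // nonce -> time issued

// Enroll binds a device key to a user; call it only inside a password-authenticated session.
func Enroll(id string, pub *ecdsa.PublicKey) { keys[id] = pub }

// Challenge issues a random, single-use nonce for the device to sign.
func Challenge() string {
	b := make([]byte, 32)
	rand.Read(b) // crypto/rand, not math/rand
	n := fmt.Sprintf("%x", b)
	nonces[n] = time.Now()
	return n
}

// Verify consumes the nonce and checks the signature with the enrolled key. On success the
// backend mints a fresh short-lived JWT, so no long-lived token is ever stored on the device.
func Verify(id, nonce string, sig []byte) error {
	issued, ok := nonces[nonce]
	delete(nonces, nonce) // single use: a captured signature cannot be replayed
	if !ok || time.Since(issued) > 2*time.Minute {
		return fmt.Errorf("unknown, used or expired nonce")
	}
	if pub := keys[id]; pub == nil || !ecdsa.VerifyASN1(pub, digest(id, nonce), sig) {
		return fmt.Errorf("device not enrolled or bad signature")
	}
	return nil
}

func digest(id, n string) []byte { d := sha256.Sum256([]byte(id + ":" + n)); return d[:] }

// NewDeviceKey is step 1; in the app this is a non-exportable Keystore / Secure Enclave key.
func NewDeviceKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }

// DeviceSign is the client side: the key's biometric use policy (step 5) makes this call prompt the user.
func DeviceSign(priv *ecdsa.PrivateKey, id, nonce string) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, digest(id, nonce))
}
```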

0 Answers