Best practices for LocalAuthentication + SecureStore?

Please provide the following:

  1. SDK Version: 40
  2. Platforms (Android/iOS/web/all): Android and iOS

I have a web server that provides access to a REST API. There’s a sign_in endpoint that accepts an e-mail address and password and returns an Authorization header containing a JWT.

It would be nice if the user did not have to enter their username and password every time they open the app. But I’m a bit unsure of the best practices or what exactly is possible.

My bank’s app only ever asks for a PIN by default, but you can enable fingerprint authentication. Would this cause the app to store the PIN in the keychain/securestore so that it can send it to the server to login? I suppose if this is the case then it would receive a JWT in response to the login and would then be able to make subsequent requests using the JWT.

Translating the above into my app would mean storing the e-mail address and password in SecureStore and using it for making the sign_in request when the user does the LocalAuthentication in the app. Storing the username and password makes me uneasy, though.

Another option might be to store the JWT in SecureStore instead of the username and password. By default the JWT expires after about a day, though. So this would not work unless there’s a way to refresh the JWT (which I think I’ve seen something about somewhere). Of course just refreshing the JWT indefinitely also seems like a risk.

Is it a problem to store the username and password in SecureStore? The Apple keychain docs do mention storing passwords. The Android SharedPreferences docs don’t seem to mention storing passwords, but since the SharedPreferences are apparently encrypted using Android’s Keystore system maybe this is fine.

I’d appreciate it if anyone has guidance on how to do this sort of thing securely.

Also, although the app does not currently support 3rd party authentication via OAuth 2/OpenID Connect, how would things change if I wanted to implement something like that? In that case I would not have the username/password so would not be able to store it in SecureStore.

Thanks

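An added example, not code from the original post or from Expo: one way to structure the "store a refresh token instead of the password" option the post considers. The password is sent once and dropped; only a rotating refresh token goes into SecureStore; the short-lived JWT stays in memory; restoring a session on app launch is gated on LocalAuthentication; and an assumed absolute session lifetime (30 days here) bounds "refresh the JWT indefinitely". The SecureStore, LocalAuthentication and server dependencies are injected so the code runs offline in Node; the in-file stand-ins (`makeSecureStore`, `makeLocalAuth`, `makeApi`), the key names and the endpoint shapes (`api.signIn`, `api.refresh`) are all assumptions for illustration. In the app you would pass `expo-secure-store` and `expo-local-authentication`, whose `setItemAsync`/`getItemAsync`/`deleteItemAsync` and `authenticateAsync` methods the stand-ins mimic.

```javascript
// Added example (not from the original post). Session layer for an Expo-style app:
// password never persisted, rotating refresh token in SecureStore, JWT in memory,
// biometric gate on resume, absolute session lifetime. Dependencies are injected.

const b64url = {
  enc: (s) => Buffer.from(s, 'utf8').toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, ''),
  dec: (s) => Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8'),
};

// Read the exp claim (as milliseconds) WITHOUT verifying the JWT. The client only
// uses it to decide when to refresh; the server still checks the signature per request.
function jwtExpiresAtMs(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  const { exp } = JSON.parse(b64url.dec(parts[1]));
  if (typeof exp !== 'number') throw new Error('JWT has no exp claim');
  return exp * 1000;
}

const KEYS = { refreshToken: 'session.refreshToken', issuedAt: 'session.issuedAt' }; // assumed key names
const ABSOLUTE_SESSION_MS = 30 * 24 * 3600 * 1000; // assumed policy: password required again after 30 days
const REFRESH_SKEW_MS = 60 * 1000;                 // refresh a JWT that expires within a minute

class Session {
  constructor({ secureStore, localAuth, api, now }) {
    Object.assign(this, { secureStore, localAuth, api, now });
    this.accessToken = null; // memory only, never written to SecureStore
  }
  // Interactive sign-in: the password is sent once and then dropped.
  async signIn(email, password) {
    const { accessToken, refreshToken } = await this.api.signIn(email, password);
    this.accessToken = accessToken;
    await this.secureStore.setItemAsync(KEYS.refreshToken, refreshToken);
    await this.secureStore.setItemAsync(KEYS.issuedAt, String(this.now()));
  }
  // On app launch: enforce the absolute lifetime, then the biometric gate, then refresh.
  async resume() {
    const refreshToken = await this.secureStore.getItemAsync(KEYS.refreshToken);
    const issuedAt = Number(await this.secureStore.getItemAsync(KEYS.issuedAt));
    if (!refreshToken || !issuedAt) return false;
    if (this.now() - issuedAt > ABSOLUTE_SESSION_MS) { await this.signOut(); return false; }
    const r = await this.localAuth.authenticateAsync({ promptMessage: 'Unlock your account' });
    if (!r.success) return false;
    return this.refresh();
  }
  // Exchange the stored refresh token for a new JWT; the server rotates the refresh token.
  async refresh() {
    const old = await this.secureStore.getItemAsync(KEYS.refreshToken);
    if (!old) return false;
    try {
      const { accessToken, refreshToken } = await this.api.refresh(old);
      this.accessToken = accessToken;
      await this.secureStore.setItemAsync(KEYS.refreshToken, refreshToken);
      return true;
    } catch { await this.signOut(); return false; } // revoked server-side: back to the password prompt
  }
  // Header for API calls; refreshes transparently when the JWT is about to expire.
  async authHeader() {
    if (!this.accessToken || jwtExpiresAtMs(this.accessToken) - this.now() < REFRESH_SKEW_MS) {
      if (!(await this.refresh())) throw new Error('not signed in');
    }
    return { Authorization: `Bearer ${this.accessToken}` };
  }
  async signOut() {
    this.accessToken = null;
    await this.secureStore.deleteItemAsync(KEYS.refreshToken);
    await this.secureStore.deleteItemAsync(KEYS.issuedAt);
  }
}

// ---- constructed stand-ins for expo-secure-store, expo-local-authentication, server ----
const makeSecureStore = () => { const m = new Map(); return {
  setItemAsync: async (k, v) => { m.set(k, v); },
  getItemAsync: async (k) => m.get(k) ?? null,
  deleteItemAsync: async (k) => { m.delete(k); },
  dump: () => [...m.values()] }; };
const makeLocalAuth = (success) => ({ authenticateAsync: async () => ({ success }) });
// Fake server: 1-hour JWTs with a placeholder signature (the real server signs them),
// single-use rotating refresh tokens, one hard-coded password for the demo.
const makeApi = (now) => { let valid = null, n = 0; const issue = () => {
  const payload = JSON.stringify({ sub: 'u1', exp: Math.floor(now() / 1000) + 3600 });
  valid = `rt-${++n}`;
  return { accessToken: `${b64url.enc('{"alg":"HS256","typ":"JWT"}')}.${b64url.enc(payload)}.sig`, refreshToken: valid }; };
  return {
    signIn: async (email, pw) => { if (pw !== 'correct horse') throw new Error('bad credentials'); return issue(); },
    refresh: async (rt) => { if (rt !== valid) throw new Error('refresh token revoked'); return issue(); } }; };

// Walkthrough on a fake clock: sign-in, silent refresh, denied and allowed resume,
// refresh-token reuse, absolute-lifetime expiry. Returns the observations.
async function walkthrough() {
  let t = 1700000000000; const now = () => t;
  const store = makeSecureStore(), api = makeApi(now);
  const open = (bio) => new Session({ secureStore: store, localAuth: makeLocalAuth(bio), api, now });
  const s1 = open(true);
  await s1.signIn('me@example.com', 'correct horse');
  const passwordPersisted = store.dump().includes('correct horse');
  const h1 = await s1.authHeader();
  t += 3600 * 1000;                                   // the JWT has just expired
  const h2 = await s1.authHeader();                   // refreshed transparently, refresh token rotated
  const resumeDenied = await open(false).resume();    // biometric failed
  const s3 = open(true); const resumeOk = await s3.resume();
  let reuseRejected = false; try { await api.refresh('rt-2'); } catch { reuseRejected = true; }
  t += 31 * 24 * 3600 * 1000;                         // past the absolute session lifetime
  const resumeExpired = await s3.resume();
  return { passwordPersisted, h1, h2, tokenRotated: h1.Authorization !== h2.Authorization,
           resumeDenied, resumeOk, reuseRejected, resumeExpired, storeEmpty: store.dump().length === 0 };
}
```

Two caveats on the design: the `exp` claim is only read to schedule refreshes, never trusted for authorization; and the LocalAuthentication prompt in app code is a gate the app enforces on itself, so the refresh token's real protection is the Keychain/Keystore-backed storage plus server-side revocation, which is why the token is rotated on every use and the whole session is dropped when the server rejects it.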