Best practices for LocalAuthentication + SecureStore?

wodin · February 16, 2021, 9:43am

Please provide the following:

SDK Version: 40
Platforms(Android/iOS/web/all): Android and iOS

I have a web server that provides access to a REST API. There’s a sign_in endpoint that accepts an e-mail address and password and returns an Authorization header containing a JWT.

It would be nice if the user did not have to enter their username and password every time they open the app. But I’m a bit unsure of the best practices or what exactly is possible.

My bank’s app only ever asks for a PIN by default, but you can enable fingerprint authentication. Would this cause the app to store the PIN in the keychain/securestore so that it can send it to the server to login? I suppose if this is the case then it would receive a JWT in response to the login and would then be able to make subsequent requests using the JWT.

Translating the above into my app would mean storing the e-mail address and password in SecureStore and using it for making the sign_in request when the user does the LocalAuthentication in the app. Storing the username and password makes me uneasy, though.

Another option might be to store the JWT in SecureStore instead of the username and password. By default the JWT expires after about a day, though. So this would not work unless there’s a way to refresh the JWT (which I think I’ve seen something about somewhere). Of course just refreshing the JWT indefinitely also seems like a risk.

Is it a problem to store the username and password in SecureStore? The Apple keychain docs do mention storing passwords. The Android SharedPreferences docs don’t seem to mention storing passwords, but since the SharedPreferences are apparently encrypted using Android’s Keystore system maybe this is fine.

I’d appreciate it if anyone has guidance on how to do this sort of thing securely.

Also, although the app does not currently support 3rd party authentication via OAuth 2/OpenID Connect, how would things change if I wanted to implement something like that? In that case I would not have the username/password so would not be able to store it in SecureStore.

Thanks

ryanst · March 3, 2021, 7:55pm

A quick search for React Native biometric authentication would give you several tutorials. That was the first thing I did when there was a need for such a feature in one of my projects. Depending on the level of risk acceptable for your app, one of those solutions might be suitable.

system · April 2, 2021, 7:56pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Storing JWT in SecureStore Expo SDK	2	1866	March 10, 2018
Use secret key of Expo Local Authentication to encrypt username and password How to / Third Party Tooling localauthentication	1	446	October 13, 2021
Storing secret information in SecureStore (secret for user) Expo SDK	2	1257	March 10, 2018
Handling biometric authentication with remote verification Expo SDK	1	763	January 3, 2020
Problems Using `requireAuthentication` with expo-secure-store Expo SDK securestore	1	900	August 8, 2022

Best practices for LocalAuthentication + SecureStore?

Related Topics