
Question

With the recent announcement of Touch ID APIs for third-party apps, I am wondering how we can leverage this feature to perform secure transactions. I am looking for a method to use Touch ID in my payment application. One option is to store the password in the keychain and add access policies to invoke Touch ID during payment, but the problem is that if the device password is compromised, the user can roll back to the device password to access the password stored in the keychain. Does anyone know a better mechanism to manage the password and make the transaction smoother and secure using Touch ID?

Explanation / Answer

One possibility here would be to not have the user actually generate a password; you could have the app generate a random string when the local biometric auth succeeds on account creation. This randomly generated string could be used as a password to generate the shared secret between the client and the server. Store this shared secret in the keychain.

When you need to perform a transaction, the user could validate with their thumb or whatever biometric feature is used in the future to access the secret within the keychain. This could then be used to enable the transaction.
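The flow described in the answer, as an added Swift sketch that is not part of the original answer: a random secret is generated at account creation and stored in the keychain under an access control that accepts biometry only, which also addresses the passcode fallback raised in the question. The `service` and `account` names and the two function names are hypothetical.

```swift
import Foundation
import Security

// Hypothetical identifiers for this example.
let service = "com.example.payments"
let account = "transaction-secret"

enum SecretError: Error { case random, accessControl, keychain(OSStatus) }

/// Account creation: generate a random secret and store it behind biometry only.
func createSecret() throws -> Data {
    var bytes = [UInt8](repeating: 0, count: 32)
    guard SecRandomCopyBytes(kSecRandomDefault, bytes.count, &bytes) == errSecSuccess else {
        throw SecretError.random
    }
    // .userPresence would accept the device passcode as a fallback.
    // .biometryCurrentSet (.touchIDCurrentSet before iOS 11.3) accepts only the
    // currently enrolled fingerprints; the item becomes unreadable if that set changes.
    guard let access = SecAccessControlCreateWithFlags(
        nil, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, .biometryCurrentSet, nil
    ) else { throw SecretError.accessControl }

    let base: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
    SecItemDelete(base as CFDictionary)  // replace any earlier enrollment
    var add = base
    add[kSecAttrAccessControl as String] = access
    add[kSecValueData as String] = Data(bytes)
    let status = SecItemAdd(add as CFDictionary, nil)
    guard status == errSecSuccess else { throw SecretError.keychain(status) }
    return Data(bytes)  // caller registers this with the server during enrollment
}

/// Transaction time: reading the item triggers the Touch ID prompt.
func loadSecret(reason: String) throws -> Data {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
        kSecUseOperationPrompt as String: reason,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let data = item as? Data else {
        throw SecretError.keychain(status)  // cancelled, failed match, or enrollment changed
    }
    return data
}
```

When `loadSecret` fails because the enrolled fingerprints changed, the app has to re-authenticate the user through another channel and call `createSecret` again.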
