iOS Touch ID and SSO

Question

I am working on an enterprise iOS application. There will be multiple applications from the enterprise.

• Wanted to check if Touch ID can be used as an SSO, so that the user is authenticated for one of the enterprise app using Finger Print only once and other enterprise apps does not need to login again.
• Is there any API for Touch ID that can be leveraged by other enterprise apps for this purpose.

Let me know if I need to share any other information.

Thanks in advance!

Answer 1

An app can use TouchID in one of two ways -

1. There is an API that returns a yes/no that indicates whether a valid finger print was presented when prompted. This could be used if you wanted the user to authenticate to the app locally. A "secret diary" app might use this for example
2. There is a second API that allows the use of TouchID to retrieve a value from the keychain. An app that requires authentication to some back-end might use this; The TouchID authentication is used to retrieve the username/password from the keychain which is then presented to the back-end. The user must log in manually the first time (and any time the password changes). If you have several apps that share a keychain via group entitlement then the credentials could be retrieved by any of those apps, but the user would need to use TouchID each time the credentials were retrieved. You could potentially achieve SSO across apps by using a federation protocol like OAuth/WS-* and sharing the session details so that the user only needed to TouchId the first time (and subsequently when the session expires)