fortysixandtwo

Reputation: 485

iOS/Android fingerprint - authentication server side

I'm trying to wrap my head around how to implement iOS/Android fingerprint to authenticate a user.

From what I understand, triggering the fingerprint dialog is just additional security?

So a typical onboarding process would be something like this:

  1. User downloads the app.
  2. User registers/signs in, and gets a token back from the server.
  3. On certain actions where we need additional security, trigger the fingerprint dialog.
  4. If fingerprint is OK - do actual REST call with token from step 2.

Am I missing something?

Upvotes: 4

Views: 6603

Answers (1)

LaurentY

Reputation: 7653

Please read one of these blogs (there are many others):

The process has to be:

  1. User must have already registered a fingerprint and chosen to unlock the device with fingerprint in the Android Settings app.
  2. User downloads the app.
  3. User registers/signs in with a fingerprint check.
  4. App generates a local token and stores it in the secure (secure element) keystore on the device.
  5. This local app token is sent to the server.
  6. On certain actions where we need additional security, trigger the fingerprint dialog.
  7. If fingerprint is OK, the app has access to the secure keystore to get the token. The app can use this token to do the REST call from step 4.

Upvotes: 3
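
The flow in the answer above, seen from the server side, as an added example that is not part of the original answer. All class and method names are hypothetical, the `fingerprint_ok` flag stands in for the OS biometric result, and storing only a SHA-256 hash with a constant-time comparison is an assumption of this sketch rather than a step the answer states.

```python
import hashlib
import hmac
import secrets


class App:
    """Stand-in for the mobile app. fingerprint_ok models the OS biometric result."""

    def __init__(self):
        # Step 4: token generated on the device; a real app keeps it in the keystore.
        self._keystore_token = secrets.token_urlsafe(32)

    def read_token(self, fingerprint_ok):
        # Step 7: the keystore releases the token only after a successful fingerprint check.
        return self._keystore_token if fingerprint_ok else None


class Server:
    """In-memory stand-in for the backend (hypothetical names throughout)."""

    def __init__(self):
        self.sessions = {}       # session token -> user id
        self.device_hashes = {}  # user id -> SHA-256 of the enrolled device token

    def sign_in(self, user_id):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user_id
        return token

    def enroll_device(self, session_token, device_token):
        # Step 5: accept the device token only over an authenticated session.
        user_id = self.sessions.get(session_token)
        if user_id is None or not device_token:
            return False
        self.device_hashes[user_id] = hashlib.sha256(device_token.encode()).digest()
        return True

    def sensitive_action(self, session_token, device_token):
        # Reject unknown sessions, unenrolled users and a missing device token.
        user_id = self.sessions.get(session_token)
        expected = self.device_hashes.get(user_id)
        if user_id is None or expected is None or not device_token:
            return False
        presented = hashlib.sha256(device_token.encode()).digest()
        return hmac.compare_digest(presented, expected)  # constant-time compare
```

The server never sees the fingerprint itself; it only learns whether the app could present the token that the keystore releases after a successful local check.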
