Coder

Reputation: 658

Flutter Offline Authentication

In my app, the user should be able to login regardless whether they are online or offline, so is it possible to add offline authentication capabilities to my app, because I believe the package google_sign_in only does online authentication.

Upvotes: 1

Views: 3038

Answers (1)

rmtmckenzie

Reputation: 40493

If all you're doing is asking for an email & password, that's fairly simple to check against and you can do it without having to delve into native code.

However, you'll also want to store the password information securely so that will require a little more work.

During registration:

  1. Ask for username and password, then confirm password
  2. Hash password securely (use an algorithm meant for password hashing like PBKDF2, SCrypt, or Argon2, and use a salt. There's a ton of stuff out there on the internet why this is important). There's a plugin for this: password.
  3. Store this hash & the username as securely as possible - flutter_secure_storage seems as good a bet as any although only supports android 4.3+.
  4. Use the generated encryption key to encrypt any data you need saved securely (maybe the encrypt package could help but I'm not 100% sure how complete or secure it is).

If you instead want your user to log into a server the first time and save the password as well, this should be more or less the same process except that you verify that the server accepts the password before/after hashing it.

During login:

  1. Ask for username and password (or hopefully just password or you'll annoy the crap out of your users =D)
  2. Retrieve previously stored password hash + salt
  3. Verify against previously stored hash + salt
  4. Use generated encryption key to decrypt data etc.

A few other things... make sure that the password entry doesn't support autocomplete or the user's keyboard might save their password. If you have a button to show the password you might want to think about blocking screenshots somehow while it's being shown (that's native though). And never, ever store the password in plain text! Using a hash means that at least if an attacker gets in, they won't be able to see the actual password.

Note that while this should work and should be at least moderately secure, don't treat it as a 100% secure solution. You should always get an expert opinion on how to implement your security as opposed to a stranger on SO =P.

There's also a bug open against the flutter google auth plugin about this so it might get resolved at some point that way.

And there is also the local_auth plugin which supports TouchId/FaceId on iOS and fingerprints on android - however, it will only work on android 6+ and with devices that have a fingerprint reader so you may need to have the username/password fallback anyways.

I'd be happy to answer any questions you have about this.

Upvotes: 6
