Reputation: 1895
The common approach to securing user secrets in native applications seems to be storing the secret in the keychain and adding an additional layer of protection by way of biometrics (Touch ID / Face ID).
My questions:
Does adding the additional layer of protection (biometrics) make your app any more secure? If the attacker was able to unlock your phone using the very same biometrics you use to secure your app, what advantage have you gained?
What attack vectors are you open to, for an app that secures user data in the keychain but does not use biometrics as an additional second factor?
Some apps also use 4-digit PIN entry as an alternative to biometrics; isn't this a placebo? I.e., the bulk of the app's security comes from the fact that the application is relying on an operating system that provides a keychain and a secure mechanism for this app, and only this app, to retrieve its secrets. Adding a 4-digit PIN to supposedly hash your secrets and then secure them in the keychain is what?
Upvotes: 0
Views: 49
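As an added illustration of the distinction the question is about (not code from the post), the Swift below stores the same secret two ways: once under a plain accessibility attribute, which any code in the app can read whenever the device is unlocked, and once under a `SecAccessControl` that demands a fresh biometric match against the currently enrolled set on every read. The service name, account name and the prompt text are placeholders chosen for this example; the Security and LocalAuthentication calls are the standard iOS APIs.

```swift
import Foundation
import Security
import LocalAuthentication

// Hypothetical service identifier for this example; a real app would use its own.
private let exampleService = "com.example.vault"

enum KeychainError: Error {
    case accessControlFailed(Error?)
    case status(OSStatus)
}

/// Deletes any existing item for `account` so that SecItemAdd does not return
/// errSecDuplicateItem. The delete query carries only the identifying attributes.
private func deleteItem(account: String) {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: exampleService,
        kSecAttrAccount as String: account,
    ]
    SecItemDelete(query as CFDictionary)
}

/// Variant 1: protected only by the device being unlocked. Any code running in
/// this app's keychain access group can read it back without a user prompt.
func storeUnlockOnly(secret: Data, account: String) throws {
    deleteItem(account: account)
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: exampleService,
        kSecAttrAccount as String: account,
        kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        kSecValueData as String: secret,
    ]
    let status = SecItemAdd(query as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.status(status) }
}

/// Variant 2: every read requires a successful biometric match against the
/// biometric set enrolled at store time. Re-enrolling Face ID / Touch ID, or
/// removing the device passcode, makes the item unreadable (errSecItemNotFound).
func storeBiometricBound(secret: Data, account: String) throws {
    deleteItem(account: account)
    var cfError: Unmanaged<CFError>?
    guard let acl = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, // never migrates to backups
        .biometryCurrentSet,                             // no passcode fallback
        &cfError
    ) else {
        throw KeychainError.accessControlFailed(cfError?.takeRetainedValue())
    }
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: exampleService,
        kSecAttrAccount as String: account,
        kSecAttrAccessControl as String: acl,
        kSecValueData as String: secret,
    ]
    let status = SecItemAdd(query as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.status(status) }
}

/// Reads an item. For the biometric-bound variant the system shows its own
/// prompt using `reason`; for the unlock-only variant no prompt appears.
func readSecret(account: String, reason: String) throws -> Data {
    let context = LAContext()
    context.localizedReason = reason
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: exampleService,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
        kSecUseAuthenticationContext as String: context,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess, let data = result as? Data else {
        throw KeychainError.status(status)
    }
    return data
}

// Usage (on a device with a passcode and enrolled biometrics):
// try storeBiometricBound(secret: Data("token".utf8), account: "session")
// let token = try readSecret(account: "session", reason: "Unlock your session")
```

The practical difference is what an unlocked, unattended phone gives up: the unlock-only item is returned silently, while the biometric-bound item fails with `errSecUserCanceled` or `errSecAuthFailed` unless the enrolled user is present, and it disappears entirely if the biometric set changes. Neither variant helps against an attacker who can pass the same biometric check, which is the limit the question points at; and a 4-digit PIN used to derive a wrapping key adds only about ten thousand guesses of work once the wrapped blob is obtained, so its value depends on the OS or Secure Enclave enforcing attempt limits, not on the PIN's entropy.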