NamNH

Reputation: 1805

How to re-login using Biometric authentication?

I am developing a login feature using username/password and biometric authentication. The use case I have in mind is:

  1. User logs in via username/password for the first time and gets their Token (access_token/refresh_token).
  2. User goes to the app's settings and enables biometric authentication.
  3. App will show and verify the biometric from the user.
  4. App will save "Encrypted Data" here when the biometric check succeeds.
  5. User logs out of the app.
  6. User logs in via biometric.

And I am very concerned about 2 points:

  1. At step 4, which thing should I encrypt, the Token or the username/password? If the Token, it can expire; if the username/password, it seems not a good idea.

  2. At step 5, the token will be cleared, so in step 6, after verifying the biometric, how can I re-login the user? Will it depend on my saved data from step 3? Or if the user logs out, should we also disable biometric?

Thanks in advance.

Upvotes: 1

Views: 1347

Answers (1)

RusArtM

Reputation: 1300

You should store the session refresh token only. There is no need to store access tokens or, moreover, the login/password.

After enabling biometric authentication you should put the encrypted refresh token and the encryption IV somewhere (in shared preferences or in a DB, for example) and store the encryption key in the device's secure store.

At step 5 the user shouldn't log out, as logging out means you will close the session and won't be able to reuse it, forcing the user to enter login and password again.

When the user starts the app, you will get the key and decode the Refresh Token. Then you will use it to get a new Access Token.

For all this to work properly, you should have a long lifetime for refresh tokens and a short one for access tokens.

Upvotes: 0
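The scheme from this answer as an added Android/Kotlin example (not code from the question or the answer): the refresh token is encrypted with an AES-GCM key that lives in the Android Keystore and can only be used right after a successful biometric, while SharedPreferences holds just the ciphertext and IV. It assumes the androidx.biometric library, minSdk 24, a FragmentActivity, and your own token-refresh call passed in as `refreshSession`; the key alias, preference file and preference keys are constructed names.

```kotlin
import android.content.Context.MODE_PRIVATE
import android.security.keystore.*
import android.util.Base64
import androidx.biometric.*
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity
import java.security.KeyStore
import javax.crypto.*
import javax.crypto.spec.GCMParameterSpec

private const val ALIAS = "refresh_token_key"   // constructed key alias
private const val PREFS = "biometric_session"   // constructed preferences file

// AES-256-GCM key that never leaves the Keystore: per-use biometric auth, wiped on new enrolment.
private fun keystoreKey(): SecretKey {
    val ks = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
    (ks.getKey(ALIAS, null) as? SecretKey)?.let { return it }   // reuse, never regenerate
    val spec = KeyGenParameterSpec.Builder(ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM).setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setKeySize(256).setUserAuthenticationRequired(true).setInvalidatedByBiometricEnrollment(true).build()
    return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore").apply { init(spec) }.generateKey()
}

// Binds the cipher to the prompt; onUnlocked runs only after a successful biometric.
private fun FragmentActivity.withBiometric(cipher: Cipher, onUnlocked: (Cipher) -> Unit) {
    val info = BiometricPrompt.PromptInfo.Builder().setTitle("Sign in").setNegativeButtonText("Use password")
        .setAllowedAuthenticators(BiometricManager.Authenticators.BIOMETRIC_STRONG).build()
    BiometricPrompt(this, ContextCompat.getMainExecutor(this), object : BiometricPrompt.AuthenticationCallback() {
        override fun onAuthenticationSucceeded(r: BiometricPrompt.AuthenticationResult) { r.cryptoObject?.cipher?.let(onUnlocked) }
    }).authenticate(info, BiometricPrompt.CryptoObject(cipher))
}

// Step 4: encrypt the refresh token; only ciphertext and the Keystore-chosen IV reach SharedPreferences.
fun FragmentActivity.enableBiometricLogin(refreshToken: String) =
    withBiometric(Cipher.getInstance("AES/GCM/NoPadding").apply { init(Cipher.ENCRYPT_MODE, keystoreKey()) }) { c ->
        getSharedPreferences(PREFS, MODE_PRIVATE).edit()
            .putString("ct", Base64.encodeToString(c.doFinal(refreshToken.toByteArray()), Base64.NO_WRAP))
            .putString("iv", Base64.encodeToString(c.iv, Base64.NO_WRAP)).apply()
    }

// Step 6: biometric unlocks the cipher; decrypted refresh token goes to refreshSession (your own API call).
fun FragmentActivity.biometricLogin(refreshSession: (String) -> Unit, onNeedPassword: () -> Unit) {
    val p = getSharedPreferences(PREFS, MODE_PRIVATE)
    val ct = p.getString("ct", null) ?: return onNeedPassword()   // biometric login never enabled
    val iv = p.getString("iv", null) ?: return onNeedPassword()
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    try { cipher.init(Cipher.DECRYPT_MODE, keystoreKey(), GCMParameterSpec(128, Base64.decode(iv, Base64.NO_WRAP))) }
    catch (e: KeyPermanentlyInvalidatedException) { p.edit().clear().apply(); return onNeedPassword() }  // biometrics changed
    withBiometric(cipher) { c -> refreshSession(String(c.doFinal(Base64.decode(ct, Base64.NO_WRAP)))) }
}
```

If the server rotates refresh tokens on use, call enableBiometricLogin again with the new one after each successful refresh, and clear the stored ciphertext whenever the user explicitly ends the session.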
