生物认证实施 [英] Biometric authentication implementation

问题描述

我正在寻找有关使用指纹/touchID/FaceId 从我们的移动应用进行替代身份验证的最佳做法.

I'm looking for the best practices regarding alternative authentication from our mobile app using fingerprint/touchID/FaceId.

• 数据库: PostgreSQL
• 后端:.net core 2.2 中的 REST API
• 客户:
  • Angular2 网络客户端
  • Xamarin Forms 中的移动应用程序<--- 这就是魔法应该发生的地方
  • Database : PostgreSQL
  • Backend : REST API in .net core 2.2
  • Clients :
    • Angular2 web client
    • A mobile app in Xamarin Forms <--- This is where magic should happens

    目前，我们的客户端使用用户名/密码对 REST API 进行身份验证并接收 JWT 令牌.然后将令牌附加到 API 的每个安全请求.

    For the moment, our clients authenticate to the REST API using username/password and receive a JWT token. The token is then attached to each secured request to the API.

    用户从移动键盘输入密码并不总是很方便，所以我正在尝试实现一种更简单的登录方式，使用生物识别身份验证，例如指纹、faceID、touchID...

    It is not always convenient for users to type the password from the mobile keyboard, so I'm trying to implement an easier way to login using biometric authentication such as fingerprint, faceID, touchID...

    在我看来，工作流程如下:

    In my opinion, the workflow would be the following :

    • 用户首次使用用户名/密码组合从移动应用登录
    • 如果设备允许，请要求用户使用生物识别技术
    • 生成令牌并将其发送到 API
    • 将令牌存储在安全存储(密钥库/钥匙串)中
    • 使用此令牌代替密码登录

    我们总是有经典的用户名/密码回退.

    We always have the classic username/password fallback.

    我在这里阅读了很多关于 stackoverflow 的帖子，并在 Google 上搜索了解决方案，但似乎没有一个能解释后端安全实现的用例.

    I read a lot of post here on stackoverflow, and searched on Google for a solution but none seems to explain a use case with the backend security implementation.

    我已在我的应用程序移动设备上实施指纹扫描仪并获得成功回调.我在我的 Xamarin 项目中使用这个库来获得生物特征认证:https://github.com/smstuebe/xamarin-fingerprint

    I have implemented the fingerprint scanner on my app mobile and get the success callback. I'm using this library in my Xamarin project to get the biometric authentication : https://github.com/smstuebe/xamarin-fingerprint

    你能告诉我如何实施吗?在后端和客户端之间存储公共令牌是最好的方法吗?密钥库/钥匙串安全吗?我错过了什么吗?

    Could you please advise me on how to implement it ? Is storing a common token between backend and client the best way ? Is the keystore/Keychain secure ? Am I missing something ?

    非常感谢，

    问候

    推荐答案

    钥匙串是您设备上最安全的地方.您可以添加越狱检测措施以提高安全性，并在检测到越狱时从钥匙串中删除令牌并从内存中清除它(混淆此代码).至于令牌，我会在后端生成它并将其作为身份验证调用响应传递回客户端.如果用户选择使用双特征提示进行访问，则将其存储在钥匙串中.然后，对于每次调用，您都会将此令牌添加到请求标头中.这就是后端识别您的方式.

    Keychain is the most secure place on your device. You can add jailbreak detection measures to improve security and delete the token from keychain and clear it from memory when you detect jailbreak (obfuscate this code). As for the token, I would generate it on the backend side and pass it back to the client as the auth call response. Then store it in the keychain if the user chooses with bimetric prompt for access. Then for every call, you would add this token to the request header. That's how the backend identifies you.

    这篇关于生物认证实施的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！