Access Mobile Applications with Biometric Verification
In this article we discuss how you can leverage mobile device capabilities to encrypt sensitive data using biometric technology, so that a biometric check can be used to let users back into the application when it resumes. Note that in this approach the authorization server neither stores nor processes any biometric information about the user. Instead, the application leverages the capabilities provided by the mobile platform.
First, the user is authenticated with WSO2 Identity Server using either API-based authentication or the password grant type through a native mobile application. Upon successful authentication the application receives an access token as well as a refresh token. The access token has a short validity period and the refresh token has a longer validity period.
E.g., the access token has 15 mins of validity and the refresh token has 30 days of validity.
The refresh token is used to get new access tokens. Access tokens allow your mobile app to make authenticated requests to your API, but are short-lived. As access tokens expire, the refresh token is used to obtain new access tokens.
By storing the refresh token on the device and encrypting it with a biometric challenge, you can safely keep the user signed in, but require the user to pass a biometric challenge to keep using the app. This means that the user must sign in with their password the first time, but can then use their fingerprint or face to unlock the app after that.
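The following Android/Kotlin helper is an added example of the flow described above (seal the refresh token after the first password login, then on resume require a biometric check to unseal it and exchange it for a new access token); it is not code from the original article or from WSO2. The class name, the Keystore alias, the SharedPreferences layout and the `IS_HOST_PLACEHOLDER` host are assumptions; the `/oauth2/token` path is the Identity Server token endpoint. It assumes API level 30+ (for `setUserAuthenticationParameters`) and the `androidx.biometric` library.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyPermanentlyInvalidatedException
import android.security.keystore.KeyProperties
import android.util.Base64
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity
import java.net.HttpURLConnection
import java.net.URL
import java.net.URLEncoder
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

// Hypothetical helper; class name, alias, prefs keys and host are this example's assumptions.
class BiometricTokenVault(private val activity: FragmentActivity) {
    private val alias = "refresh_token_key"
    private val prefs = activity.getSharedPreferences("token_vault", 0)
    private val tokenEndpoint = "https://IS_HOST_PLACEHOLDER:9443/oauth2/token" // host is a placeholder

    // AES-256-GCM key that never leaves the Keystore, usable only right after a STRONG biometric
    // authentication (timeout 0 = every use) and invalidated when a new biometric is enrolled.
    private fun getOrCreateKey(): SecretKey {
        val ks = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
        (ks.getKey(alias, null) as? SecretKey)?.let { return it }
        val spec = KeyGenParameterSpec.Builder(alias, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
            .setKeySize(256)
            .setUserAuthenticationRequired(true)
            .setUserAuthenticationParameters(0, KeyProperties.AUTH_BIOMETRIC_STRONG)
            .setInvalidatedByBiometricEnrollment(true)
            .build()
        return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
            .apply { init(spec) }.generateKey()
    }

    // Shows the system biometric prompt bound to `cipher`; the cipher only works after success.
    private fun authenticate(cipher: Cipher, onSuccess: (Cipher) -> Unit, onFailure: () -> Unit) {
        val prompt = BiometricPrompt(activity, ContextCompat.getMainExecutor(activity),
            object : BiometricPrompt.AuthenticationCallback() {
                override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
                    result.cryptoObject?.cipher?.let(onSuccess) ?: onFailure()
                }
                override fun onAuthenticationError(errorCode: Int, errString: CharSequence) = onFailure()
            })
        val info = BiometricPrompt.PromptInfo.Builder()
            .setTitle("Unlock session")
            .setNegativeButtonText("Use password")
            .setAllowedAuthenticators(BIOMETRIC_STRONG)
            .build()
        prompt.authenticate(info, BiometricPrompt.CryptoObject(cipher))
    }

    // Step 1, after the initial password / API-based login: seal the refresh token.
    // Only ciphertext and IV are persisted; the short-lived access token stays in memory.
    fun storeRefreshToken(refreshToken: String, onDone: (Boolean) -> Unit) {
        val cipher = Cipher.getInstance("AES/GCM/NoPadding").apply { init(Cipher.ENCRYPT_MODE, getOrCreateKey()) }
        authenticate(cipher, onSuccess = { c ->
            val ct = c.doFinal(refreshToken.toByteArray(Charsets.UTF_8))
            prefs.edit()
                .putString("rt_ct", Base64.encodeToString(ct, Base64.NO_WRAP))
                .putString("rt_iv", Base64.encodeToString(c.iv, Base64.NO_WRAP))
                .apply()
            onDone(true)
        }, onFailure = { onDone(false) })
    }

    // Step 2, on app resume: biometric unlock -> unseal refresh token -> refresh_token grant.
    // onReloginRequired fires when nothing is sealed, the prompt fails, or the key was invalidated.
    fun resumeSession(clientId: String, clientSecret: String,
                      onTokenResponse: (String) -> Unit, onReloginRequired: () -> Unit) {
        val ct = prefs.getString("rt_ct", null)?.let { Base64.decode(it, Base64.NO_WRAP) }
        val iv = prefs.getString("rt_iv", null)?.let { Base64.decode(it, Base64.NO_WRAP) }
        if (ct == null || iv == null) return onReloginRequired()
        val cipher = Cipher.getInstance("AES/GCM/NoPadding")
        try {
            cipher.init(Cipher.DECRYPT_MODE, getOrCreateKey(), GCMParameterSpec(128, iv))
        } catch (e: KeyPermanentlyInvalidatedException) {
            prefs.edit().clear().apply() // sealed token is unrecoverable: force a password login
            return onReloginRequired()
        }
        authenticate(cipher, onSuccess = { c ->
            val refreshToken = String(c.doFinal(ct), Charsets.UTF_8)
            Thread { // keep the network call off the main thread
                val body = refreshAccessToken(refreshToken, clientId, clientSecret)
                activity.runOnUiThread { if (body != null) onTokenResponse(body) else onReloginRequired() }
            }.start()
        }, onFailure = onReloginRequired)
    }

    // OAuth2 refresh_token grant; returns the raw JSON token response on HTTP 200, else null.
    private fun refreshAccessToken(refreshToken: String, clientId: String, clientSecret: String): String? {
        val conn = (URL(tokenEndpoint).openConnection() as HttpURLConnection).apply {
            requestMethod = "POST"; doOutput = true
            setRequestProperty("Authorization", "Basic " +
                Base64.encodeToString("$clientId:$clientSecret".toByteArray(), Base64.NO_WRAP))
            setRequestProperty("Content-Type", "application/x-www-form-urlencoded")
        }
        val form = "grant_type=refresh_token&refresh_token=" + URLEncoder.encode(refreshToken, "UTF-8")
        conn.outputStream.use { it.write(form.toByteArray()) }
        return if (conn.responseCode == 200) conn.inputStream.bufferedReader().readText() else null
    }
}
```

The security properties come from the key parameters rather than from the prompt UI: `setUserAuthenticationRequired(true)` with a timeout of 0 means the Keystore refuses `doFinal` unless the cipher was authorized through the `CryptoObject` of a successful biometric, and `setInvalidatedByBiometricEnrollment(true)` turns an enrollment change into a `KeyPermanentlyInvalidatedException`, which the code answers by wiping the sealed token and sending the user back to the password login. If the server is configured to rotate refresh tokens on each refresh grant, parse the new `refresh_token` from the JSON response and call `storeRefreshToken` again so the sealed copy stays current.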