I'm developing a mobile application with a dedicated server. In order for the user to access the home page, he must log in with his username and password. The server will verify the credentials and return access and refresh tokens. The refresh one will be stored in the "mobile secure storage".
When the user returns to the application, a /refresh api request is sent to the server to check the validity of the stored refresh token. If it's still valid, the user will receive access and be redirected to the home page automatically. If not, he will have to log in again. Nothing special so far.
I'd like to propose in the settings to add fingerprint biometrics or PIN as an additional security check. I wonder if I can do that without any server interaction:
- User opens the app
- /refresh is sent
- If invalid, go to login page
- If valid
- Check fingerprint with a frontend library (or PIN)
- If valid go to home page
- If invalid, repeat 3x, then go to login page
- Check fingerprint with a frontend library (or PIN)
See Sequence diagram if it can help.
Is it correct in terms of architecture, or is it completely cheated or a bad way to do it ?
Note that if the user chose PIN as the second authentication, I would make an api request, as the PIN would be stored in the database. I wonder if I should do the same for the fingerprint but how to store a fingerprint, and, even worse, how to compare it on the server side ?
Thanks for your help!
I haven't implemented anything yet, I need feedback on architecture level about the conception.
To verify that a fingerprint belongs to a user you would need the user data to compare against. This means you will need to send it to the front end.
You can't keep this data secret because, at this point the user identity is not confirmed (that is why you need the fingerprint in the first place)
So, I would say a safer way is to capture the input data in the front end (the fingerprint) but the data to compare against in the back-end (non public)