The State of Biometrics
Biometric authentication has moved from a premium feature to a standard expectation. Users prefer the speed of Face ID or a fingerprint scan to typing a complex password. Biometrics should not be the sole mode of authentication, though: your app never sees the biometric itself, only a pass/fail result, so a biometric check is best treated as a convenient local wrapper around a token or key held in the device's hardware-backed keystore, not as a credential your server can verify.
iOS LocalAuthentication
On iOS, use the LocalAuthentication framework. Create an LAContext and check availability with canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error:) before showing any biometric UI; the error it hands back tells you whether biometrics are unavailable, not enrolled, or locked out. If the app uses Face ID, Info.plist must contain an NSFaceIDUsageDescription string, and every evaluatePolicy call takes a localizedReason that the system shows in the prompt, so write one that names the action being protected. Always handle the LAError cases: userCancel, userFallback (the user tapped the fallback button), biometryLockout (too many failures; only the device passcode clears it), biometryNotEnrolled, and biometryNotAvailable.
Apple's Secure Enclave stores the encrypted biometric templates and performs the matching itself; the data never leaves the device and is not readable by your app or by the rest of the OS. Your app only ever learns whether the match succeeded. Android's equivalent is a TEE- or StrongBox-backed implementation, which is why its prompt lets you insist on class 3 ("strong") biometrics when the result will unlock a key.
Android BiometricPrompt API
Android 9 (API 28) introduced BiometricPrompt to put fingerprint, face, and iris scanning behind one system dialog, and Android 10 (API 29) added BiometricManager for checking availability. For backward compatibility, use the Jetpack Biometric library (androidx.biometric), which backports both to older releases. Define the PromptInfo with a title, the authenticator classes you accept (setAllowedAuthenticators; choose BIOMETRIC_STRONG when the prompt will unlock a key), and a negative button (e.g., "Use Password"). Note that the negative button is required when you do not allow DEVICE_CREDENTIAL and forbidden when you do, because in that mode the system offers the PIN, pattern, or password itself. The system draws the UI, which gives users a consistent and trusted experience across manufacturer devices and keeps your app from ever touching sensor data.
Secure Fallback Strategies
Biometrics can fail for environmental reasons (lighting, gloves, a wet finger) or because the system has locked the sensor after too many failed attempts. Always provide a fallback to a PIN, pattern, or the main account password. This keeps users from being locked out when a sensor fails, and it covers the case where the device demands the primary credential anyway, for example after a reboot, when biometrics are unavailable until the device passcode has been entered once. One caveat: if you bind a key to biometrics (see below), a fallback to the app password cannot unlock that key; the fallback path must re-authenticate with the server and re-seal a fresh token.
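As an added example (not code from the original article), here is the Android side of the two sections above in Kotlin, using the Jetpack androidx.biometric library. It checks for a class 3 biometric, shows the system prompt in either of the two legal configurations (biometric-only with a "Use password" button, or biometric plus device credential with no button), and maps the error codes that matter for a fallback strategy onto outcomes the app can act on. The class and outcome names, and the "Example Bank" title, are assumptions made for this example.

```kotlin
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricManager.Authenticators.BIOMETRIC_STRONG
import androidx.biometric.BiometricManager.Authenticators.DEVICE_CREDENTIAL
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity

/** Outcome handed back to the caller (assumed names); the app decides what each one means. */
sealed class AuthOutcome {
    object Verified : AuthOutcome()          // biometric (or device credential) accepted
    object UseAppPassword : AuthOutcome()    // negative button tapped, or the sensor is locked out
    object Cancelled : AuthOutcome()         // user dismissed the dialog; not a failure
    object NotAvailable : AuthOutcome()      // no sensor, nothing enrolled, or hardware busy
    data class Failed(val message: String) : AuthOutcome()
}

class BiometricGate(private val activity: FragmentActivity) {

    /** True only if a class 3 ("strong") biometric is enrolled and usable right now. */
    fun canUseBiometrics(): Boolean =
        BiometricManager.from(activity).canAuthenticate(BIOMETRIC_STRONG) ==
            BiometricManager.BIOMETRIC_SUCCESS

    /**
     * allowDeviceCredential = false: biometric only, with an explicit "Use password" button
     *   that sends the user to the app's own password screen.
     * allowDeviceCredential = true: the system offers the device PIN/pattern/password itself;
     *   the library rejects a negative button in this mode, so none is set.
     * Lockout (too many misses) is routed to the same fallback as the button.
     */
    fun authenticate(allowDeviceCredential: Boolean, onResult: (AuthOutcome) -> Unit) {
        val callback = object : BiometricPrompt.AuthenticationCallback() {
            override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
                onResult(AuthOutcome.Verified)
            }

            override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {
                onResult(
                    when (errorCode) {
                        BiometricPrompt.ERROR_NEGATIVE_BUTTON,
                        BiometricPrompt.ERROR_LOCKOUT,              // temporary (about 30 s)
                        BiometricPrompt.ERROR_LOCKOUT_PERMANENT -> AuthOutcome.UseAppPassword
                        BiometricPrompt.ERROR_USER_CANCELED,
                        BiometricPrompt.ERROR_CANCELED -> AuthOutcome.Cancelled
                        BiometricPrompt.ERROR_NO_BIOMETRICS,
                        BiometricPrompt.ERROR_HW_NOT_PRESENT,
                        BiometricPrompt.ERROR_HW_UNAVAILABLE -> AuthOutcome.NotAvailable
                        else -> AuthOutcome.Failed(errString.toString())
                    }
                )
            }

            override fun onAuthenticationFailed() {
                // One non-matching scan; the prompt stays on screen, so nothing to do here.
            }
        }

        val builder = BiometricPrompt.PromptInfo.Builder()
            .setTitle("Unlock Example Bank")                 // assumed app name
            .setSubtitle("Confirm it's you to continue")
        if (allowDeviceCredential) {
            builder.setAllowedAuthenticators(BIOMETRIC_STRONG or DEVICE_CREDENTIAL)
        } else {
            builder.setAllowedAuthenticators(BIOMETRIC_STRONG)
                .setNegativeButtonText("Use password")
        }

        BiometricPrompt(activity, ContextCompat.getMainExecutor(activity), callback)
            .authenticate(builder.build())
    }
}
```

Call canUseBiometrics() before offering the biometric toggle in settings, and treat NotAvailable and UseAppPassword as "show the password screen now" rather than as errors; Cancelled should simply leave the user where they were.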
Encryption with Biometrics
For high-security apps, don't just check whether authentication "passed" and flip a boolean; a flag in memory is trivially bypassed on a rooted or instrumented device. Use the biometric check to unlock a cryptographic key held in the Keychain or Secure Enclave (iOS) or the Android Keystore, created with an access policy that requires user presence. That key can then decrypt local sensitive data or sign a challenge from your server, so the server receives evidence that the physical owner was present instead of a self-reported "authenticated" flag.
User Experience Patterns
Don't force biometrics on every app open. Consider a "grace period" or only requiring it for sensitive actions like payments or profile changes. Allow users to toggle biometrics in settings. Clearly communicate why you are asking for it and what happens if it's disabled.
Security Best Practices
Always invalidate the session, and any locally sealed secret, when the enrolled biometric set changes (e.g., a new fingerprint or face is added). On iOS, read LAContext.evaluatedPolicyDomainState after a successful canEvaluatePolicy or evaluatePolicy and compare it with the value you stored when the user enabled biometrics; a different value means the set changed (iOS 18 deprecates this property in favour of domainState, which supports the same comparison). Better still, protect the Keychain item with a SecAccessControl that uses .biometryCurrentSet, so the system refuses to release it after any enrollment change without your app having to compare anything. On Android, call setInvalidatedByBiometricEnrollment(true) on the KeyGenParameterSpec for your key; after a new enrollment the key is permanently invalidated and the next Cipher.init throws KeyPermanentlyInvalidatedException, which you should treat as "delete the key and require a full login". This stops someone who briefly has an unlocked device (and knows its passcode, which enrollment requires) from adding their own biometric and using it to open your app.