
KeyChain security vs hash-salting mechanism, which is better?


We are developing an enterprise iOS 7 mobile application; currently the user is authenticated with his credentials (username and password) against a dedicated server.

But we need to provide offline authentication as well, as network connectivity is a major issue.

So one way is:

  1. For the very first login, the user must be online.
  2. The user gets authenticated.
  3. Cache the password hash in the iOS app.
  4. In offline mode, verify against the hash.

Is this approach fine? OR

  • Is it a better approach to just use the iOS Keychain to store the password?

Solution

  • I would recommend using the KeyChain. It is a bit more difficult than storing it in your app folder, but it is a lot more secure.

    The KeyChain will handle all of the encryption for you, will provide you with options on what happens to your data when the device is restored, and lets you place conditions on when the data is accessible (e.g. only on unlocked devices).

    If you're developing more than one app you can use the KeyChain to share information between apps. One thing to keep in mind is that the KeyChain retains information even after app removal, unless you remove it.

    An easy way to get started is to use CocoaPods in your project and do a search for KeyChain pods.

    One question to you: do you really need to re-authenticate (offline) after the first login? If you do, it might be more user-friendly to ask for a PIN (which you can store in the KeyChain).
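The two options in the question and the answer are not mutually exclusive: the app can cache a salted PBKDF2 verifier (steps 3 and 4 of the question) and keep that verifier in the Keychain with the accessibility and restore behaviour the answer mentions. The following Swift code is an added example, not code from the original question or answer. The type names `OfflineVerifier` and `OfflineAuth`, the service string `com.example.offline-auth` and the iteration count are hypothetical; it assumes Swift 4 or later (for `Codable`) and that CommonCrypto is importable as a module (Xcode 10 or later; older toolchains need a bridging header).

```swift
import Foundation
import Security
import CommonCrypto   // assumption: importable as a module (Xcode 10+); older toolchains need a bridging header

/// Cached offline verifier: random salt + PBKDF2-HMAC-SHA256 output. Constructed for this example.
struct OfflineVerifier: Codable {
    let salt: Data
    let rounds: UInt32
    let derivedKey: Data
}

enum OfflineAuth {
    // Hypothetical service label for the Keychain item; not from the original post.
    static let service = "com.example.offline-auth"
    static let keyLength = 32
    // Hypothetical default; calibrate on real devices (CCCalibratePBKDF) so one check takes ~100 ms.
    static let defaultRounds: UInt32 = 100_000

    /// PBKDF2-HMAC-SHA256 via CommonCrypto. Returns nil if the derivation fails.
    static func derive(password: String, salt: Data, rounds: UInt32) -> Data? {
        let saltBytes = [UInt8](salt)
        var out = [UInt8](repeating: 0, count: keyLength)
        let status = CCKeyDerivationPBKDF(
            CCPBKDFAlgorithm(kCCPBKDF2),
            password, password.utf8.count,          // String bridges to const char *
            saltBytes, saltBytes.count,
            CCPseudoRandomAlgorithm(kCCPRFHmacAlgSHA256),
            rounds,
            &out, keyLength)
        return status == Int32(kCCSuccess) ? Data(out) : nil
    }

    /// Comparison whose running time does not depend on where the first mismatch is.
    static func constantTimeEqual(_ a: Data, _ b: Data) -> Bool {
        guard a.count == b.count else { return false }
        var diff: UInt8 = 0
        for (x, y) in zip(a, b) { diff |= x ^ y }
        return diff == 0
    }

    /// Called once after a successful ONLINE login: derive and cache a verifier, never the password itself.
    static func enroll(account: String, password: String) -> Bool {
        var saltBytes = [UInt8](repeating: 0, count: 16)
        guard SecRandomCopyBytes(kSecRandomDefault, saltBytes.count, &saltBytes) == errSecSuccess else { return false }
        let salt = Data(saltBytes)
        guard let key = derive(password: password, salt: salt, rounds: defaultRounds) else { return false }
        let verifier = OfflineVerifier(salt: salt, rounds: defaultRounds, derivedKey: key)
        return store(verifier, account: account) == errSecSuccess
    }

    /// Offline check: recompute with the stored salt and rounds, then compare in constant time.
    static func verifyOffline(account: String, password: String) -> Bool {
        guard let v = load(account: account),
              let candidate = derive(password: password, salt: v.salt, rounds: v.rounds) else { return false }
        return constantTimeEqual(candidate, v.derivedKey)
    }

    // MARK: Keychain persistence

    private static func baseQuery(account: String) -> [String: Any] {
        return [kSecClass as String: kSecClassGenericPassword,
                kSecAttrService as String: service,
                kSecAttrAccount as String: account]
    }

    private static func store(_ verifier: OfflineVerifier, account: String) -> OSStatus {
        guard let payload = try? JSONEncoder().encode(verifier) else { return errSecParam }
        SecItemDelete(baseQuery(account: account) as CFDictionary)   // replace any previous verifier
        var attrs = baseQuery(account: account)
        attrs[kSecValueData as String] = payload
        // Readable only while the device is unlocked, and not migrated to backups or to another device.
        attrs[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        return SecItemAdd(attrs as CFDictionary, nil)
    }

    private static func load(account: String) -> OfflineVerifier? {
        var query = baseQuery(account: account)
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var item: CFTypeRef?
        guard SecItemCopyMatching(query as CFDictionary, &item) == errSecSuccess,
              let data = item as? Data else { return nil }
        return try? JSONDecoder().decode(OfflineVerifier.self, from: data)
    }

    /// Call on logout or credential change: the Keychain item would otherwise outlive the app.
    static func forget(account: String) {
        SecItemDelete(baseQuery(account: account) as CFDictionary)
    }
}
```

Typical flow: after the server accepts the credentials, call `OfflineAuth.enroll(account:password:)`; when no network is available, call `verifyOffline(account:password:)`. The stored value is a verifier rather than the password, so even someone who obtains the item still has to pay the PBKDF2 cost per guess; that cost, together with the `ThisDeviceOnly` accessibility class, is what the Keychain alone does not give you, and `forget` covers the answer's point that Keychain data survives app removal.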