I'm trying to use firebase email authentication and enable biometrics.
The solution I am able to come to is:
- enable biometrics and get the fingerprint token
- encrypt the user's username+password with this token
- store the encrypted username+password in app storage
- when the user authenticates using biometrics, the app decrypts the stored username+password and logs in to Firebase.
The issue is of course the difficult choice of storing the encrypted username+password locally.
Is there any better alternative, like
- saving an encrypted Firebase token instead of username+password?
- saving the token on a server?
How do professional apps do it with Firebase?
Use the symmetric and asymmetric key concept with the Android Keystore.
Follow the Salesforce Mobile SDK's strategy for using the Android Keystore
(more details here: https://developer.salesforce.com/docs/atlas.en-us.mobile_sdk.meta/mobile_sdk/auth_secure_key_storage_android.htm)
To summarize the steps :
- The application, upon installation and first run, creates an asymmetric key pair and a symmetric key.
- The application stores the asymmetric key pair in the Android Keystore. Keystore access is granted only when the user unlocks the phone (e.g. with a PIN code or biometrics; this step is optional, you can do it without it).
- The application encrypts the symmetric key with the public part of the asymmetric key pair and stores that in shared preferences.
- It is the symmetric key that is used to encrypt/decrypt the Firebase token or username+password, whichever you want to use.
- To access the encrypted symmetric key, the app first has to obtain the private key from the Android Keystore, decrypt the symmetric key, and then use it.
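As an added example (my own code, not from the original post and not the Salesforce SDK's implementation), here are the five steps above written against the Android Keystore API in Kotlin. It assumes minSdk 23; the key alias, preference names and the `WrappedKeyStore` class and its method names are made up for illustration.

```kotlin
import android.content.Context
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import android.util.Base64
import java.security.KeyPairGenerator
import java.security.KeyStore
import java.security.PrivateKey
import java.security.SecureRandom
import java.security.spec.MGF1ParameterSpec
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec
import javax.crypto.spec.OAEPParameterSpec
import javax.crypto.spec.PSource
import javax.crypto.spec.SecretKeySpec

// Alias and preference names are invented for this example.
private const val KEY_PAIR_ALIAS = "example_wrapping_rsa"
private const val PREFS_NAME = "example_wrapped_keys"
private const val PREF_WRAPPED_AES = "wrapped_aes_key"
private const val RSA_TRANSFORM = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding"
private const val AES_TRANSFORM = "AES/GCM/NoPadding"

// Android Keystore uses SHA-1 for the OAEP MGF1 function even when the main digest
// is SHA-256, while other JCA providers default MGF1 to SHA-256. Spelling the
// parameters out on both the wrap and unwrap side avoids a silent mismatch.
private val OAEP_PARAMS = OAEPParameterSpec(
    "SHA-256", "MGF1", MGF1ParameterSpec.SHA1, PSource.PSpecified.DEFAULT
)

class WrappedKeyStore(context: Context) {
    private val keyStore = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
    private val prefs = context.getSharedPreferences(PREFS_NAME, Context.MODE_PRIVATE)

    /** Steps 1-3: RSA pair in the Keystore, software AES key, wrap it, persist only the wrapped blob. */
    fun ensureKeys(requireUserAuth: Boolean) {
        if (keyStore.containsAlias(KEY_PAIR_ALIAS) && prefs.contains(PREF_WRAPPED_AES)) return

        val spec = KeyGenParameterSpec.Builder(
            KEY_PAIR_ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
        )
            .setKeySize(2048)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_RSA_OAEP)
            // SHA-1 must be authorized as well because MGF1 uses it (see OAEP_PARAMS).
            .setDigests(KeyProperties.DIGEST_SHA256, KeyProperties.DIGEST_SHA1)
            // true: the private key is only usable right after a biometric / credential
            // prompt (the optional step in the answer). Either way it never leaves the Keystore.
            .setUserAuthenticationRequired(requireUserAuth)
            .build()
        KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_RSA, "AndroidKeyStore").run {
            initialize(spec)
            generateKeyPair()
        }

        // Wrapping uses the public key, so it needs no user authentication.
        val aesKey = KeyGenerator.getInstance("AES").apply { init(256) }.generateKey()
        val rsa = Cipher.getInstance(RSA_TRANSFORM)
        rsa.init(Cipher.ENCRYPT_MODE, keyStore.getCertificate(KEY_PAIR_ALIAS).publicKey, OAEP_PARAMS)
        val wrapped = rsa.doFinal(aesKey.encoded)
        prefs.edit().putString(PREF_WRAPPED_AES, Base64.encodeToString(wrapped, Base64.NO_WRAP)).apply()
    }

    /** RSA decrypt cipher bound to the Keystore private key. With requireUserAuth = true, pass
     *  it to BiometricPrompt.authenticate(...) inside a BiometricPrompt.CryptoObject and call
     *  unwrapAesKey(result.cryptoObject.cipher) from onAuthenticationSucceeded. */
    fun unwrapCipher(): Cipher {
        val privateKey = keyStore.getKey(KEY_PAIR_ALIAS, null) as PrivateKey
        return Cipher.getInstance(RSA_TRANSFORM).apply { init(Cipher.DECRYPT_MODE, privateKey, OAEP_PARAMS) }
    }

    /** Step 5: recover the symmetric key from the blob in shared preferences. */
    fun unwrapAesKey(rsaDecrypt: Cipher): SecretKey {
        val wrapped = Base64.decode(prefs.getString(PREF_WRAPPED_AES, null)!!, Base64.NO_WRAP)
        return SecretKeySpec(rsaDecrypt.doFinal(wrapped), "AES")
    }

    /** Step 4: AES-GCM encrypt the Firebase token (or credentials); the 12-byte IV is prepended. */
    fun seal(aesKey: SecretKey, plaintext: ByteArray): ByteArray {
        val iv = ByteArray(12).also { SecureRandom().nextBytes(it) }
        val gcm = Cipher.getInstance(AES_TRANSFORM)
        gcm.init(Cipher.ENCRYPT_MODE, aesKey, GCMParameterSpec(128, iv))
        return iv + gcm.doFinal(plaintext)
    }

    fun open(aesKey: SecretKey, blob: ByteArray): ByteArray {
        val gcm = Cipher.getInstance(AES_TRANSFORM)
        gcm.init(Cipher.DECRYPT_MODE, aesKey, GCMParameterSpec(128, blob.copyOfRange(0, 12)))
        // GCM's tag check makes a tampered blob throw AEADBadTagException instead of decrypting garbage.
        return gcm.doFinal(blob.copyOfRange(12, blob.size))
    }
}
```

Two practical notes on this design. The wrapped AES key sitting in shared preferences is only as protected as the Keystore private key that unwraps it: the private key is non-exportable (and hardware-backed where the device supports it), and with `setUserAuthenticationRequired(true)` it additionally refuses to decrypt outside an authenticated `CryptoObject`, which is what ties the stored Firebase token to biometrics. Second, by default (API 24+) such a key is permanently invalidated when a new fingerprint is enrolled, so the decrypt path should catch `KeyPermanentlyInvalidatedException`, delete the alias and the wrapped blob, and fall back to the normal interactive Firebase login before calling `ensureKeys` again.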