
How do apps properly validate Face-id or biometrics before important actions on the backend?


I have a theoretical question: how is a mobile app supposed to handle Face ID or biometrics being required before certain tasks?

Let's say a banking app asks for Face ID on iPhone before making a transaction. How is the backend supposed to validate it? What is the backend supposed to get? Some sort of token? Can you provide me with any implementation guidelines on that?

Update: I get that the backend does not validate it. But what is the security standard in that case, reauthenticate the user?


Solution

  • AUTHENTICATION

    You could take a look at passkeys and the WebAuthn standard, where:

    • The main credential sent to the server is a digital signature produced with strong asymmetric cryptography.
    • The use of Face ID etc. is a secondary authentication factor, mostly just to prove user presence and to help prevent automated attacks.

    API ACCESS

    Although a digital signature proves that the user authenticated, it can be useful if, after authentication, the app can also get an API credential for a high privilege business area.

    E.g. a banking app using OAuth 2.0 might operate like this:

    • The app triggers re-authentication with a parameter like scope=payments.
    • The authorization server presents passkey login forms to authenticate the user.
    • The authorization server issues an access token with the requested scope - and perhaps a level_of_assurance claim representing the user's authentication strength.
    • The API then has what it needs to decide whether to allow the high privilege operation.

    SUMMARY

    So there are a couple of backend concerns that you might separate:

    • Server side validation to verify a proof of the user identity
    • High privilege resource access afterwards
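An added illustration of the two backend concerns separated in the answer above (example code, not the answer author's): the server issues a one-time challenge bound to the user and the exact action, checks the signature over it through a pluggable verifier (in production a WebAuthn/passkey library doing the asymmetric check), and the API then inspects the access token's `scope` and `level_of_assurance` claims. `StepUpAuth`, `authorize_payment`, the message layout and the assurance threshold of 2 are assumptions of this example.

```python
import os
import time
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Challenge:
    user: str
    action: str          # what the signature is bound to, e.g. "pay:acct-42:100.00"
    nonce: bytes         # fresh random value, so an old signature cannot be replayed
    expires_at: float
    used: bool = False


class StepUpAuth:
    """Server side: issue a challenge, then verify the client's proof over it."""

    def __init__(self, verify: Callable[[bytes, bytes, bytes], bool], ttl: float = 120):
        self.verify = verify          # (public_key, message, signature) -> bool
        self.ttl = ttl                # seconds the challenge stays valid
        self.pending: dict[bytes, Challenge] = {}

    def issue_challenge(self, user: str, action: str) -> Challenge:
        ch = Challenge(user, action, os.urandom(32), time.time() + self.ttl)
        self.pending[ch.nonce] = ch
        return ch

    def message(self, ch: Challenge) -> bytes:
        # Assumed layout: nonce | user | action; the server rebuilds it from its own
        # stored copy, so a client cannot swap in a different action.
        return ch.nonce + b"|" + ch.user.encode() + b"|" + ch.action.encode()

    def complete(self, nonce: bytes, public_key: bytes, signature: bytes,
                 now: Optional[float] = None) -> bool:
        ch = self.pending.get(nonce)
        if ch is None or ch.used:
            return False              # unknown or replayed challenge
        ch.used = True                # single use, even if verification fails
        if (now or time.time()) > ch.expires_at:
            return False              # stale challenge
        return bool(self.verify(public_key, self.message(ch), signature))


def authorize_payment(claims: dict, now: Optional[float] = None) -> bool:
    """API side: token must be unexpired, carry the payments scope and a
    level_of_assurance of at least 2 (threshold assumed for this example)."""
    if (now or time.time()) >= claims.get("exp", 0):
        return False
    if "payments" not in claims.get("scope", "").split():
        return False
    return int(claims.get("level_of_assurance", 0)) >= 2
```

The `verify` callable is where a real passkey verifier goes; the challenge store is in-memory here and would be a shared, expiring store in a multi-instance backend.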