
Quick guide on Local Authentication for iOS

Learn how to use biometric authentication like Face ID or Touch ID.

24 Jan 2022 · 4 min read

Apple's Local Authentication framework allows us to use biometric authentication like Face ID or Touch ID in our applications to give users secure access to sensitive data.

Let's look at how this works.

Checking if biometry is available

Depending on the device and the user's settings, we may or may not be able to use biometric authentication. So as a first step, we should always call the canEvaluatePolicy method on the LAContext object.

    import LocalAuthentication

    let context = LAContext()
    var error: NSError?
    guard context.canEvaluatePolicy(.deviceOwnerAuthentication, error: &error) else {
        // .deviceOwnerAuthentication accepts biometry or the device passcode,
        // so neither is available here: inspect `error` and provide a fallback
        return
    }

The biometry type

If canEvaluatePolicy returns true, we may want to know which biometry type the device supports before evaluating, for example to provide a slightly different UI for each case. For this purpose, LAContext provides the biometryType property.

    switch context.biometryType {
    case .faceID:
        // The device supports Face ID.
        break
    case .touchID:
        // The device supports Touch ID.
        break
    case .none:
        // No biometry type is supported.
        break
    @unknown default:
        // A biometry type added in a later SDK.
        break
    }

Beware, biometryType only contains the right value after running the canEvaluatePolicy(_:error:) method.

Starting the biometry authentication

To start the biometry authentication, we can now call the evaluatePolicy method.

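    // Sample text; shown to the user in the authentication prompt
    let reason = "Authenticate to access your data"

    context.evaluatePolicy(.deviceOwnerAuthentication, localizedReason: reason) { (success, error) in
        // The reply closure runs on a private queue; hop to the main queue for UI work
        DispatchQueue.main.async {
            if success {
                // successfully authenticated
            } else {
                // handle error
            }
        }
    }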

For Face ID, we need to add the NSFaceIDUsageDescription key in the app’s Info.plist file. The value is presented to the user when our app attempts to use Face ID.

For Touch ID, the system presents the localizedReason parameter that we passed into the evaluatePolicy method.

And that's basically it. If the evaluation completes successfully, we can now give the user access to sensitive data or features.

Providing fallback

There are many reasons why an authentication might fail, for example if the user's device doesn’t have Touch ID or Face ID, the user cancels the authentication, or the user has no biometrics or passcode set up.

In a real-world app, it's good practice to provide a fallback if that happens, for example by asking for a username and password.
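
One way to turn the failure reasons listed above into a fallback decision, as an added example that is not part of the original article. AuthOutcome, outcome(for:) and authenticate(reason:completion:) are hypothetical names chosen for illustration; the LAError codes are the framework's own.

```swift
import Foundation
import LocalAuthentication

// Hypothetical app-level outcomes; these names are not part of LocalAuthentication.
enum AuthOutcome {
    case authenticated
    case cancelled          // the prompt was dismissed: stay on the locked screen
    case passwordFallback   // ask for username and password instead
    case failed             // credentials were presented but rejected
}

// Maps a failed evaluation to an outcome. No branch returns .authenticated,
// so an unknown or missing error can never unlock the app.
func outcome(for error: Error?) -> AuthOutcome {
    guard let laError = error as? LAError else { return .passwordFallback }
    switch laError.code {
    case .userCancel, .systemCancel, .appCancel:
        return .cancelled
    case .biometryNotAvailable, .biometryNotEnrolled, .biometryLockout,
         .passcodeNotSet, .userFallback:
        return .passwordFallback
    case .authenticationFailed:
        return .failed
    default:
        return .passwordFallback
    }
}

func authenticate(reason: String, completion: @escaping (AuthOutcome) -> Void) {
    let context = LAContext()
    var policyError: NSError?
    // Same policy as in the snippets above.
    guard context.canEvaluatePolicy(.deviceOwnerAuthentication, error: &policyError) else {
        completion(outcome(for: policyError))
        return
    }
    context.evaluatePolicy(.deviceOwnerAuthentication, localizedReason: reason) { success, error in
        DispatchQueue.main.async {
            // Only an explicit success unlocks; everything else goes through the mapping.
            completion(success ? .authenticated : outcome(for: error))
        }
    }
}
```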

Testing the authentication on a simulator

To test the authentication flow, we don't necessarily need a device. We can simulate success and failure directly in the simulator by choosing Features -> Face ID in the menu and then selecting the behaviour we want to simulate.

Behind the scenes

The iOS app never gains any access to the actual authentication data like fingerprint images. It is stored by an isolated security processor called Secure Enclave, which manages this data out of reach even for the operating system.

So when we ask the Local Authentication framework to evaluate, the framework asks the Secure Enclave to carry out the operation. Afterwards, we only receive a Boolean result and an optional error indicating success or failure.

© 2023 tanaschita.com
