I have an expo (react-native) app and use the expo-local-authentication library to authenticate users to the app.
My current flow looks like this:
At first login, when the user logs into the app or signs up, I store the username and password in expo-secure-store.
Once the user session expires, and the user clicks the button that says "Login with Biometrics", I look into the secure store and see if there is a previously stored credential (username and password), then I authenticate the user with those credentials, and get the authentication token. The authentication token is then used to call other endpoints.
One user reported the following issue with this:
User A logs into the app for the first time. Their username and password (usernameOfA, passwordOfA) get stored in the secure store.
The next time User A logs into the app with biometrics, we use their stored credential to log in, which works as expected.
Let's say User B logs into the app from the same device as User A. Now the username and password (usernameOfB, passwordOfB) get stored in the secure store and replace the credential of User A.
User B does their thing and logs out of the app. But here our secure store still has the credential of User B.
When User A comes back and logs in to the app with their biometrics, because the credential of User B is still stored in our secure store, the account of User B gets logged in instead of User A.
PS.
We could remove the username and password of the user from the secure store when the user logs out of the app, but we want users to be able to log in again with biometrics even after they log out of the app.
Also, we log the user out every time they close the app, so if we removed the credential on every logout we wouldn't be able to log the user in with biometrics the next time.
I seem to have not understood the flow of implementing biometrics. What other information should I include to determine that the correct user is logging in to the app? Or is there a different way to authenticate users with biometrics? I am looking to understand more about the flow and would appreciate any recommendations or resources. Thank you.
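One way to avoid the single-slot overwrite described above: keep one secure-store entry per account, keyed by username, and have the biometric login look up the slot for the account the login screen is about to sign in. The biometric prompt only proves the device owner is present; which account is logging in is information the app has to carry itself. This is an added example, not code from the question; it runs against a constructed in-memory stand-in for expo-secure-store, and `promptBiometrics` is an assumed wrapper around `LocalAuthentication.authenticateAsync()`.

```javascript
// Minimal in-memory stand-in for expo-secure-store, constructed so this runs
// offline. The real calls are SecureStore.setItemAsync/getItemAsync/
// deleteItemAsync (async); the logic is the same, only awaited.
class MemoryStore {
  constructor() { this.items = new Map(); }
  setItem(key, value) { this.items.set(key, value); }
  getItem(key) { return this.items.has(key) ? this.items.get(key) : null; }
  deleteItem(key) { this.items.delete(key); }
}

// expo-secure-store keys may only contain alphanumerics, '.', '-' and '_',
// so the username is hex-encoded instead of being embedded verbatim.
function credentialKey(username) {
  const hex = Array.from(username)
    .map((c) => c.codePointAt(0).toString(16).padStart(6, '0'))
    .join('');
  return `biometric_cred_${hex}`;
}

const LAST_USER_KEY = 'biometric_last_user';

// Called after a successful password login: store this account's secret in
// its own slot, so a later login by another account does not replace it.
// Storing a long-lived/refresh token here rather than the raw password
// limits what a leaked slot is worth.
function rememberCredential(store, username, secret) {
  store.setItem(credentialKey(username), JSON.stringify({ username, secret }));
  store.setItem(LAST_USER_KEY, username); // only a UI hint, never an identity
}

// Biometric login for a specific account. `username` comes from the login
// screen (typed, or chosen from the remembered accounts); `promptBiometrics`
// is an assumed wrapper around LocalAuthentication.authenticateAsync()
// that returns true when the prompt succeeds.
function biometricLogin(store, username, promptBiometrics) {
  const raw = store.getItem(credentialKey(username));
  if (raw === null) return null; // this account never enrolled on this device
  if (!promptBiometrics()) return null;
  const record = JSON.parse(raw);
  // Defensive check: the slot must belong to the account we intend to log in.
  if (record.username !== username) return null;
  return record;
}

// Per-account removal, e.g. a "forget this device" action in settings.
// Logout leaves the slots in place so biometric login still works afterwards.
function forgetCredential(store, username) {
  store.deleteItem(credentialKey(username));
}
```

With this layout, User B's enrolment adds a second slot instead of replacing User A's, and the login screen decides which slot is used.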
Related
Setup Overview
I am using B2C custom policies for sign-in flow in react application using msal-react and msal-browser packages. The user is able to log in properly for the first time after entering credentials. Now when the user clicks logout, B2C logout popup shows up and it goes away instantly without asking the user to choose an account which is expected because the user is signed in with only a single account. The user is redirected properly.
Doc followed: https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/logout.md
Issue
After successful logout (which seems to be happening properly, as the UnAuthenticated template executes after login), when the user presses login again it does not ask for any credentials, and the user is signed in again, which is a security issue. I am not sure what I am missing now. I have gone through all the MS docs multiple times and GitHub issues but did not find a solution.
Flow:
Before first login - Session Storage and Cookies are empty.
After login - Session Storage has values and Cookies have 2 entries: x-ms-cpim-sso and x-ms-cpim-csrf.
After logout - Both are cleared, with no values.
Click login again - the values from step 2 come back in. But if you don't click login and try different app routes, it shows the Unauthenticated template, which has the login button. So it seems the user was correctly logged out.
A few questions and helpful information
Is Azure AD B2C considered a social sign-in (federated entity), or is it considered a local account like Azure AD?
I have read here that it does not assume logout from a social IdP, but I am not using anything other than B2C. In this GitHub issue it is also mentioned that this is expected behaviour, but how do I log out properly so that the user is asked for credentials again? https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/2547
After pressing logout, if the user is signed out from B2C, as the app executes the Unauthenticated template instead of Authenticated, how is it able to sign in again without any credentials?
Please guide me to solve this issue.
The "passwordless login" term may not be accurate, but I don't know how else to describe it. What I mean by that is the login that you see on a lot of fintech/crypto apps. Basically, the app has a 4-digit local PIN (that's never sent to the API), and with this PIN the long-lived refresh_token is encrypted.
The PIN is only remembered in the user's brain. So, next time you open the app, you just type your 4-digit PIN for login (or biometry), and the app will use refresh_token from there.
Question: Which OAuth flow would be appropriate for this? It seems that for login they all want a password or show a prompt for the username/password. Or they redirect to a web page, which is not an option for a mobile app.
What I need is some kind of request, that's only used when signing up, where I only send email (without password) and I get a long-lived refresh_token for that user. From there I can just refresh that same token over and over.
I am not able to find proper documentation on how to get started with the scenarios below:
Forgot password. I have setup the reset password policy in Azure AD B2C and the user can click Forgot Password which redirects the user to a controller action in my app. But I'm not really sure what to do from here.
Reset password from the user profile in my app. In my app, I would like the user to be able to click "Reset Password", which would redirect the user to reset their password.
For both of the scenarios above, I would like Azure AD B2C to handle the password reset by asking the user for their email and then emailing them the password reset link and then handling the password reset appropriately. How can I do this?
There are two use cases for password reset:
If you click on the link in the signup / signin page, you get the error code AADB2C90118, which is returned to your application. Your application then needs to run a specific user flow that resets the password. Refer to a simple ASP.NET sample that demonstrates the linking of the user flows.
If the user has already signed in, you can simply provide a link. This link invokes the password reset policy that is configured on the B2C side.
Is there a setting, either in Google projects or in Firebase databases, for specifying that unauth should not cache user credentials? Once I have logged into my app via the Firebase Google authentication, calling unauth() does not permit me to log in again with a different account. An attempt to log in after that immediately logs in with the old credentials without asking for a new username and password. Closing and reopening the browser after the logout didn't help.
Firebase doesn't have access to your credentials when you use its Google authentication. Instead it uses OAuth to create a relationship between the Google account and your application.
When you call unauth, Firebase expires the token that is part of the current session. But it does not remove the relationship between the Google account and your application. That's why you "automatically" get a new token when you call auth... the next time.
It is up to each individual user to revoke the rights, which in the case of a Google account they can do at the Account Permissions page: https://security.google.com/settings/security/permissions
I want to know what are the best practices, when using Worklight:
To Logout
To maintain the user logged in after application relaunch
To log in a user directly after account creation
I am using Worklight 6 authentication, with a custom login module, for a Hybrid App (HTML5).
If there is a sample doing all these features, that would be great; otherwise, any code snippets and advice would help me.
Thanks
Can't exactly say that these are 'best practices', but this is what I would do in these situations:
To Logout
Don't have much to say here. Clear anything and everything that the user could use to access resources on the server, including cookies. As you probably know, the login modules come with a logout function call where you can perform these operations.
To maintain the user logged in after application relaunch
After the first login, use some local storage mechanism, such as JSONStore, in order to save the credentials. JSONStore can encrypt all data saved locally as well. When the user starts the app, instead of prompting for login credentials, check the local storage to see if the credentials already exist and then send them to the server to log in.
To log in a user directly after account creation
I'd use a similar approach to the above. When the user sends their account information to the server, save it to local storage. If the account creation was successful, then the server can send a success response to the client, which can then automatically send the credentials back to the server to log them in. If the server sends a failure response, then the credentials should be deleted from the local store and the user will be prompted to try to register again.