Trying trigger biometric prompt without authentication - react-native

I'm working on an app that requires a PIN to allow certain tasks (purchasing, dealing with credit cards, etc.). I would like to add the ability to use biometrics.
I want to be able to ask for permission to use the biometrics without actually authenticating anything the first time.
For example, the flow would be as follows:
- user logs in
- creates a PIN
- app asks if they would like to use biometrics in the future
- next time when PIN is required, authentication prompt appears.
The current flow:
- user logs in
- creates a PIN
- app asks if they would like to use biometrics in the future
- next time when PIN is required, OS prompt appears asking if user is ok with app using biometrics.
- THEN authentication prompt appears.
I've played around with react-native-touch-id, react-native-biometrics and a few others.
I know I could have it triggered when I first ask to set the PIN, but the system prompt options are not customizable.
Thank you for your input!

Related

Do I need MediaDevices permissions to take screenshots at intervals?

Regarding the MediaDevices API.
(https://developer.mozilla.org/en-US/docs/Web/API/MediaDevices/getUserMedia)
I know I need permission to use a media device to capture video, however I am not sure if I need to request permission multiple times in order to capture videoshots at regular intervals or just the one time at the start?
In other words, when does the permission expire? When the stream is closed, browser is refreshed or something else?
Can I use the initial permission to capture subsequent videoshots, or do I need permission for each videoshot I intend to capture?
The browser continues to store the settings for device access, so you only need to approve it the first time, unless you reset the settings yourself.
For example, in Chrome you can check the permission of the site at the addresses below.
- cam: chrome://settings/content/camera
- mic: chrome://settings/content/microphone
According to getUserMedia docs:
First, getUserMedia() must always get user permission before opening any media gathering input such as a webcam or microphone. Browsers may offer a once-per-domain permission feature, but they must ask at least the first time, and the user must specifically grant ongoing permission if they choose to do so.
So we can see that the user must explicitly choose to grant the ongoing permission option from the pop-up, otherwise, it's going to ask every time.
The permissions pop-up and default selections may vary between browsers, but they all support this feature.
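As an added illustration of the point in these answers (this is not code from the answers or the original question), the page calls getUserMedia() once, which is where the single permission prompt happens, and then takes every snapshot from that same live stream; the `deps` parameter is an assumption that only exists so the scheduling logic can be exercised outside a browser.

```javascript
// Added example: one getUserMedia() call (one permission prompt), then
// snapshots taken from that same live stream on a timer. `deps` is an
// assumption: it lets the logic run outside a browser by injecting fakes;
// in a real page it is simply omitted.
async function startIntervalCapture({ intervalMs, maxShots, onShot, deps }) {
  const mediaDevices = deps?.mediaDevices ?? navigator.mediaDevices;
  const grabFrame = deps?.grabFrame ?? makeCanvasGrabber();
  // The prompt happens here, once. Whether the browser remembers the grant
  // next session is the user's browser setting, not something the page controls.
  const stream = await mediaDevices.getUserMedia({ video: true, audio: false });
  const shots = [];
  let timer = null;
  let stopped = false;
  const stop = () => {
    stopped = true;
    clearInterval(timer);
    // Stop every track: releases the camera and turns the indicator light off.
    stream.getTracks().forEach((t) => t.stop());
  };
  return new Promise((resolve, reject) => {
    timer = setInterval(async () => {
      if (stopped) return;
      try {
        const frame = await grabFrame(stream);
        if (stopped) return;
        shots.push(frame);
        if (onShot) onShot(frame, shots.length);
        if (shots.length >= maxShots) { stop(); resolve(shots); }
      } catch (err) { stop(); reject(err); }
    }, intervalMs);
  });
}

// Browser-only default: draw the live <video> onto a canvas, return a JPEG data URL.
function makeCanvasGrabber() {
  let video = null;
  return async (stream) => {
    if (!video) {
      video = document.createElement('video');
      video.srcObject = stream;
      video.muted = true;
      await video.play();
    }
    const canvas = document.createElement('canvas');
    canvas.width = video.videoWidth;
    canvas.height = video.videoHeight;
    canvas.getContext('2d').drawImage(video, 0, 0);
    return canvas.toDataURL('image/jpeg', 0.8);
  };
}
```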
I decided against using the native browser APIs directly, opting instead to use a service like Twilio to handle video capture AND recording. Once we have the recording I intend to chop it up to get a series of screenshots that summarize the video. This is not in real time and does not need to be for my application.

Why separate the one time password of 2FA as another step?

Many websites now support 2FA and many of them ask users to use an app for the OTP. From the tool I use, like 1Password, it seems the OTP is updating all the time regardless of whether I have logged in to the website or not. My question is: since the OTP is always there, why is it split into a standalone step to enter the code instead of asking users to enter it along with the username and password?

Parse login with phone number (no password)

Using Parse.com, I want my users to login only with their phone number, just like WhatsApp.
Enter your phone number, get a verification code by SMS, enter the code - you are logged in and stay logged-in!
I can see how I can use Twilio to send a verification code.
My problem is how to tie it in with the Parse authentication framework.
- When to use signUp vs login?
- What is the password?
- What to do the second time the app is launched?
- What to do when the application is re-installed?
I don't think you should use the predefined Signup and Login classes provided by Parse, as they do not allow you to create a user without a password,
nor should you use Anonymous Users, as the data will be lost once the user signs out/uninstalls.
For Signup, use another object to store the numbers, and implement an onSave hook in Cloud Code to ensure that all the usernames (phone numbers) are unique during signing in.
For each device, perform an OTP (one-time password) to the phone of the user by using the Installation class's id.
Perform a query and load the data connected to the number during login.
To keep the user logged in, use the local data store: pin a Boolean variable that indicates the status of a user, either logged in or out.
In the Parse DB, you can use the phone number as the link to the other data of the user.
In this way, no password, only OTP.
You will need to store something on the user settings/profile to pin that user. I do not recommend using a boolean, but rather something that ties that device with the user, so that if someone decides to copy that file and paste it into a rooted phone you will be able to determine whether the app install corresponds to that user.
I would recommend using a unique token to create a password for a user in Parse.com - you can use the token that RingCaptcha generates for this, ensuring it will never collide with other users and that every phone number will only be able to verify one time for each device. RC is a new service that helps you onboard verified users into your apps in seconds via SMS. Integration is a breeze with all the available plugins for web, APIs, and SDKs of all flavours.
[Disclaimer: I'm part of the team behind RingCaptcha]

How to write an app for altering Windows 8 login options?

I'm looking to write an app that disallows some of the password login options (picture pw or pin) at certain moments - for myself and security reasons.
Any ideas how one would go about finding the APIs to use that can be run when the computer is locked and disallow a specific login option?
I checked all classes under Windows.Security.Authentication, Windows.System.UserProfile, and Windows.System.Profile, but didn't see anything to toggle those login options. There are methods to set the background picture under Windows.System.UserProfile.LockScreen, but that isn't what I'm looking for - just the ability to toggle the picture password and PIN options.
If you want to alter the login process I believe you have to implement your own custom credential provider. There is a sample in the Windows SDK on how to do this.
You can find more info on MSDN.

Google API that allows access to account security (re: 2-factor auth)

I am well aware of the security implications of this, so much so that I'm betting it doesn't exist, so before you call me crazy, that's why I'm asking.
I got really tired of having only my phone on me and installing a new app/whatever and finding myself needing to suddenly create a new application-specific password on the fly, and having to navigate Google's decidedly non-mobile-friendly security page to do that. I want to create an app of some kind that allows me to generate an application-specific password, whether by text or an Android app itself or something else. As I see it, there are two options here:
- Use some Google Account Security API (if it exists) to create the application-specific password
- Do scraping-type behavior (with proper credentials, of course) to automate its creation. I really don't want to do this.
Does anyone know (a) if this type of API exists, or (b) if there are any other ways to go about doing this? This app would be published on GitHub for self-hosting, obviously.
There is no official API to generate application-specific passwords.
I've solved this myself by doing a couple of things:
1) printing out the QR Code for the account that can be scanned by the Authenticator app in order to generate codes. I keep it secured in my desk. This allows me to reformat my phone without needing to turn two-step off each time.
2) use the browser sign-in for my Android device. When adding a Google account to an Android phone, just before the screen where you enter your username and password, click the menu button (or the 3 dots on the screen if you have no menu button) and choose Browser sign-in. This allows you to log in to an Android device with your username, real password and verification code rather than an application-specific password.
This saves me from needing to generate application-specific passwords 95% of the time.
Jay