ShukaZuby’s blog
How to Properly Implement Face ID in Your App: Lessons from a Real-Life Testing Experience

How to Properly Implement Face ID in Your App: Lessons from a Real-Life Testing Experience

Shuka Zubaidat's photo
Shuka Zubaidat
·

5 min read

Face ID is one of the most innovative biometric authentication methods, providing users with both convenience and security. However, while testing an app recently, I noticed significant flaws in its Face ID integration that revealed potential security risks. These observations motivated me to write this article, highlighting best practices for implementing Face ID in your app effectively.

What I Observed While Testing the App

During my test, I noticed the following:

1. Face ID Logged Me Into the Wrong Account:

I logged into the app using another person’s credentials and activated Face ID. After logging out, I signed up for a new account using Google Authentication. However, when I logged out again and used Face ID on the login screen, the app logged me back into the first account (the one associated with someone else’s credentials). This showed that Face ID was not tied to specific account credentials.

2. Face ID Could Be Bypassed with Login Credentials:

If a hacker obtained my login credentials, they could access my account and enable Face ID for their own device. The app did not check whether the biometric data matched the account owner’s credentials, rendering Face ID useless as a security feature.

These flaws demonstrated that Face ID was not being used as an additional layer of security but merely as a convenience feature.

Best Practices for Implementing Face ID in an App

To avoid the issues I encountered, developers must follow best practices when integrating Face ID into their apps. Here are the key steps:

1. Tie Face ID to a Specific User Account

  • Ensure that Face ID is linked to the user’s account and not just to the device.

  • Each account should have its own biometric token. If the user logs out or switches accounts, Face ID should automatically reset, requiring re-registration for the new account.

  • Example: If User A logs out and User B logs in, Face ID should not automatically recognize User A’s face.

2. Treat Face ID as an Additional Layer of Security

  • Face ID should not replace the primary authentication method (e.g., password, PIN). Instead, it should work as a second factor for authentication.

  • Even if someone obtains login credentials, they should still need biometric verification to access the account.

  • Use multi-factor authentication (MFA) combining Face ID with other methods like one-time passwords (OTPs) or email verification.

3. Enforce Biometric Match for Account Ownership

  • When Face ID is set up, the app should confirm that the biometric data belongs to the current account owner.

  • If someone logs in with different credentials, disable Face ID or prompt the user to re-register it for the new account.

  • This prevents scenarios where hackers can log in using stolen credentials and set up Face ID on their own devices.

4. Automatically Reset Face ID on Logout or Account Change

  • Logging out of an account should automatically remove any Face ID links.

  • Switching accounts on the same device should prompt the app to invalidate the existing biometric association and require re-registration.

5. Regularly Verify the Biometric Token

  • Periodically check that the stored biometric token matches the account it is associated with.

  • If there’s a mismatch or if the account credentials change, disable Face ID and require the user to re-enable it manually.

6. Educate Users on Face ID Security

  • Inform users that Face ID is tied to their credentials and should not be used as the sole means of securing their account.

  • Encourage users to enable additional security measures, such as strong passwords and multi-factor authentication.

Steps to Securely Implement Face ID with NodeJS

As a backend developer, it’s your responsibility to handle the backend logic that ensures Face ID is properly integrated and securely linked to user accounts. Below are key steps to implement a robust system for Face ID, along with supporting code snippets.

1. Tie Face ID Tokens to Specific User Accounts

When Face ID is registered, the backend must store the biometric token and associate it with the authenticated user’s account.

Here’s an example of how to store the Face ID token securely:

Code Snippet: Save Face ID Token

Key Considerations:

  • Store the faceIdToken in your database in an encrypted format (e.g., using crypto or a library like bcrypt).

  • The token should only be valid for the user who registered it.

2. Reset Face ID on Logout or Account Switch

When a user logs out or switches accounts, invalidate the existing Face ID token.

Code Snippet: Invalidate Token on Logout

Key Considerations:

  • If multiple accounts are used on the same device, prompt users to re-register Face ID after switching accounts.

3. Verify Face ID for Every Login

When a user logs in, the backend should verify the Face ID token matches the one stored for that account.

Code Snippet: Verify Face ID Token

Key Considerations:

  • Ensure that the providedFaceIdToken is securely transmitted from the client using HTTPS.

  • Use libraries like jsonwebtoken or crypto to validate the token.

4. Implement Multi-Factor Authentication (MFA)

Face ID should work alongside other authentication methods (e.g., passwords or OTPs) to ensure additional security.

Code Snippet: Multi-Factor Authentication

5. Periodically Refresh Face ID Tokens

To maintain security, periodically invalidate and refresh Face ID tokens, especially after account changes (e.g., password reset).

Code Snippet: Refresh Face ID Token

6. Encrypt and Secure Face ID Tokens

To protect the Face ID token, always encrypt it before storing it in the database.

Code Snippet: Encrypt Face ID Token

Conclusion

Face ID, when implemented correctly, can be a powerful tool for enhancing both security and user experience. As a backend developer, your role in ensuring the secure implementation of Face ID is crucial to protecting users from vulnerabilities such as logging users into the wrong account or allowing hackers to bypass Face ID with stolen credentials. To prevent these issues, developers should tie Face ID to specific user accounts, treat it as an additional security layer, and reset it appropriately.

To further enhance security, follow these key principles:

  1. Tie Face ID to user accounts.

  2. Reset Face ID on logout or account switch.

  3. Verify Face ID tokens during login.

  4. Use Face ID alongside multi-factor authentication.

  5. Encrypt and secure Face ID tokens in the database.

By adhering to these practices, app developers can ensure that Face ID strengthens an app's security and protects user data, helping maintain trust as users increasingly rely on biometric features like Face ID.

Face IDbiometricsauthenticationauthorizationNode.jsSecuritysecuritytoken