Offline App Authentication

TL;DR

Apps needing user logins without internet access require local authentication methods. Options include storing hashed passwords locally (less secure), using pre-shared keys, or employing a self-contained identity provider like WebAuthn with a locally managed key store.

1. Understanding the Challenge

Traditional app authentication relies on servers to verify usernames and passwords. When an internet connection isn’t available, this doesn’t work. You need solutions that operate entirely on the device.

2. Local Password Storage (Not Recommended)

This is the simplest but least secure option. You store a hash of the user’s password on the device.

• How it works: When the user registers, you hash their password using a strong hashing algorithm (e.g., bcrypt, Argon2). During login, you hash the entered password and compare it to the stored hash.
• Risks: If the device is compromised, the attacker gains access to all stored passwords. Also vulnerable to rainbow table attacks if not salted correctly.
• Example (Python):

  import bcrypt
  
  hashed_password = bcrypt.hashpw(b'mysecretpassword', bcrypt.gensalt())
  print(hashed_password)
  
  if bcrypt.checkpw(b'mysecretpassword', hashed_password):
    print("Password matches!")
  else:
    print("Incorrect password.")

Strongly advise against this method unless absolutely necessary and combined with other security measures.

3. Pre-Shared Keys

Suitable for apps where you control all devices (e.g., internal tools). Each user has a unique key pre-configured on their device.

• How it works: The app prompts the user to enter their key during setup. This key is then used for authentication.
• Advantages: Simple to implement, no password storage required.
• Disadvantages: Key management can be difficult at scale. Security relies on keeping keys secret.

4. WebAuthn (FIDO2) with Local Key Store

The most secure option for offline authentication, but more complex to implement.

• How it works: WebAuthn allows users to authenticate using cryptographic keys stored on their device (e.g., fingerprint scanners, security keys). You need a WebAuthn library that supports local key storage.
• Steps:
  1. Registration: The app generates a new key pair and stores the private key securely on the device using the operating system’s key store (e.g., Android Keystore, iOS Keychain). The public key is stored by the application.
  2. Authentication: The app challenges the user to authenticate with their registered key. The OS handles the cryptographic operations without exposing the private key.
• Libraries: Several WebAuthn libraries support local key storage, such as WebAuthn4J (Java) or platform-specific APIs.

5. Considerations for All Methods

• Key Protection: Protect the storage of any keys or hashes used for authentication. Use operating system features designed for secure key management.
• Brute Force Attacks: Implement rate limiting to prevent brute force attacks, even with local authentication.
• Device Security: The security of your offline app depends on the security of the device itself. Encourage users to use strong device passcodes and keep their devices updated.
• Data Encryption: Encrypt any sensitive data stored locally.