Offline User Authentication

G5 Cyber Security

2 weeks ago

TL;DR

Authenticating users on devices without constant internet access (like iPads) requires a local authentication system combined with secure syncing when online. This guide covers using a combination of device biometrics/passcodes, locally stored credentials, and a robust API for synchronisation.

1. Choose an Authentication Method

Select how users will initially log in on the iPad:

Device Biometrics (Touch ID/Face ID): Most secure; relies on Apple’s security features.
Passcode: Simpler, but less secure than biometrics.
Username/Password (Local Only): Least secure for offline use; avoid if possible.

For this guide, we’ll assume using Device Biometrics as the primary method.

2. Local Credential Storage

You need a secure way to store user credentials on the iPad. Never store passwords in plain text! Use Apple’s Keychain:

Keychain Access: Provides encrypted storage for sensitive data like usernames, passwords, and API tokens.

import KeychainSwift
let keychain = KeychainSwift()
// Store username
keychain.set("username", forKey: "user_username")
// Retrieve username
if let username = keychain.get("user_username") {
  print(username)
}

Consider using a library like KeychainSwift to simplify Keychain interactions.

3. Implement Local Authentication

Use Apple’s LocalAuthentication framework:

Import Framework: Add LocalAuthentication to your project.
Context Creation: Create a LAContext object.
Evaluate Policy: Use evaluatePolicy() to prompt the user for authentication (biometrics or passcode).

import LocalAuthentication
let context = LAContext()
var error: NSError?
if context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics) {
  context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, localizedReason: "Authenticate to access the app") {
    (success, error) in
    if success {
      // Authentication successful!
      print("Authenticated successfully.")
    } else {
      // Authentication failed
      print(error?.localizedDescription ?? "Authentication Failed")
    }
  }
}

4. API for Synchronisation

Design a secure API endpoint to handle user authentication and data synchronisation when the device is online.

HTTPS: Always use HTTPS to encrypt communication.
API Tokens: Use short-lived, securely generated API tokens for authentication with your server. Store these in Keychain (see step 2).
Data Syncing: Implement endpoints for:
- User login/registration
- Data upload from the iPad to the server
- Data download from the server to the iPad

5. Offline Data Handling

The iPad needs to function even when offline:

Local Database: Store data locally using a database like Realm, SQLite or CoreData.
Queueing: Queue any API requests (sync operations) until the device regains internet connectivity.
Conflict Resolution: Implement logic to handle potential data conflicts when syncing offline changes with the server.

6. Background Sync

Periodically attempt to sync data in the background:

URLSession Configuration: Use a background session configuration for URLSession.
App Refresh Tasks: Leverage App Refresh tasks (if appropriate) to trigger syncing when the device is idle and connected to power/Wi-Fi.

7. Security Considerations

Keychain Protection: Ensure your Keychain access is properly protected with strong passwords and restrictions.
Data Encryption: Encrypt sensitive data stored locally, even within the database.
Token Management: Regularly refresh API tokens to minimize risk if compromised.
cyber security Best Practices: Stay up-to-date with current cyber security threats and best practices for mobile app development.