Mobile App Enablement
Implementing strong, simple, and scalable authentication in your mobile app is easy using the Nok Nok Labs App SDK. You can incorporate the App SDK into your mobile app to support standards-based FIDO authentication on over a billion Android and Apple devices. The App SDK supports FIDO-Certified biometric authenticators including fingerprint, voice and face biometrics, as well as non-biometric authenticators, such as PIN.
The App SDK takes advantage of available secure hardware, such as Trusted Execution Environments (TEE), Secure Elements (SE) and Trusted Platform Modules (TPM) to protect the cryptographic keys used for authentication. The App SDK delivers on-device authentication and enables a mobile app to provide out-of-band authentication for access initiated from a second device.
With the App SDK, your App uses a simple set of APIs for all forms of authentication. While FIDO supports any mode of authentication such as fingerprint, voice, or PIN, your app does not need to hardcode a specific approach to authentication. Instead, you can centrally manage a policy on the server to specify the exact form of authentication allowed.
How does it work?
The first step is to have the user register an authenticator. The server is configured with a policy that specifies what forms of authentication are allowed. For example, you may decide to allow only fingerprint authentication, or you could specify that fingerprint or PIN is allowed. Since you don’t hardcode the authentication in your app, the code becomes a lot simpler. You just need to add a call in your app to trigger the registration process. For example, on Android, it would look like this:
Notice the code does not reference the type of registration, as that is controlled and enforced by the server policy. The first parameter to the register method is the current Android Activity, which is the Java object that manages the current screen. The second (and optional) parameter is a login session object. Typically, registering a credential requires that you be logged in, and the login state is verified by checking this session object.
Once a user is registered, they can authenticate using the credential instead of a password:
The APIs are similar on iOS.
Below you can see what this looks like in a mobile app. It shows a user logging into a banking app with username and password. Then they register a FIDO credential and log out. Next they log in using just the FIDO credential.
Note that you can also set up accounts using just a FIDO credential and eliminate any need for a password.
Instead of hard-coding the type of authentication in your app, you set the policy on the server. The policy specifies a set of Authenticator Attestation ID (AAIDs) to indicate precisely which authenticators are allowed:
This means you don’t need to change your App to support new types of authentication as they become available.
How much work is this?
Because the authentication type is not hard-coded in your app, the App SDK can handle the heavy lifting. Thus with very few lines of code, it is possible to integrate FIDO authentication typically in just a few hours.