JULIA POTAPENKO Security Software Engineer at Cossack Labs with background in iOS app development Mobile/Security Lead at WWCodeKyiv Chapter Leader of OWASP Zhytomyr @julepka
SDLC - SOFTWARE DEVELOPMENT LIFE CYCLE
Requirements definition → Design → Development → Testing → Deployment → Maintenance
"You are here." MVP in one month. We have no time. Docs will wait. We are agile.
BIOMETRICS UNLOCKING KEYCHAIN
OWASP MASVS 4.8 (Level 2): BIOMETRIC AUTHENTICATION, IF ANY, IS NOT EVENT-BOUND (I.E. USING AN API THAT SIMPLY RETURNS "TRUE" OR "FALSE"). INSTEAD, IT IS BASED ON UNLOCKING THE KEYCHAIN.
EVENT-BOUND AUTHENTICATION (Apple's sample, what MASVS 4.8 tells you not to do)

```swift
import LocalAuthentication

let context = LAContext()
let reason = "Log in to your account"
context.evaluatePolicy(.deviceOwnerAuthentication, localizedReason: reason) { success, error in
    if success {
        // Move to the main thread because a state update triggers UI changes.
        DispatchQueue.main.async { [unowned self] in
            self.state = .loggedin
        }
    } else {
        print(error?.localizedDescription ?? "Failed to authenticate")
        // Fall back to asking for username and password.
        // ...
    }
}
```
Source: https://developer.apple.com/documentation/localauthentication/logging_a_user_into_your_app_with_face_id_or_touch_id

WARNING: this is the event-bound pattern. evaluatePolicy hands the app nothing but a Bool; no key and no stored secret depend on the user having passed the check, so anything that controls the process at runtime (a hooking framework on a jailbroken device) can deliver success == true to the callback and the app sets state = .loggedin. Note also that .deviceOwnerAuthentication accepts the device passcode as a fallback; .deviceOwnerAuthenticationWithBiometrics restricts the prompt to biometrics but is still event-bound. The fix is not a different policy, it is to make the secret you need (session token, key) live in a keychain item that only biometrics can unlock.
KEYCHAIN ACCESS CONTROL

```swift
import Security

let access = SecAccessControlCreateWithFlags(nil,   // Use the default allocator.
    kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, // Item exists only while a passcode is set; never migrated to another device.
    .biometryCurrentSet,                             // Apple's sample uses .userPresence here.
    nil)                                             // Ignore any error (better: pass an Unmanaged<CFError>? and check it).
```

.userPresence lets the keychain item be unlocked with either biometrics or the device passcode. .biometryCurrentSet requires biometrics only, and it binds the item to the fingerprints or face enrolled at the time it was created: if a new finger or face is enrolled afterwards, the item becomes inaccessible and must be recreated after a full credential login. That closes the case where someone with brief access to an unlocked phone adds their own fingerprint and then passes the biometric prompt. kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly additionally makes the item disappear when the passcode is removed and keeps it out of backups.
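The two halves of the keychain-bound flow together, as an added example that is not part of the talk or of Apple's documentation: the secret is stored behind a .biometryCurrentSet access control, and the login decision is whether SecItemCopyMatching actually returned the data, not whether a Bool came back true. The service and account names, the BiometricLoginOutcome type and the idea of storing a server-issued token are assumptions for the example.

```swift
import Foundation
import Security
import LocalAuthentication

// Assumed identifiers for the example; use your own service/account names.
private let keychainService = "com.example.app.session"
private let keychainAccount = "refresh-token"

enum KeychainError: Error {
    case accessControl(CFError?)
    case status(OSStatus)
}

/// Store `secret` so the keychain releases it only after biometric
/// authentication with the currently enrolled set of fingers/faces.
func storeBiometricProtectedSecret(_ secret: Data) throws {
    var cfError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        .biometryCurrentSet,
        &cfError
    ) else {
        throw KeychainError.accessControl(cfError?.takeRetainedValue())
    }

    // Remove any stale copy first, otherwise SecItemAdd fails with errSecDuplicateItem.
    // Deleting never prompts for biometrics; only reading the value does.
    let baseQuery: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: keychainService,
        kSecAttrAccount as String: keychainAccount,
    ]
    SecItemDelete(baseQuery as CFDictionary)

    var addQuery = baseQuery
    addQuery[kSecAttrAccessControl as String] = access
    addQuery[kSecValueData as String] = secret

    let status = SecItemAdd(addQuery as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.status(status) }
}

/// Read the secret back. The system shows the Face ID / Touch ID prompt itself;
/// the only way to obtain `Data` is to pass it, so nothing here can be turned
/// into a "true" the app is tricked into trusting.
func readBiometricProtectedSecret(reason: String) throws -> Data {
    let context = LAContext()
    context.localizedReason = reason  // Text shown in the system prompt (iOS 11+).

    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: keychainService,
        kSecAttrAccount as String: keychainAccount,
        kSecMatchLimit as String: kSecMatchLimitOne,
        kSecReturnData as String: true,
        kSecUseAuthenticationContext as String: context,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let data = item as? Data else {
        throw KeychainError.status(status)
    }
    return data
}

/// Assumed outcome type: what the UI layer does next.
enum BiometricLoginOutcome {
    case sessionToken(Data)   // Send to the backend; the server still validates it.
    case cancelled            // User dismissed the prompt.
    case needsCredentials     // Nothing stored, lockout, or enrollment changed: ask for username/password.
}

func loginWithBiometrics() -> BiometricLoginOutcome {
    do {
        let token = try readBiometricProtectedSecret(reason: "Log in to your account")
        return .sessionToken(token)
    } catch KeychainError.status(let status) {
        switch status {
        case errSecUserCanceled:
            return .cancelled
        case errSecItemNotFound:
            // Also the result after a new finger/face was enrolled: .biometryCurrentSet
            // invalidated the item, so store a fresh token after the password login.
            return .needsCredentials
        default:
            // errSecAuthFailed (too many failed attempts / biometry locked out) lands here.
            return .needsCredentials
        }
    } catch {
        return .needsCredentials
    }
}
```

Call storeBiometricProtectedSecret after a successful username/password login with whatever the server issued, and loginWithBiometrics on subsequent launches. The app needs NSFaceIDUsageDescription in Info.plist or the Face ID prompt will not appear. Bind the item to something the server or your data layer genuinely needs; protecting a value that only gates a UI screen is still a local check, just a more expensive one to bypass.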
AUTH FACTORS

2FA - TWO FACTOR AUTHENTICATION
• Something you know (password, PIN)
• Something you have (phone, SIM card, USB token; an OTP is evidence of this factor, since it proves possession of the device or token that generated it)
• Something you are, something physically unique to you (fingerprint, face)

2SV - TWO STEP VERIFICATION: two separate verification steps, which may draw on the same factor category (password plus a code e-mailed to an account that the same password protects). 2FA requires two different categories.
TRACK LOGIN ACTIVITY
OWASP MASVS 4.11 (Level 2): THE APP INFORMS THE USER OF ALL LOGIN ACTIVITIES WITH THEIR ACCOUNT. USERS ARE ABLE TO VIEW A LIST OF DEVICES USED TO ACCESS THE ACCOUNT, AND TO BLOCK SPECIFIC DEVICES.
WHERE TO GO NEXT
• OWASP MSTG – Testing Local Authentication: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x06f-Testing-Local-Authentication.md
• Apple Platform Security Guide: https://support.apple.com/en-gb/guide/security/welcome/web
• WWDC 14 – Keychain and Authentication with Touch ID: https://devstreaming-cdn.apple.com/videos/wwdc/2014/711xx6j5wzufu78/711/711_keychain_and_authentication_with_touch_id.pdf
• David Lindner – Don't Touch Me That Way: https://nvisium.com/blog/2016/06/22/dont-touch-me-that-way.html