Kinde · 4w ago
anjup52

Biometrics with Kinde auth

Our project is currently using Kinde auth and trying to implement a biometrics feature for the mobile application (basically a website turned into a mobile app by Median, so we are using Kinde's React package). Can you point me to the right guide or doc to implement this, if Kinde does support this feature? Basically, we would need to sign in a user via a POST request or API call, without redirecting the user to the Kinde sign-in page, so that the mobile app can store the user's credentials. Thanks in advance for your help.
5 Replies
Claire Mahoney
Hi,

Thanks for reaching out. Kinde’s authentication system operates through OAuth 2.0 flows, which means it requires redirecting users to Kinde’s hosted authentication pages. Direct API authentication without redirection isn’t currently supported, including biometric authentication. For React applications, Kinde provides a React SDK that uses the Authorization Code Flow with PKCE for secure authentication. While the mobile device may support biometrics for local security, authentication with Kinde still requires the standard OAuth flow. If you’re looking to implement biometrics, you’d need to handle it separately as an additional security layer within your app. Let me know if this answers your question or if you need more details.
anjup52 (OP) · 4w ago
Thank you for replying soon. So, to reiterate, biometrics can only be implemented as another layer of security (like MFA) on top of the standard OAuth flow (authentication via redirection). Right?
Claire Mahoney
Hi, Yes, that's correct! Biometrics can be implemented as an additional security layer, similar to MFA, but it does not replace Kinde's OAuth-based authentication flow. Users will still need to authenticate via the Kinde sign-in page initially, and then you can use biometrics for subsequent local authentication within your app. Let me know if you need any further clarifications.
anjup52 (OP) · 4w ago
So, if I were to use biometrics for subsequent local authentication, should I have to prevent signing the user out to avoid revoking the access token (that would be stored after the initial sign-in)?
Claire Mahoney
Hi there, This is Patrick from Kinde. I am taking this over from Ages who is on leave for a few days. So for your question, I would say yes. For implementing biometric authentication with Kinde, here's what you need to know:

1. Token Management:
- Access tokens contain access permissions for user authentication (https://docs.kinde.com/build/tokens/configure-tokens/)
- Refresh tokens are issued alongside access tokens and can extend a user's session without requiring reauthentication

2. Session Management:
- You can maintain long-running sessions using refresh tokens by including the offline scope in your request (https://docs.kinde.com/authenticate/manage-authentication/user-auth-applications/)
- Kinde supports short-lived refresh and refresh token rotation for increased security

3. For your use case:
- You can store the access and refresh tokens after initial OAuth authentication
- Configure longer token lifetimes in your Kinde settings to maintain the session (https://docs.kinde.com/build/tokens/configure-tokens/)
- Use refresh tokens to maintain the session while implementing local biometric authentication

4. Important Security Considerations:
- Token and session expiry should prioritize system and user security
- Consider implementing refresh token rotation for additional security

The documentation doesn't specifically address biometric authentication implementation, but based on the token and session management capabilities, you can implement it as an additional layer while maintaining the OAuth session through proper token management.
Please let me know if you have any questions or need further assistance.
