# Authentication methods

# Overview

Encap supports several different authentication methods. Not every authentication method can be used on every platform.

Below you will find:

  • The supported authentication methods for iOS.
  • The names of the parameters that you need in order to activate and authenticate with these methods.

Available authentication methods

The set of available authentication methods can be limited by:

  • The application configuration on the Encap server, identified by the applicationId.
  • The mobile device's hardware.
  • The mobile device's state.

The authentication parameter can be one of the following class types:

  • EncapDeviceAuthParameter
  • EncapDevicePinAuthParameter
  • EncapDeviceStrongTouchIDAuthParameter
  • EncapDeviceFaceIDAuthParameter

Each authentication parameter represents an authentication method, which is defined in the EncapAuthMethod enum:

  • EncapAuthMethodDevice
  • EncapAuthMethodDevicePIN
  • EncapAuthMethodDeviceStrongTouchID
  • EncapAuthMethodDeviceFaceID

Deprecation notice

  • EncapDeviceTouchIDAuthParameter is deprecated.
  • EncapAuthMethodDeviceTouchID is deprecated.
  • The TouchID authentication method is not recommended for use anymore. You should use StrongTouchID instead, which offers more security.

# Biometric authentication methods

You can find the biometric authentication methods available for iOS below:

StrongTouchID:

  • Data is stored using the kSecAccessControlBiometryCurrentSet flag.
  • The authentication method is invalidated if fingers are added or removed in the Touch ID settings. An error message is then shown to the end-user the next time they try to use the authentication method. It is deactivated automatically and cannot be used until it is activated again.
  • The device passcode is not a fallback.

FaceID:

  • Data is stored using the kSecAccessControlBiometryCurrentSet flag.
  • The authentication method is invalidated if the Face ID settings are changed. An error message is then shown to the end-user the next time they try to use the authentication method. It is deactivated automatically and cannot be used until it is activated again.
  • The device passcode is not a fallback.

# Useful information

  • These methods will only be visible in the available/allowed list of authentication methods if they are supported and enrolled on the device.
  • Touch ID and Face ID authentication are disabled system-wide after five consecutive unsuccessful attempts, even when the attempts span multiple evaluation calls. When this happens, the system requires the end-user to enter the passcode for the device to re-enable biometry.

Learn more

You can read more about this topic in the Apple Developer Documentation.

  • It is only possible to have one online biometric authentication method activated for a registration. For example, StrongTouchID and TouchID cannot be activated at the same time.
  • StrongTouchID and FaceID are best activated together with a PIN, so that, if the activation data is invalidated, they can be reactivated using the addOrUpdate method described in the Add or update section on the Core operations page.
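
The following added Swift example shows what the kSecAccessControlBiometryCurrentSet behaviour and the lockout rule described above look like at the Keychain level, using Apple's Security and LocalAuthentication frameworks. It is not Encap SDK code; the service and account names, the `ReadResult` type and the accessibility class are assumptions of this example.

```swift
import Foundation
import LocalAuthentication
import Security

// Hypothetical identifiers, used only in this example.
let baseQuery: [String: Any] = [
    kSecClass as String: kSecClassGenericPassword,
    kSecAttrService as String: "com.example.biometry-demo",
    kSecAttrAccount as String: "activation-secret",
]

enum ReadResult { case secret(Data), needsReactivation, biometryLockedOut, biometryUnavailable, error(OSStatus) }

/// Store `secret` so it is readable only after a match against the biometric set enrolled right now.
func storeSecret(_ secret: Data) -> OSStatus {
    // Only .biometryCurrentSet is set: no .devicePasscode and no .or, so the passcode is not a fallback.
    // Assumption: the accessibility class below is this example's choice; the page only names the flag.
    guard let access = SecAccessControlCreateWithFlags(
        nil, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, .biometryCurrentSet, nil)
    else { return errSecParam }
    SecItemDelete(baseQuery as CFDictionary)  // replace any earlier item
    var attrs = baseQuery
    attrs[kSecAttrAccessControl as String] = access
    attrs[kSecValueData as String] = secret
    return SecItemAdd(attrs as CFDictionary, nil)
}

/// Read the secret; this triggers the Touch ID / Face ID prompt.
func readSecret(reason: String) -> ReadResult {
    let context = LAContext()
    context.localizedReason = reason
    var laError: NSError?
    if !context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &laError) {
        // Locked out after repeated failures: the user must enter the device passcode first.
        if laError?.code == LAError.Code.biometryLockout.rawValue { return .biometryLockedOut }
        return .biometryUnavailable  // not supported, or nothing enrolled
    }
    var query = baseQuery
    query[kSecReturnData as String] = true
    query[kSecUseAuthenticationContext as String] = context
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    switch status {
    case errSecSuccess:
        return (item as? Data).map { ReadResult.secret($0) } ?? .error(status)
    case errSecItemNotFound:
        // Never stored, or invalidated because fingers/faces were added or removed.
        return .needsReactivation
    default:
        return .error(status)  // for example errSecUserCanceled or errSecAuthFailed
    }
}
```

An app using Face ID also needs an NSFaceIDUsageDescription entry in its Info.plist, and biometric access control should be exercised on a physical device rather than the simulator.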

# Available/allowed authentication methods

When initiating an activation or authentication, the server provides you with a set of available/allowed EncapAuthMethod values to activate or authenticate with:

  • EncapStartActivationResult.authMethodsForActivation
  • EncapStartAddOrUpdateResult.authMethodsToActivate
  • EncapStartResult.authMethodsForAuthentication

If more than one method is available, then the developer or end-user may choose which method to use.

# Server configured authentication methods

The EncapAPI also returns a raw list of server-configured authentication methods during the initial activation and in AddOrUpdateAuthMethod results:

  • EncapStartActivationResult.serverConfiguredAuthMethods
  • EncapStartAddOrUpdateResult.serverConfiguredAuthMethodsToActivate

The format will be the same as the configuration on Encap Server, for example: DEVICE:PIN, DEVICE:STRONG_TOUCH_ID, DEVICE:IOS_FACE_ID.

It will also contain authentication methods for other platforms, such as Android.

Last updated: 11/04/2024 07:47 UTC