
Enable biometrics from settings without password

Open clauxx opened this issue 1 year ago • 6 comments

Bug Report

Problem

Follow up to https://github.com/status-im/status-mobile/pull/18258

Currently, when enabling biometrics from the password settings, the user is prompted to enter their password, which is different from the figma user flows.

This is necessary because we have to store the password in the keychain so that, during the log-in flow, a successful biometrics check logs the user in with the keychain password. One way to avoid that is to always store the password during onboarding, not only if the user enables biometrics, and never delete the password from the keychain (currently we delete it when disabling biometrics and when logging out).

This could have security implications, so it should be discussed with the design team and the CCs (in the discord #biometrics channel).

Expected behavior

The password is not prompted when the user enables biometrics in the password settings

Actual behavior

The password is prompted when the user enables biometrics in the password settings

clauxx avatar Mar 04 '24 10:03 clauxx

@clauxx could you please elaborate, i see the password in figma image

https://www.figma.com/file/JlpPhJp0SMnEyBQy4nOZHo/Settings-for-Mobile?type=design&node-id=7212%3A149947&mode=design&t=JDdq7AtuF6AICoJX-1

flexsurfer avatar May 13 '24 08:05 flexsurfer

@flexsurfer we adapted the designs to include the password because it was easier/quicker at the time, but originally it wasn't there. It was needed because the password was necessary for enabling the biometrics and we didn't want to make all users store it in the keychain, hence we're prompting the user every time. Here we should find a way to do it without (I guess storing the hashed password in the keychain when the user adds the password during onboarding).

CC @cammellos

clauxx avatar May 13 '24 08:05 clauxx

thank you, then we should descope it from release I guess

flexsurfer avatar May 13 '24 08:05 flexsurfer

This is not exactly a very frequent action; usually biometrics are enabled during onboarding, so I would keep the password for enabling onboarding from settings for security reasons.

flexsurfer avatar May 13 '24 08:05 flexsurfer

@churik should we remove this from 2.29?

flexsurfer avatar May 13 '24 09:05 flexsurfer

removing from milestone

cammellos avatar May 15 '24 08:05 cammellos

I'm closing this issue as not planned because this issue is not a bug, but rather a potential feature (although questionable due to security implications as already mentioned).

ilmotta avatar Oct 08 '24 07:10 ilmotta