WhollySoftware
Back to blogMobile

Biometric Authentication Done Right on iOS and Android

Wholly Software TeamAugust 14, 20256 min read
Biometric Authentication Done Right on iOS and Android

Biometric auth demos well and breaks in the edge cases nobody tests: a user who re-enrolled a new face after surgery, a fingerprint sensor with a wet screen, an Android device with no biometric hardware enrolled at all. We now build the fallback path first and treat Face ID or fingerprint as an enhancement on top, not the primary flow.

On iOS we use LocalAuthentication's LAContext with a deliberate policy check before even attempting evaluation — checking canEvaluatePolicy for deviceOwnerAuthenticationWithBiometrics separately from deviceOwnerAuthentication lets us distinguish 'no biometrics enrolled' from 'biometrics enrolled but temporarily locked out' and show the user an accurate message instead of a generic failure.

Android's fragmentation is the real challenge. BiometricPrompt is the right modern API, but we still see devices — mostly budget Android phones from smaller OEMs — where the biometric hardware reports as available but fails intermittently. We wrap every BiometricPrompt call with a maximum of two retry attempts before automatically falling back to the device PIN/pattern, rather than letting users get stuck retrying a sensor that isn't going to succeed.

For anything tied to sensitive actions — unlocking a banking app, authorizing a payment — we never treat a successful biometric check as sufficient on its own. We pair it with a cryptographic key stored in the iOS Keychain or Android Keystore, generated with biometric-gated access control (kSecAccessControlBiometryCurrentSet on iOS, setUserAuthenticationRequired on Android), so a biometric bypass at the OS level can't be used to extract a session token directly.

One client initially wanted biometric re-auth on every app foreground, which usability testing showed was actively annoying for a low-risk content app. We scoped it down to only gate specific sensitive actions — viewing payment details, changing account settings — and left general app access on a normal session timeout. Matching biometric friction to actual risk, rather than applying it uniformly, made both the security team and the users happier.

SecurityiOSAndroidAuthentication
Biometric Authentication Done Right on iOS and Android — Wholly Software