DESIGN AND THREAT MODELING • DATA STORAGE AND PRIVACY • CRYPTOGRAPHY • AUTHENTICATION AND SESSION MANAGEMENT • NETWORK COMMUNICATION • ENVIRONMENTAL INTERACTION • CODE QUALITY AND BUILD SETTINGS • RESILIENCY AGAINST REVERSE ENGINEERING https://github.com/OWASP/owasp-masvs
before accessing remote resources • Authentication is enforced by the remote endpoint • Secure session ID and access token • Access token should expire • Logout • Password policy • Throttling
Apple's LocalAuthentication sample (the slide showed only the closure; the evaluatePolicy call that precedes it is taken from the linked Apple page):

```swift
import LocalAuthentication

let context = LAContext()
let reason = "Log in to your account"

context.evaluatePolicy(.deviceOwnerAuthentication, localizedReason: reason) { success, error in
    if success {
        // Move to the main thread because a state update triggers UI changes.
        DispatchQueue.main.async { [unowned self] in
            self.state = .loggedin
        }
    } else {
        print(error?.localizedDescription ?? "Failed to authenticate")
        // Fall back to asking for username and password.
        // ...
    }
}
```

https://developer.apple.com/documentation/localauthentication/logging_a_user_into_your_app_with_face_id_or_touch_id

WARNING
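The weak spot in the sample above is that the outcome of the biometric check reaches the app as a plain Bool (`success`) and the app itself decides to set `state = .loggedin`. On a jailbroken device an attacker can hook `evaluatePolicy` at runtime and deliver `true` without ever touching the sensor; that is the attack the "Don't Touch Me That Way" reference and the MSTG local-authentication chapter describe. The stronger pattern from the WWDC 14 Keychain session is to bind a secret (for example a server-issued token) to a Keychain item protected by `SecAccessControl`, so the Secure Enclave releases the data only after a genuine match and there is no app-side Bool to flip. The following is an added example written for this page, not code from Apple or from the original deck; `keychainService`, the account name and the `Result`-returning helper signatures are illustrative assumptions.

```swift
import Foundation
import Security
import LocalAuthentication

// Assumed placeholder names for this example; not from the original deck.
private let keychainService = "com.example.app.auth"

/// Stores `secret` (e.g. a refresh token) under an access-control policy that
/// requires the *currently enrolled* biometrics. The Keychain/Secure Enclave gate
/// the read: without a real biometric match the plaintext is never returned.
func storeSecretBoundToBiometrics(_ secret: Data, account: String) -> OSStatus {
    var cfError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        // Only readable while unlocked, only if a passcode is set, never migrated
        // to backups or other devices.
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        // .biometryCurrentSet invalidates the item if a finger/face is added or
        // removed, defeating "enroll my own fingerprint" attacks.
        .biometryCurrentSet,
        &cfError
    ) else {
        return errSecParam
    }

    let baseQuery: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: keychainService,
        kSecAttrAccount as String: account,
    ]
    // Remove a stale copy first so SecItemAdd cannot fail with errSecDuplicateItem.
    SecItemDelete(baseQuery as CFDictionary)

    var addQuery = baseQuery
    // kSecAttrAccessControl already carries the protection class;
    // do NOT also set kSecAttrAccessible or SecItemAdd returns errSecParam.
    addQuery[kSecAttrAccessControl as String] = access
    addQuery[kSecValueData as String] = secret
    return SecItemAdd(addQuery as CFDictionary, nil)
}

/// Reads the secret back. iOS presents the Face ID / Touch ID prompt itself;
/// the app receives the plaintext only if the Secure Enclave accepted the match.
func readSecretBoundToBiometrics(account: String, reason: String) -> Result<Data, Error> {
    let context = LAContext()
    context.localizedReason = reason
    // Require a fresh match for this read instead of reusing a recent unlock.
    context.touchIDAuthenticationAllowableReuseDuration = 0

    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: keychainService,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecUseAuthenticationContext as String: context,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let data = item as? Data else {
        // errSecUserCanceled, errSecAuthFailed, errSecItemNotFound (e.g. after a
        // biometry change invalidated the item) all land here.
        return .failure(NSError(domain: NSOSStatusErrorDomain, code: Int(status)))
    }
    return .success(data)
}

// Usage sketch: the app never decides "logged in" locally. It sends the token it
// recovered to the backend, and the backend decides.
func attemptBiometricLogin(account: String, send: (Data) -> Void) {
    switch readSecretBoundToBiometrics(account: account, reason: "Log in to your account") {
    case .success(let token):
        send(token)   // server validates the token and issues the session
    case .failure:
        // Fall back to username + password; nothing sensitive was exposed.
        break
    }
}
```

Two design points worth keeping in mind: the Keychain item, not the app, is the enforcement point, so a hooked `evaluatePolicy` yields nothing usable; and the secret stored must be something the remote endpoint checks (MASVS "authentication is enforced by the remote endpoint"), otherwise the pattern only moves the trust boundary instead of removing it.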
Something you know (PIN, OTP) • Something you have (phone, SIM card, USB token) • Something you are, something physically unique for you (fingerprint) 2SV - TWO STEP VERIFICATION AUTH FACTORS
LOGIN ACTIVITIES WITH THEIR ACCOUNT. USERS ARE ABLE TO VIEW A LIST OF DEVICES USED TO ACCESS THE ACCOUNT, AND TO BLOCK SPECIFIC DEVICES. LEVEL 2 TRACK LOGIN ACTIVITY
OWASP MSTG – Testing Local Authentication https://github.com/OWASP/owasp-mstg/blob/master/Document/0x06f-Testing-Local-Authentication.md
Apple Platform Security Guide https://support.apple.com/en-gb/guide/security/welcome/web
WWDC 14 – Keychain and Authentication with Touch ID https://devstreaming-cdn.apple.com/videos/wwdc/2014/711xx6j5wzufu78/711/711_keychain_and_authentication_with_touch_id.pdf
David Lindner – Don't Touch Me That Way https://nvisium.com/blog/2016/06/22/dont-touch-me-that-way.html