0

I want to enable auto login for a user into my Android application.

Also, I do not want to store the user token / user password in the keystore or any other storage.

Suppose the user logs in to the application for the first time; then I enable fingerprint authentication and store the username in application storage. If the user kills the application, then on the next launch, if the user authorizes with a fingerprint, I want to send the username and some device-specific authorization to the server to get the latest token.

So which is the better approach to authorize a user the second time (without a password)? Is there anything from the following that could be a better approach:

  1. Sending the device id to the server for the first login and, from the second time onward, authorizing the user with a user id and the device id...
  2. Storing the encrypted username & password in device storage and the key in the keystore, and on fingerprint authorization sending the decrypted username & password to the server to get an access token.

Or any other approach for authorizing the user in an efficient manner? Which is the preferred approach used by most banking applications to authorize a user without asking for the password multiple times?

  • I think the first option is a pretty good one; that way you don't need to save a password while still getting some good security. Make sure that, if the password is changed, the user needs to log in with the password first before doing the "quick login" again – Dennis van Opstal May 18 '18 at 10:58
  • @Dennis: Yes. Thanks for your input. Further, I was thinking: is there any more secure approach than what I am thinking of? What's the more appropriate approach used by banking applications? – Pratik Kulkarni May 18 '18 at 11:04
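The device-binding flow sketched in option 1, with a device key in place of a bare device id, as an added example that is not part of the original question or of any answer. A device id is something an attacker can read or guess, so sending it alongside the username is not authentication; what banking apps typically do instead is enrol a per-device key pair at the first password login and then let the server challenge that key on every launch. The example simulates both sides on a plain JDK: the `Server` class, the `deviceId` label and the user `alice` are constructed for illustration, and `newDeviceKey()` uses the default JDK provider where an Android app would call `KeyPairGenerator.getInstance("EC", "AndroidKeyStore")` with `KeyGenParameterSpec.setUserAuthenticationRequired(true)` so that the private key never leaves the device and only signs after the fingerprint prompt (the signing call then runs inside the `BiometricPrompt` callback with the `CryptoObject`'s `Signature`).

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.ECGenParameterSpec;
import java.util.*;

// Added example, not code from the original post. The phone keeps the private key;
// the server stores only the public key per (username, deviceId) and issues a
// short-lived token when the phone signs a fresh server nonce.
public class DeviceBoundLogin {

    /** Server side (hypothetical API): enrolled device keys and one pending nonce each. */
    static final class Server {
        private final Map<String, PublicKey> devices = new HashMap<>();    // "user:device" -> public key
        private final Map<String, byte[]> pendingNonces = new HashMap<>(); // "user:device" -> unused nonce
        private final SecureRandom rng = new SecureRandom();

        /** First login: after the password check (not shown) the app enrols its public key. */
        void registerDevice(String user, String deviceId, PublicKey pub) {
            devices.put(user + ":" + deviceId, pub);
        }

        /** Each launch: the app fetches a fresh, single-use nonce. */
        byte[] challenge(String user, String deviceId) {
            byte[] nonce = new byte[32];
            rng.nextBytes(nonce);
            pendingNonces.put(user + ":" + deviceId, nonce);
            return nonce;
        }

        /** Unknown device, already-consumed nonce or bad signature: no token. */
        Optional<String> login(String user, String deviceId, byte[] signature) throws GeneralSecurityException {
            String id = user + ":" + deviceId;
            PublicKey pub = devices.get(id);
            byte[] nonce = pendingNonces.remove(id); // consumed here, so a replayed signature fails
            if (pub == null || nonce == null) return Optional.empty();
            Signature verifier = Signature.getInstance("SHA256withECDSA");
            verifier.initVerify(pub);
            verifier.update(message(user, deviceId, nonce));
            return verifier.verify(signature) ? Optional.of(issueToken(user)) : Optional.empty();
        }

        /** Password change: forget every device so each one must log in with the password again. */
        void revokeAllDevices(String user) {
            devices.keySet().removeIf(k -> k.startsWith(user + ":"));
            pendingNonces.keySet().removeIf(k -> k.startsWith(user + ":"));
        }

        private String issueToken(String user) { // stand-in for a real short-lived access token
            byte[] t = new byte[16];
            rng.nextBytes(t);
            return user + "." + Base64.getUrlEncoder().withoutPadding().encodeToString(t);
        }
    }

    /** Both sides sign/verify the same bytes: username, device id and the server's nonce. */
    static byte[] message(String user, String deviceId, byte[] nonce) {
        byte[] prefix = (user + "|" + deviceId + "|").getBytes(StandardCharsets.UTF_8);
        byte[] m = Arrays.copyOf(prefix, prefix.length + nonce.length);
        System.arraycopy(nonce, 0, m, prefix.length, nonce.length);
        return m;
    }

    /** Client side: on Android this runs in the BiometricPrompt callback with the Keystore key. */
    static byte[] signChallenge(PrivateKey priv, String user, String deviceId, byte[] nonce) throws GeneralSecurityException {
        Signature signer = Signature.getInstance("SHA256withECDSA");
        signer.initSign(priv);
        signer.update(message(user, deviceId, nonce));
        return signer.sign();
    }

    /** Plain JDK key; on Android use the "AndroidKeyStore" provider with setUserAuthenticationRequired(true). */
    static KeyPair newDeviceKey() throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        return kpg.generateKeyPair();
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server();
        String user = "alice", deviceId = "device-A"; // constructed sample identifiers
        KeyPair phone = newDeviceKey();
        server.registerDevice(user, deviceId, phone.getPublic()); // done once, after the password login

        // Quick login on a later launch: fingerprint unlocks the key, the app signs the nonce.
        byte[] sig = signChallenge(phone.getPrivate(), user, deviceId, server.challenge(user, deviceId));
        System.out.println("quick login:     " + server.login(user, deviceId, sig).orElse("REJECTED"));

        // Replaying the same signature: the nonce was consumed.
        System.out.println("replay:          " + server.login(user, deviceId, sig).orElse("REJECTED"));

        // Knowing the username and device id is not enough without the enrolled key (option 1's weak spot).
        KeyPair attacker = newDeviceKey();
        byte[] forged = signChallenge(attacker.getPrivate(), user, deviceId, server.challenge(user, deviceId));
        System.out.println("spoofed device:  " + server.login(user, deviceId, forged).orElse("REJECTED"));

        // After a password change the enrolment is gone until the user logs in with the password again.
        server.revokeAllDevices(user);
        byte[] stale = signChallenge(phone.getPrivate(), user, deviceId, server.challenge(user, deviceId));
        System.out.println("after pw change: " + server.login(user, deviceId, stale).orElse("REJECTED"));
    }
}
```

Only the first `login` call prints a token; the replay, the forged signature and the post-revocation attempt print `REJECTED`. Nothing secret is stored in app storage here: the username is the only value the app needs to remember, the nonce is fresh per launch, and the token is whatever short-lived credential the server already issues. On a real device, generating the key with `setInvalidatedByBiometricEnrollment(true)` additionally ties it to the fingerprints enrolled at the time, and a Keystore attestation challenge at enrolment lets the server check that the key is hardware-backed rather than a software key on a rooted phone.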

1 Answer

-1

Here is an idea:

Use SharedPreferences for the auto-login functionality. When the user logs in to your application, store the login status in SharedPreferences, and clear SharedPreferences when the user logs out.

Example:

import android.content.Context;
import android.content.SharedPreferences;
import android.content.SharedPreferences.Editor;
import android.preference.PreferenceManager;

public class SaveSharedPreference 
{
    static final String PREF_USER_NAME = "username";

    static SharedPreferences getSharedPreferences(Context ctx) {
        return PreferenceManager.getDefaultSharedPreferences(ctx);
    }

    // Persist the username after a successful login (plain text in the app-private preferences file)
    public static void setUserName(Context ctx, String userName) 
    {
        Editor editor = getSharedPreferences(ctx).edit();
        editor.putString(PREF_USER_NAME, userName);
        editor.commit(); // synchronous write; apply() would be the asynchronous alternative
    }

    // Returns "" when nobody has logged in yet (or after logout cleared the preference)
    public static String getUserName(Context ctx)
    {
        return getSharedPreferences(ctx).getString(PREF_USER_NAME, "");
    }
}

Now, when you start the application, first check:

// No stored username means nobody is logged in on this device
if (SaveSharedPreference.getUserName(MainActivity.this).isEmpty()) {
     // call Login Activity
} else {
     // Stay at the current activity.
}

In the Login activity, if the user logs in successfully, set the username using the setUserName() function.

Here is a LINK with some extra info.

  • I want to make the app more secure. Currently I am using shared preferences to store basic info, but I don't want to store any user details on the device except the username. All the APIs require a token which has limited validity. So for every launch I need to get the latest token using some user- and device-specific attributes. – Pratik Kulkarni May 18 '18 at 11:01