# Modules.Identity
Allows a Titanium application to use the iOS Touch ID / Face ID authentication mechanism.
# Overview
Touch ID / Face ID are security mechanisms that use biometric sensors to authenticate the user.
# Requirements
The Identity module is available with the Titanium SDK starting with Release 6.3.0. This module only works with devices running iOS 8 and later.
# Getting Started
Add the module as a dependency to your application by adding a <module>
item to the
<modules>
element of your tiapp.xml
file:
<ti:app>
<!-- ... -->
<modules>
<module platform="iphone">ti.identity</module>
</modules>
<!-- ... -->
</ti:app>
Use require()
to access the module from JavaScript:
var Identity = require('ti.identity');
The Identity
variable is a reference to the module. Make API calls using this reference:
Identity.authenticate({
reason: 'Verify to modify personal settings',
callback: function(e) {
Ti.API.info(e);
}
});
# Lifetime Notes (iOS-only)
The current context will, once evaluated, be used until it's instance gets released or invalidated. You can you use the Modules.Identity.invalidate method to force the user to be prompted every time a new authentication is triggered. On iOS 9 and later, this can also be called to cancel a current evaluation of an auth-context, e.g. to hide the auth-dialoag.
# Distinguish between Touch ID and Face ID
Use the Modules.Identity.biometryType to receive the currently used biometry type. See an example of using the property to create a personalized interface when using Touch ID and Face ID:
var authPhrase = 'Unknown';
if (TiIdentity.biometryType === TiIdentity.BIOMETRY_TYPE_FACE_ID) { // Face ID
authPhrase = 'Face ID';
} else if (TiIdentity.biometryType === TiIdentity.BIOMETRY_TYPE_TOUCH_ID) { // Touch ID
authPhrase = 'Touch ID';
}
# Face ID Requirements (iOS only)
For Face ID to work properly, you need to add a <key>
item to the
<plist>
element of your tiapp.xml
file:
<ti:app>
<!-- ... -->
<ios>
<!-- ... -->
<plist>
<dict>
<key>NSFaceIDUsageDescription</key>
<string>Why you need Face ID.</string>
</dict>
</plist>
<!-- ... -->
</ios>
<!-- ... -->
</ti:app>
# Native Keychain Integration
For more infos regarding the keychain integration, check the "KeychainItem" "documentation.
# Sample Application
The module contains a sample application in the
<TITANIUM_SDK_HOME>/modules/iphone/ti.identity/<VERSION>/example/
folder.
# Properties
# apiName READONLY
The name of the API that this proxy corresponds to.
The value of this property is the fully qualified name of the API. For example, Titanium.UI.Button
returns Ti.UI.Button
.
# authenticationPolicy
Sets the global authentication policy used in this Touch ID / Face ID context.
You should set this property before checking the availability or
starting the authentication. By default, AUTHENTICATION_POLICY_BIOMETRICS
will be used to authenticate using the Touch ID / Face ID sensor only. Using the
AUTHENTICATION_POLICY_PASSCODE
constant will still try to authenticate
with Touch ID / Face ID first and use the passcode as the fallback.
Default: Modules.Identity.AUTHENTICATION_POLICY_BIOMETRICS
# biometryType READONLY
Indicates the type of the biometry supported by the device.
This property is set only when isSupported succeeds for a biometric policy. The default value is BIOMETRY_TYPE_NONE.
Default: Modules.Identity.BIOMETRY_TYPE_NONE
# bubbleParent
Indicates if the proxy will bubble an event to its parent.
Some proxies (most commonly views) have a relationship to other proxies, often established by the add() method. For example, for a button added to a window, a click event on the button would bubble up to the window. Other common parents are table sections to their rows, table views to their sections, and scrollable views to their views. Set this property to false to disable the bubbling to the proxy's parent.
Default: true
# lifecycleContainer
The Window or TabGroup whose Activity lifecycle should be triggered on the proxy.
If this property is set to a Window or TabGroup, then the corresponding Activity lifecycle event callbacks will also be called on the proxy. Proxies that require the activity lifecycle will need this property set to the appropriate containing Window or TabGroup.
# Methods
# addEventListener
Adds the specified callback as an event listener for the named event.
Parameters
Name | Type | Description |
---|---|---|
name | String | Name of the event. |
callback | Callback<Titanium.Event> | Callback function to invoke when the event is fired. |
Returns
- Type
- void
# applyProperties
Applies the properties to the proxy.
Properties are supplied as a dictionary. Each key-value pair in the object is applied to the proxy such that myproxy[key] = value.
Parameters
Name | Type | Description |
---|---|---|
props | Dictionary | A dictionary of properties to apply. |
Returns
- Type
- void
# authenticate
Initiates the biometric authentication process.
A special note for Android:
When you call this method in Android, it will either authenticate the fingerprint or it will fallback to the device's password, pin or pattern which is the case when biometric means of identification is not available. If you provide an incorrect fingerprint and receive an error message "Unable to recognize fingerprint", do not call authenticate. Instead, get the user to try again. If you call authenticate, it will end up in a bad state. This flow will be improved in the next update for Android.
Parameters
Name | Type | Description |
---|---|---|
params | IdentityAuthenticationType | Dictionary of arguments passed to the method, e.g. the reason to autheicate and the callback. |
Returns
- Type
- void
# createKeychainItem
Create KeychainItem.
Parameters
Name | Type | Description |
---|---|---|
params | KeychainItemType | Dictionary of arguments passed to the method. |
Returns
- Type
- void
# deviceCanAuthenticate
Checks to see if device is configured for biometric authentication.
On Android this takes into account the authenticationPolicy
.
Example:
var Identity = require("ti.identity");
var result = Identity.deviceCanAuthenticate();
if (!result.canAuthenticate) {
alert('Message: ' + result.error + '\nCode: ' + result.code);
} else {
alert('Device can authenticate');
}
Returns
# fireEvent
Fires a synthesized event to any registered listeners.
Parameters
Name | Type | Description |
---|---|---|
name | String | Name of the event. |
event | Dictionary | A dictionary of keys and values to add to the Titanium.Event object sent to the listeners. |
Returns
- Type
- void
# invalidate
Invalidates the current biometric dialog.
The context is invalidated automatically when it is (auto)released.
This method allows invalidating it manually while it is still in scope. Invalidation terminates any existing policy evaluation and the respective call will fail with ERROR_APP_CANCELLED. After the context has been invalidated, it can not be used for policy evaluation and an attempt to do so will fail with ERROR_INVALID_CONTEXT.
See the "Lifetime Notes (iOS-only)" paragraph in the module paragraph for more infos.
Returns
- Type
- void
# isSupported
Determines if the current device supports Touch ID or Face ID.
This module is only supported on Android 6.0 or newer. So, this method always returns
false
on older versions of Android.
Returns
- Type
- Boolean
# removeEventListener
Removes the specified callback as an event listener for the named event.
Multiple listeners can be registered for the same event, so the
callback
parameter is used to determine which listener to remove.
When adding a listener, you must save a reference to the callback function in order to remove the listener later:
var listener = function() { Ti.API.info("Event listener called."); }
window.addEventListener('click', listener);
To remove the listener, pass in a reference to the callback function:
window.removeEventListener('click', listener);
Parameters
Name | Type | Description |
---|---|---|
name | String | Name of the event. |
callback | Callback<Titanium.Event> | Callback function to remove. Must be the same function passed to |
Returns
- Type
- void
# Constants
# ACCESS_CONTROL_AND
Constraint logic operation - When using more than one constraint, all must be satisfied.
# ACCESS_CONTROL_APPLICATION_PASSWORD
Security: Application provided password for data encryption key generation. This is not a constraint but additional item encryption mechanism.
# ACCESS_CONTROL_DEVICE_PASSCODE
Constraint - Device passcode.
# ACCESS_CONTROL_OR
Constraint logic operation - When using more than one constraint, at least one of them must be satisfied.
# ACCESS_CONTROL_PRIVATE_KEY_USAGE
Create access control for private key operations (i.e. sign operation).
# ACCESS_CONTROL_TOUCH_ID_ANY
Constraint - Touch ID (any finger). Touch ID must be available and at least one finger must be enrolled. Item is still accessible by Touch ID even if fingers are added or removed.
# ACCESS_CONTROL_TOUCH_ID_CURRENT_SET
Constraint - Touch ID from the set of currently enrolled fingers. Touch ID must be available and at least one finger must be enrolled. When fingers are added or removed, the item is invalidated.
# ACCESS_CONTROL_USER_PRESENCE
User presence policy using Touch ID, Face ID or Passcode. Touch ID / Face ID does not have to be available or enrolled. Item is still accessible by Touch ID / Face ID even if fingers are added or removed.
# ACCESSIBLE_AFTER_FIRST_UNLOCK
Item data can only be accessed once the device has been unlocked after a restart. This is recommended for items that need to be accesible by background applications. Items with this attribute will migrate to a new device when using encrypted backups.
# ACCESSIBLE_AFTER_FIRST_UNLOCK_THIS_DEVICE_ONLY
Item data can only be accessed once the device has been unlocked after a restart. This is recommended for items that need to be accessible by background applications. Items with this attribute will never migrate to a new device, so after a backup is restored to a new device these items will be missing.
# ACCESSIBLE_ALWAYS
Item data can always be accessed regardless of the lock state of the device. This is not recommended for anything except system use. Items with this attribute will migrate to a new device when using encrypted backups.
Value is a Number on Android, a String on iOS.
# ACCESSIBLE_ALWAYS_THIS_DEVICE_ONLY
Item data can always be accessed regardless of the lock state of the device. This option is not recommended for anything except system use. Items with this attribute will never migrate to a new device, so after a backup is restored to a new device, these items will be missing.
Value is a Number on Android, a String on iOS.
# ACCESSIBLE_WHEN_PASSCODE_SET_THIS_DEVICE_ONLY
Item data can only be accessed while the device is unlocked. This class is only available if a passcode is set on the device. This is recommended for items that only need to be accessible while the application is in the foreground. Items with this attribute will never migrate to a new device, so after a backup is restored to a new device, these items will be missing. No items can be stored in this class on devices without a passcode. Disabling the device passcode will cause all items in this class to be deleted.
Value is a Number on Android, a String on iOS.
# ACCESSIBLE_WHEN_UNLOCKED
Item data can only be accessed while the device is unlocked. This is recommended for items that only need be accesible while the application is in the foreground. Items with this attribute will migrate to a new device when using encrypted backups.
# ACCESSIBLE_WHEN_UNLOCKED_THIS_DEVICE_ONLY
Item data can only be accessed while the device is unlocked. This is recommended for items that only need be accesible while the application is in the foreground. Items with this attribute will never migrate to a new device, so after a backup is restored to a new device, these items will be missing.
# AUTHENTICATION_POLICY_BIOMETRICS
Device owner was authenticated using a biometric method.
A biometric authentication is required. If there are no biometrics available or not enrolled, policy evaluation will fail. If Touch ID / Face ID is locked out, passcode is required as the first step to unlock with Touch ID.
Touch ID authentication dialog contains a cancel button with default title
"Cancel" which can be customized using cancelTitle
property and a fallback
button with default title "Enter Password" which can be customized using
fallbackTitle
property. Fallback button is initially hidden and shows up
after first unsuccessful Touch ID attempt. Tapping cancel button or fallback
button causes evaluatePolicy call to fail, returning a distinct error code.
Biometric authentication will get locked after 5 unsuccessful attempts. After that, users have to unlock it by entering passcode.
# AUTHENTICATION_POLICY_BIOMETRICS_OR_WATCH
Device owner was authenticated using a biometric method or the Apple Watch.
# AUTHENTICATION_POLICY_PASSCODE
Device owner was authenticated by Touch ID or device passcode.
Touch ID or passcode authentication is required. If Touch ID is available, enrolled and not locked out, user is asked for it first, otherwise they are asked to enter device passcode. If passcode is not enabled, policy evaluation will fail.
Touch ID authentication dialog behaves similarly as the one used by
AUTHENTICATION_POLICY_BIOMETRICS
. However, instead of "Enter Password"
button there is "Enter Passcode" button which, when tapped, switches the
authentication method and allows users to enter device passcode.
Passcode authentication will get locked after 6 unsuccessful attempts with progressively increased backoff delay.
# AUTHENTICATION_POLICY_WATCH
Device owner was authenticated using the Apple Watch.
# BIOMETRY_TYPE_FACE_ID
The device supports Face ID.
Used as a return-value for biometryType.
# BIOMETRY_TYPE_NONE
The device does not support biometry.
Used as a return-value for biometryType.
# BIOMETRY_TYPE_TOUCH_ID
The device supports Touch ID.
Used as a return-value for biometryType.
# ERROR_APP_CANCELLED
Constant indicating that the app cancelled authentication.
# ERROR_AUTHENTICATION_FAILED
Constant indicating that the authentication was not successful.
# ERROR_BIOMETRY_LOCKOUT
Authentication was not successful, because there were too many failed biometry attempts and biometry is now locked. Passcode is required to unlock biometry, e.g. evaluating authenticate will ask for passcode as a prerequisite.
# ERROR_BIOMETRY_NOT_AVAILABLE
Authentication could not start, because biometry is not available on the device.
# ERROR_BIOMETRY_NOT_ENROLLED
Authentication could not start, because biometry has no enrolled identities.
# ERROR_INVALID_CONTEXT
Constant indicating that there is an invalid context.
# ERROR_PASSCODE_NOT_SET
Constant indicating that the passcode is not set for the device.
# ERROR_SYSTEM_CANCEL
Constant indicating that iOS cancelled authentication, for example, if another application enters the foreground.
# ERROR_TOUCH_ID_LOCKOUT DEPRECATED
DEPRECATED SINCE 10.0.0
This constant has deprecated in iOS. Use ERROR_BIOMETRY_LOCKOUT instead.
Constant indicating that Touch ID has locked out. Note: This constant has been deprecated for iOS 11 and later. Use ERROR_BIOMETRY_LOCKOUT for apps targeting iOS 11 and later.
# ERROR_TOUCH_ID_NOT_AVAILABLE DEPRECATED
DEPRECATED SINCE 10.0.0
Use ERROR_BIOMETRY_NOT_AVAILABLE instead.
Constant indicating that Touch ID is not available on the device. Note: This constant has been deprecated for iOS 11 and later. Use ERROR_BIOMETRY_NOT_AVAILABLE for apps targeting iOS 11 and later.
# ERROR_TOUCH_ID_NOT_ENROLLED DEPRECATED
DEPRECATED SINCE 10.0.0
Use ERROR_BIOMETRY_NOT_ENROLLED instead.
Constant indicating that Touch ID does not have any enrolled fingerprints. Note: This constant has been deprecated for iOS 11 and later. Use <Modules.Identity.ERROR_BIOMETRY_NOT_ENROLLED for apps targeting iOS 11 and later.
# ERROR_USER_CANCEL
Constant indicating that the user canceled authentication.
# ERROR_USER_FALLBACK
Constant indicating that the user tapped the fallback button to enter their passcode.