Fingerprint Authentication in Mobile Apps
Use Touch ID and Android fingerprint scanners through the official biometric APIs — never raw fingerprint data — for fast, friction-free auth.
Founder, Newly
Fingerprint authentication is one of the highest-trust UX moments in your app. Both iOS and Android wrap the underlying optical, capacitive or ultrasonic sensors behind a unified prompt that handles enrolment, fallback, secure storage and rate limiting for you. You never see raw fingerprint data — you only get a yes/no answer and (optionally) a secure key release.
Key Takeaways
- Use LocalAuthentication on iOS and BiometricPrompt on Android — never custom UI for biometrics.
- Touch ID lives on older iPhones, the iPad mini and several iPads; Face ID replaces it on most modern iPhones.
- On Android, in-display ultrasonic and optical sensors are the modern norm; rear/side capacitive on lower-end devices.
- Always offer a non-biometric fallback (passcode, pattern, password).
Fingerprint Auth at a Glance
What It Is & How It Works
What it is. A capacitive, optical or ultrasonic sensor that reads ridge patterns and matches them against templates stored in the secure enclave / TEE. Your app never receives raw images.
How it works. You call the system biometric prompt; the OS handles the sensor read and returns a result (success / fail / fallback). You can optionally tie it to a key in the keystore.
Units & signal. There are no raw units to consume — you receive an enum (success, failure, lockout, biometry-not-available, etc.).
What You Can Build With It
App login
Skip the password screen for returning users with biometric unlock.
Example: A banking app that asks for Touch ID after the first password login.
Sensitive action confirmation
Re-authenticate before transferring money or deleting data.
Example: A wallet app requiring biometrics before signing a transaction.
Password manager unlock
Gate the secret store behind a fingerprint prompt.
Example: A password app that locks after 60 seconds of inactivity.
Hardware-backed signatures
Tie a private key to the user's biometric so signatures require a fingerprint.
Example: A health record app that signs disclosures locally.
Permissions & Setup
Touch ID needs no permission key but always shows a system prompt. Android's BiometricPrompt is similarly self-mediated.
iOS · Info.plist
No Info.plist key required for Touch IDNSFaceIDUsageDescription if Face ID also possible
Android · AndroidManifest.xml
android.permission.USE_BIOMETRIC (auto-granted)
Code Examples
Setup
- Expo: `npx expo install expo-local-authentication`
- iOS: add NSFaceIDUsageDescription if you may also call Face ID
- Android: add USE_BIOMETRIC to AndroidManifest.xml (auto-granted)
import * as LocalAuthentication from 'expo-local-authentication';
export async function requireBiometrics(reason = 'Verify it\'s you') {
const hasHardware = await LocalAuthentication.hasHardwareAsync();
if (!hasHardware) return { ok: false, reason: 'no-hardware' as const };
const enrolled = await LocalAuthentication.isEnrolledAsync();
if (!enrolled) return { ok: false, reason: 'not-enrolled' as const };
const result = await LocalAuthentication.authenticateAsync({
promptMessage: reason,
fallbackLabel: 'Use passcode',
cancelLabel: 'Cancel',
disableDeviceFallback: false,
});
return result.success
? { ok: true as const }
: { ok: false as const, reason: result.error };
}Tip: With Newly, you describe the feature you want and the AI agent wires up the sensor, permissions, and UI for you. Try it free.
Best Practices
Always offer a non-biometric fallback
Cuts, dirt and gloves break fingerprint reads. Make sure passcode/password is one tap away.
Tie biometrics to keystore-backed keys
Don't treat the prompt as a "true/false" check; release a hardware-backed key so a successful prompt is cryptographically required.
Re-authenticate after long idle
Even with biometrics, force re-auth after a configurable timeout to limit "dropped phone" damage.
Detect newly enrolled fingerprints
Both platforms can invalidate keys when biometric enrolment changes — use this for high-risk apps.
Common Pitfalls
Building a custom biometric UI
Apple and Google reject this; the system prompt is mandatory.
Mitigation: Use only the official APIs and customise allowed text/labels.
No fallback path
A user with a wet finger or a worn-out sensor can't get in.
Mitigation: Always provide passcode/password as a backup auth method.
Treating biometrics as identity
Biometrics prove possession of an unlocked device, not identity.
Mitigation: Combine with server-side session tokens for true identity.
When To Use It (And When Not To)
Good fit
- Returning-user app login
- High-value action confirmation
- Unlocking a local password vault
- Hardware-backed signing or encryption
Look elsewhere if…
- First-time enrolment (need account creation)
- Cross-device identity (biometric is local only)
- Always-on auth for low-risk reads
- Replacing 2FA on highly sensitive accounts
Frequently Asked Questions
Touch ID or Face ID — how do I know which is on the device?
On iOS, inspect `LAContext().biometryType`; on Android, `BiometricManager` reports the supported strong/weak class.
What's the difference between BIOMETRIC_STRONG and BIOMETRIC_WEAK?
STRONG meets Android's strict spoof and FAR requirements and can release keystore keys; WEAK includes some face-unlock implementations and cannot.
Can my app see the fingerprint image?
No — both platforms only return success/failure. Raw biometric data never leaves the secure enclave / TEE.
Does Expo support both Touch ID and Face ID?
Yes — `expo-local-authentication` covers both biometric flows on iOS and Android.
Build with the Fingerprint Sensor on Newly
Ship a fingerprint sensor-powered feature this week
Newly turns a description like “use the fingerprint sensor to app login” into a real React Native app — permissions, native modules and UI included. Full source code is yours, and you can publish to the App Store and Google Play directly from the dashboard.
Want a deeper dive on the underlying APIs? See Expo Sensors, Apple Core Motion and Android sensor framework.