Auth0 Home Blog Docs

Multi-User Offline Access w/ iOS Lock.swift

ios
lock-for-ios

#1

I am developing an app which uses Auth0 for authentication with the following requirements:

  1. Users must be able to log in with their individual accounts on a shared device.
  2. Any time the app enters a background state (the user navigates to the home screen or a different app, for example) the user must be logged out automatically.
  3. The user must enter their username and password any time they wish to log in. The user must not be logged in automatically.
  4. When the device is not connected to the internet, any user who successfully logged in within the last 7 days must be able to log in with their last-used information, after which they must reauthenticate before logging in again.

I am having trouble satisfying requirement #4 using Lock.swift v2. I would prefer to avoid forking Lock.swift if possible.

Essentially, no matter what, Lock must display every time the app is opened - I don’t have a problem with that. What I have been unable to find any information on is how to allow a user to enter a username/password while offline, and validate it manually (as Lock.swift doesn’t appear to contain this functionality).


#2

The combination of multi-user device plus offline authentication is a really complex set of requirements which in general could best be handled by avoiding getting into that situation, but this may be out of your control also. In terms of Lock the expectation/requirement is that authentication needs to be completed online so there’s no formal support for validating a username/password offline when using Lock. In addition, I would personally recommend against any approach that requires the storage of password hashes locally on the device.

If the application is offline I’m assuming any triggered actions results in data being stored which can later be synced. In that case if the data is not sensitive and the requirement for login was mostly for non-repudiation (action X was done by user Y) then you may want to consider not forcing authentication when oflline and only require authentication when coming online to sync although this would mean each user would need to sync the actions associated with him individually. Depending on the exact circumstances you could even consider having an additional local check that guarantees that it is an authorized user handling the device, but does not require online authentication to be completed; for example, a local pin each user that previously completed authentication can set or some biometric check.


#3