Hi,
This feature request proposes that Auth0 enhance its mobile SDKs to support “Offline Login” functionality. This would enable users of mobile applications integrated with Auth0 to authenticate and access the application even when there is no active internet connection, by leveraging both local passcode or biometric authentication (e.g., fingerprint, face ID) and a saved password hash check.
This addresses a critical need for applications that require high availability and functionality in environments with intermittent or no network connectivity.
Currently, Auth0’s core authentication flow (Universal Login) fundamentally relies on an active internet connection to communicate with Auth0’s servers for user authentication, token issuance, and refresh. While existing mechanisms allow for caching of tokens (e.g., refresh tokens with offline_access scope), these still require an online connection for initial login, token renewal, or in scenarios where cached tokens expire or are revoked.
Many mobile applications that require authentication for login have this functionality as standard. When a user in such an environment attempts to log in or re-authenticate (e.g., after an app restart or a session timeout), the inability to do so offline creates a significant user experience barrier and can render the application unusable until connectivity is restored. This leads to user frustration and reduced productivity.
Auth0 should implement a robust “Offline Login” feature within its mobile SDKs (iOS, Android) that allows for user authentication and session management without requiring an immediate internet connection. This could be achieved through a mechanism like:
- Initial Online Registration:
- When a user first logs in online with Universal Login, the Auth0 SDK should securely store necessary user identification and authentication context locally (e.g., a “passcode seed” or a secure identifier linked to the user’s online session). This would be in addition to standard tokens.
- During this initial online setup, the user would be prompted to set up a local passcode (PIN) or enable biometric authentication (fingerprint/Face ID) for offline access. This local authentication method would be bound to the user’s authenticated session.
- Offline Authentication Flow:
- When the mobile application is launched or re-authenticated offline, the Auth0 SDK would detect the lack of internet connectivity.
- Instead of redirecting to Universal Login, it would present a local authentication prompt (passcode input or biometric scanner).
- Upon successful local authentication, the SDK would verify the user’s identity against the securely stored local context. This verification should be entirely self-contained within the device and not require an external network call.
- If the local authentication is successful and the cached session is still valid (based on its original expiration or a locally managed validity period), the SDK would return a locally validated “offline token” or indicate a successful offline session. This offline token would grant access to the application’s offline capabilities.
- Online Re-synchronization:
- Once internet connectivity is restored, the Auth0 SDK should automatically attempt to re-synchronize the user’s session with Auth0’s servers. This could involve renewing existing refresh tokens or re-authenticating silently if the local session is no longer considered secure for online operations.
- This seamless transition from offline to online mode should ideally occur without requiring further user interaction.
Key Benefits:
Enhanced User Experience: Users can continue to access essential application features even in environments without internet access, leading to uninterrupted workflows and increased productivity.
Increased Application Availability: Mobile applications become more resilient and reliable, especially in critical field operations or remote locations.
Security: Local authentication using passcodes or biometrics, combined with secure local storage of authentication context, can provide a reasonable level of security for offline access.
Competitive Advantage: This feature would position Auth0 as a more comprehensive solution for offline-first mobile applications, addressing a gap that some competitors might already be exploring.
Reduced Support Burden: Less user frustration due to connectivity issues translates to fewer support tickets.
Considerations & Technical Details:
- Security of Local Storage: The secure storage of any local authentication artifacts (passcode seeds, session identifiers) is paramount. Auth0’s SDKs would need to leverage platform-specific secure storage mechanisms (e.g., iOS Keychain, Android Keystore).
- Offline Token Scope/Validity: The “offline token” issued by the SDK should have a clearly defined scope and a relatively short expiration period to minimize security risks. Its primary purpose is to grant access to offline application functionalities.
- Refresh Token Management: Existing refresh token mechanisms should be integrated. The “offline login” would enable access when refresh tokens cannot be exchanged due to lack of connectivity, but online connectivity would still be required for long-term session maintenance and actual token renewal.
- Passcode/Biometric Management: The SDK would need APIs for setting, changing, and potentially recovering the local passcode/biometric enrollment.
- User Logout: A clear mechanism for logging out (which should also invalidate the local offline session) would be necessary.
- Device Context: The offline login should ideally be tied to the specific device where the initial online login occurred.
- Optional Feature: This should be an opt-in feature for applications that require it, allowing developers to configure its behavior and security policies.
Impact:
Implementing offline login capabilities would significantly broaden Auth0’s appeal to developers building mission-critical mobile applications that demand high availability and seamless user experiences regardless of network conditions. This would be a substantial improvement over the current “online-only” authentication paradigm.
We kindly request Auth0 to consider this feature for inclusion in its mobile SDK development roadmap.