Local authentication

[tschbc]

I propose to add local authentication mechanisms to the toolkit.

Purpose

A form of "protection" by asking a user for confirmation by requiring them to enter the correct credentials for their current login.

• Settings or profile pages
• Financial apps
• Apps that deal with Personal Identifiable Information
• Authenticator apps
• Any other app that needs a level of security that requires additional authentication checks

Expectations

• As small of an API as feasible
• Authentication prompts use built-in OS prompts/forms
• By default, we use the user's preferred OS login method (PIN, facial recognition, fingerprint, password, smart card, FIDO2 passkey, etc.)
  • If possible/feasible, allow the user to override their default login method specific to the app
• If a password (or any text-based credential) is entered, we should not have or provide access to it—only a result if the authentication was successful or not.
  • The intent is not to impersonate the user for upstream services—only a "heat-check" to see if it's really the expected user attempting a protected action.

New APIs

As a start, here's what I think we need (subject to change per discussion):

1. PromptAuthentication method: the main driver of the functionality. By default, shows an OS built-in prompt to the user to authenticate. Can be configured to prefer a type of authentication (password, PIN, touch, face, etc.).
2. AuthenticationOptions class: an object containing configurable settings that can be passed to PromptAuthentication.

   • Type:

     Name	Platform	Description
     Default	Cross-platform	The user's preferred OS login method
     AppDefault	Cross-platform	The user's preferred overridden login method specific to the app
     Account	Cross-platform	e.g. iOS' iCloud account password, Windows' account password (linked email or local user), Android's linked email
     Fingerprint	Cross-platform	Touch ID, Windows Hello Fingerprint recognition, Android fingerprint recognition
     Face	Cross-platform	Windows Hello face authentication, Face ID, Android Face authentication
     PIN	Cross-platform	Windows Hello PIN, Android PIN, iOS Passcode
     Pattern	Platform-specific	Android pattern
     Passkey	Desktop-specific?	FIDO2/WebAuthn passkey

     I have absolutely missed instances of each type per platform, so this table is not exhaustive, but would ideally include as much as possible/feasible.

   • Justification: a string explaining why the user needs to authenticate

   • any other settings that are valuable or make sense

3. AuthenticationResult enum: describes what happened with the authentication attempt
   • At a minimum, it should contain "successful", "failed", and "not configured" in cross-platform.
   • Not sure off-hand how to do it cleanly, but also provide a reasonable mechanism to deal with platform-specific results (unless it's simple enough to do with platform directives in MAUI).

Existing implementations

• https://github.com/smstuebe/xamarin-fingerprint
• https://github.com/oscoreio/Maui.Biometric

Why bother implementing in the community toolkit?

1. xamarin-fingerprint is abandoned, Maui.Biometric's last update was 7 months ago and has little activity. Rather than making Just Another Fork™, we could roll implementations into the toolkit so they stay a bit more visible alongside the rest of it.
2. In my opinion, a local authentication mechanism would fit better as an actual part of MAUI itself—but I think has a better chance of becoming a reality if it goes in the toolkit instead. The MAUI team is busy enough with their current work.

[GeorgeLeithead]

I think this could be a good addition to the tool-kit.

[Domik234]

Maui.Biometric has recently added new commits. The individual authentication APIs do not change much, unlike the usage requirements.

The user of the device chooses the login method according to their preferences and so it may not be possible to programmatically set a PIN, gesture or pattern. These will be grouped as device credential options.

Biometric authentication may require strong authentication or, conversely, may allow login using the device's regular method as a secondary option (PIN, gesture, pattern or device supported alternative). The use case depends on the level of security required - for example, only a fingerprint can be used, in the sense that there is currently one on the phone, or a key can be generated that secures the fingerprint for possible changes or is even exchanged with a remote server.

But... I believe there could be an implementation of specific authentications (for example: BiometricAuthentication, WebAuthentication...).