Passwordless Authentication on iOS with Touch ID (Swift)


Touch ID with Auth0 has been deprecated. This document is offered as reference for older implementations.

For an alternative approach, using the Credentials Manager utility in Auth0.swift, refer to Touch ID Authentication.

A feature specific to iOS is the support for Touch ID, which allows users to authenticate with their fingerprint (biometric authentication).

During sign-up, the library will generate a key pair on the device, create a user in Auth0, and register the public key for the user:

The private key is stored in the keystore of the device. Each time a user initiates authentication with a valid fingerprint, Touch ID retrieves the private key from the keystore, creates a token, signs it with the private key and sends it to Auth0. Auth0 then returns an ID Token, the user profile and, optionally, a Refresh Token.

You can use Touch ID with an iPhone 5s or later, an iPad Air 2, or an iPad mini 3 or later.


Using the Auth0 Lock

Lock is a widget that allows you to easily integrate Auth0's Passwordless Authentication into your iOS applications.

After installing and configuring Lock.iOS-OSX, you will be able to use Lock as follows.

let lock = ... //Fetch Lock instance from where you stored it
let controller = lock.newTouchIDViewController()
controller.onAuthenticationBlock = { (profile, token) in
    // Your user is now authenticated with Auth0
    // You'd probably want to store somewhere safe the tokens stored in "token" parameter
    self.dismissViewControllerAnimated(true, completion: nil)
lock.presentTouchIDController(controller, fromController: self)

Using your own UI

If you choose to build your own UI, you must install our TouchIDAuth library to handle the features specific to Touch ID.

Begin by signing up a user in a Database Connection:

let lock = ... //Fetch Lock instance from where you stored it
let client = lock.apiClient()
let params = A0AuthParameters.newDefaultParams();
params[A0ParameterConnection] = kAuth0ConnectionType; // Or your configured DB connection
    password: password, 
    loginOnSuccess: true,
    parameters: params,
    success: { (profile, token) -> () in
    failure: { (error) -> () in
        // Handle failure

You can generate a random password to avoid asking the user for one at this time. The user can change it later.

Once the user has signed up, use the idToken to register the public key for the user.

First, you will need a place to store an Auth0 API application with the token until you register the key, and a place to store the TouchID component:

var userClient: A0UserAPIClient!
var authentication: A0TouchIDAuthentication!

Now implement the following method to perform TouchID authentication:

func loginTouchIDWithToken(token: String) {}

Then create and store the API application:

let lock = ... //Fetch Lock instance from where you stored it
self.userClient = lock.newUserAPIClientWithIdToken(token.idToken)

Now configure the TouchID Authentication component:

let device = UIDevice.currentDevice().identifierForVendor().UUIDString()
let userId = profile!.userId

let authentication = A0TouchIDAuthentication()
authentication.registerPublicKey = { (pubKey, completed, errored) in
    let registerBlock = {
            device: device, 
            user: userId, 
            success: { completed() },
            failure: { error in errored(error) })
        success: { registerBlock() },
        failure: { _ in registerBlock() })

authentication.jwtPayload = {
    return [
             "iss": userId,
             "device": device,

authentication.authenticate = { (jwt, block) in
    let parameters = A0AuthParameters.newWithDictionary([      
       A0ScopeProfile: "openid name email nickname"

        deviceName: device,
        parameters: parameters,
        success: { (profile, token) in
            // User is authenticated with Auth0 & Touch ID
        failure: { error in block(error) })
authentication.onError = { error in 
    // Handle authentication error

self.authentication = authentication;

Then, to begin authentication, add this line: