Passwordless Authentication with iOS and AWS Lambda
This repository contains an implementation of passwordless authentication with an iOS client, which generates and holds its keys in the Secure Enclave, and an AWS Lambda microservice, which validates the client's signed responses in a serverless architecture. The solution is FIDO2 compliant and uses FaceID biometric authentication on the iOS client.
The authentication flow works as follows:
- The iOS client generates a public-private key pair in the Secure Enclave, the hardware-based key manager built into Apple devices.
- The public key is securely transmitted to the AWS Lambda microservice, where it is double encrypted using AWS Key Management Service (KMS) and server-side keys before it is stored.
- During authentication, the user is prompted for FaceID biometric authentication on the iOS client.
- Upon successful FaceID authentication, the iOS client signs a challenge with the private key, and the AWS Lambda microservice verifies the signature using the stored public key.
- Upon successful verification, the user is authenticated without the need for a traditional password.
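The challenge-response exchange in the flow above, as an added example that is not code from this repository: the server half is what the Lambda handler does (store the enrolled public key, issue a random challenge, verify the signature), the client half is what the app does after FaceID succeeds. Assumptions: a software P-256 key stands in for the Secure Enclave key (the Secure Enclave only produces 256-bit EC keys, created on a device with SecKeyCreateRandomKey and signing via SecKeyCreateSignature with ecdsaSignatureMessageX962SHA256, which yields the same DER signature format used here); keys and challenges live in maps instead of a database; the user ID "alice" and the 30-second challenge lifetime are constructed values. The FaceID prompt itself cannot be reproduced offline and is only marked in a comment.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
	"time"
)

type challenge struct {
	nonce   []byte
	expires time.Time
}

// AuthServer is the Lambda side: enrolled keys and outstanding challenges
// (maps here; a deployment would use a database with a TTL on challenges).
type AuthServer struct {
	pubKeys    map[string]*ecdsa.PublicKey
	challenges map[string]challenge
	ttl        time.Duration
}

func NewAuthServer(ttl time.Duration) *AuthServer {
	return &AuthServer{map[string]*ecdsa.PublicKey{}, map[string]challenge{}, ttl}
}

// Register accepts the SPKI (DER) public key uploaded at enrolment and insists
// on ECDSA P-256, the only key type the Secure Enclave produces.
func (s *AuthServer) Register(userID string, spkiDER []byte) error {
	parsed, err := x509.ParsePKIXPublicKey(spkiDER)
	if err != nil {
		return err
	}
	pub, ok := parsed.(*ecdsa.PublicKey)
	if !ok || pub.Curve != elliptic.P256() {
		return errors.New("register: expected an ECDSA P-256 key")
	}
	s.pubKeys[userID] = pub
	return nil
}

// Challenge issues a fresh 32-byte random nonce that expires after ttl. It is
// issued even for unknown users so the endpoint does not reveal who is enrolled.
func (s *AuthServer) Challenge(userID string) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[userID] = challenge{nonce, time.Now().Add(s.ttl)}
	return nonce, nil
}

// Verify checks a DER (X9.62) ECDSA signature over SHA-256 of the nonce the
// server itself issued. The challenge is deleted on every attempt, so a
// captured signature cannot be replayed; an expired challenge is refused.
func (s *AuthServer) Verify(userID string, sig []byte) error {
	pub, ok := s.pubKeys[userID]
	c, had := s.challenges[userID]
	delete(s.challenges, userID)
	if !ok || !had || time.Now().After(c.expires) {
		return errors.New("verify: no valid challenge for user")
	}
	digest := sha256.Sum256(c.nonce)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("verify: bad signature")
	}
	return nil
}

// EnclaveKey is the client side: a software P-256 key standing in for the
// Secure Enclave key, whose private half never leaves the device (assumption
// for this example). Only Sign and the public key are used, as with SecKey.
type EnclaveKey struct{ priv *ecdsa.PrivateKey }

// Sign hashes the challenge and returns a DER signature, the format the Secure
// Enclave emits for the ecdsaSignatureMessageX962SHA256 algorithm.
func (k *EnclaveKey) Sign(nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, k.priv, digest[:])
}

func main() {
	srv := NewAuthServer(30 * time.Second)
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	key := &EnclaveKey{priv}
	spki, _ := x509.MarshalPKIXPublicKey(&key.priv.PublicKey) // enrolment upload
	fmt.Println("register:", srv.Register("alice", spki))
	nonce, _ := srv.Challenge("alice") // login: server issues the challenge
	sig, _ := key.Sign(nonce)          // device: FaceID gates this step
	fmt.Println("verify:", srv.Verify("alice", sig))
}
```

Two details carry most of the security value: the server signs nothing and trusts nothing from the client except the signature over a nonce it generated itself, and every challenge is single-use and short-lived, so a captured signature is worthless after the first attempt. Register also pins the key type, so an enrolment request carrying an RSA or P-384 key is rejected rather than silently accepted.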
The Secure Enclave is a hardware-based security feature introduced by Apple to provide an isolated environment for cryptographic operations and for storing sensitive data. It is designed to resist software attacks and is separate from the main processor and operating system.
In this implementation, the Secure Enclave generates and manages the public-private key pair used for passwordless authentication. The private key never leaves the Secure Enclave, so it stays isolated from the rest of the system.
This implementation is compliant with the FIDO2 (Fast IDentity Online) standard for passwordless authentication. FIDO2 is a set of specifications that define an open, scalable, and interoperable mechanism for authenticating users without the need for passwords.
On the iOS client, FaceID biometric authentication is used as the second factor for FIDO2 authentication. FaceID provides a secure and convenient way for users to authenticate using their facial biometrics, ensuring a seamless and password-free experience.
By using AWS Lambda and Docker for the server-side microservice, this implementation leverages the benefits of serverless computing, including:
- Faster development and deployment: AWS Lambda allows you to focus on writing code without worrying about provisioning or managing servers.
- Scalability: Lambda automatically scales to handle increased traffic, ensuring consistent performance and availability.
- Cost-effective: You only pay for the compute time used, making it cost-effective for varying workloads.
Security is a top priority in this implementation. The following measures have been taken to ensure the safety and integrity of the authentication process:
- Secure Key Storage: The public keys are double encrypted using AWS Key Management Service (KMS) and server-side keys before storage, providing an additional layer of security.
- Private Key Protection: The private keys generated by the Secure Enclave never leave the user's device, mitigating the risk of key compromise.
- Secure Communication: All communication between the iOS client and the AWS Lambda microservice is encrypted using industry-standard protocols.
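One way to realise the two encryption layers described under Secure Key Storage, as an added example that is not code from this repository: envelope encryption, where a per-record data key is wrapped by an outer key and the public key is sealed under the data key, with the user ID bound as additional authenticated data at both layers. Assumptions: a locally generated 32-byte kek stands in for the KMS key (with real KMS the data key would be obtained from GenerateDataKey and unwrapped with Decrypt, so the outer key never leaves KMS); the user IDs and the public-key bytes are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredKey is the at-rest record for one user's public key: a per-record data
// key wrapped by the outer key (KMS-managed in the real service), plus the
// public key sealed under that data key. Each ciphertext carries its nonce.
type StoredKey struct {
	WrappedDEK []byte
	Sealed     []byte
}

// seal encrypts with AES-256-GCM under a fresh random nonce, prefixing the
// nonce to the output; aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal reverses seal; any change to ciphertext, nonce or aad fails authentication.
func unseal(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Protect produces the stored record. kek stands in for the KMS key (assumption
// for this example): with real KMS the data key would come from GenerateDataKey
// and be unwrapped with Decrypt rather than handled locally.
func Protect(kek []byte, userID string, pubKeyDER []byte) (StoredKey, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return StoredKey{}, err
	}
	wrapped, err := seal(kek, dek, []byte(userID))
	if err != nil {
		return StoredKey{}, err
	}
	sealed, err := seal(dek, pubKeyDER, []byte(userID))
	if err != nil {
		return StoredKey{}, err
	}
	return StoredKey{wrapped, sealed}, nil
}

// Recover unwraps the data key and decrypts the public key. Because userID is
// bound as AAD at both layers, a record copied onto another user's row fails.
func Recover(kek []byte, userID string, rec StoredKey) ([]byte, error) {
	dek, err := unseal(kek, rec.WrappedDEK, []byte(userID))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return unseal(dek, rec.Sealed, []byte(userID))
}

func main() {
	kek := make([]byte, 32) // constructed stand-in for the KMS key
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	rec, err := Protect(kek, "alice", []byte("constructed SPKI bytes"))
	if err != nil {
		panic(err)
	}
	pub, err := Recover(kek, "alice", rec)
	fmt.Printf("recovered %q, err=%v\n", pub, err)
	_, err = Recover(kek, "mallory", rec)
	fmt.Println("record read under a different user ID:", err)
}
```

For a public key the property that matters most at rest is integrity rather than confidentiality: the GCM authentication tag together with the user ID in the AAD is what stops a stored key from being swapped or moved between users without detection, and a mismatch fails closed with an error instead of yielding a plausible-looking key.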