Biometric authentication in Capacitor apps
Add Face ID, Touch ID, and Android biometric login to your Capacitor app. How biometric authentication works, how to store secrets safely behind it, and how OTA updates keep the flow current.
Face ID, Touch ID, and Android biometric prompts turn a clunky password re-entry into a half-second glance. Adding them to a Capacitor app is straightforward — the trick is doing it securely, which means pairing the biometric check with proper secret storage rather than treating the prompt as the whole security story. This guide covers both, with OtaKit for iterating the flow.
Key mental model: a biometric prompt is a gate, not a vault. The real security comes from storing the secret it unlocks in the platform keystore. A biometric check with the token sitting in localStorage is theater.
1. Add a biometric plugin
Use a maintained Capacitor biometric plugin (several community options exist). After installing:
npx cap sync
The native pieces — NSFaceIDUsageDescription on iOS, the biometric permission on Android — belong in your store build.
2. Gate a sensitive action
async function unlockWithBiometrics() {
const available = await Biometric.isAvailable();
if (!available.isAvailable) return fallbackToPassword();
try {
await Biometric.authenticate({ reason: 'Unlock your account' });
return loadSessionFromSecureStorage();
} catch {
return fallbackToPassword();
}
}3. Store the secret in the keystore
Behind the biometric gate, keep the actual token in the iOS Keychain or Android Keystore — never in web storage. This is the part that makes biometric auth meaningful. See secure token storage in Capacitor for the how.
4. Always have a fallback
Biometrics fail: a wet fingerprint, a mask, a device without a sensor, a user who declined the permission. Every biometric flow needs a password or PIN fallback, or you'll lock people out of their own accounts.
The UX of the prompt — when to ask, what the fallback looks like, copy on the screen — is web-layer code. Ship refinements over the air with otakit upload --release production instead of waiting on a store review.
Where to go next
Pair this with social login for the sign-in side, and read Security for OtaKit's own update-integrity model.