Biometric Authentication

Last updated: May 22, 2026

Biometric Authentication adds a security gate to specific pages in your app. When a user navigates to a protected URL, the app prompts them to verify their identity using Face ID, fingerprint, or their device PIN/pattern — before the page is shown. This is useful for account settings, payment pages, medical records, or any content that should only be visible to the device owner.

Authentication Methods

Restrict to Biometric Only

By default, the app accepts any device authentication method — biometrics (Face ID, fingerprint) or the device PIN/pattern/password. When this is enabled, only biometric methods are accepted.

  • Default: Disabled (PIN and pattern are also accepted)

Note: If a device does not have biometric hardware, or the user has not enrolled biometrics, enabling this option will prevent those users from accessing protected pages. Only enable it when maximum security is required.

Authentication Message

The message shown to the user in the authentication dialog, explaining why they need to verify.

  • Default: Please authenticate to see the confidential information.
  • Maximum length: 200 characters

Keep it short and specific to the context — for example: Verify your identity to access payment details.

Face ID Usage Description (iOS Only)

iOS requires a written explanation of why your app uses Face ID. This text is stored in the app's Info.plist and may be reviewed by Apple during app review.

  • Default: This feature is required to verify the device owner before seeing confidential information.
  • Maximum length: 500 characters

Be specific. Apple may reject apps with vague descriptions. Example: We use Face ID to ensure only you can access your private account information.

Protected URLs

List the pages that require authentication before they are shown. Enter one domain, full URL, or URL fragment per line.

Example                   Matches
example.com/account       Any URL containing /account
[example.com/payment]     Only the exact URL example.com/payment
example.com/*/settings    URLs like example.com/user/settings, example.com/1/settings

When a user navigates to a matching URL, the authentication prompt appears. If they pass, the page loads normally. If they cancel or fail, the page is not shown.
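
The three pattern forms from the table above, modeled as an added example (not the product's own code) so a pattern list can be checked against sample URLs before release. It assumes the scheme is ignored, "*" stands for exactly one path segment, and matching is case-sensitive; the pattern list and URLs are constructed.

```javascript
// Added example: a model of the documented pattern forms, not the app's matcher.
// Assumptions: scheme is ignored, "*" = exactly one path segment, case-sensitive.

function stripScheme(url) {
  return url.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "");
}

function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Turn one settings line into a RegExp.
// "[...]" means exact match; anything else is a "contains" match.
function compilePattern(line) {
  const raw = line.trim();
  const exact = raw.startsWith("[") && raw.endsWith("]");
  const body = stripScheme(exact ? raw.slice(1, -1) : raw);
  // Escape the literal parts, then join them with "one path segment".
  const core = body.split("*").map(escapeRegex).join("[^/?#]+");
  return new RegExp(exact ? `^${core}$` : core);
}

function isProtected(url, patternLines) {
  const target = stripScheme(url);
  return patternLines
    .filter((l) => l.trim() !== "")
    .some((l) => compilePattern(l).test(target));
}

// Constructed pattern list, one entry per line as in the settings field.
const PATTERNS = [
  "example.com/account",
  "[example.com/payment]",
  "example.com/*/settings",
];

// Constructed URLs, including variants that are easy to overlook.
const CHECKS = [
  "https://example.com/account/profile", // contains match
  "https://example.com/payment",         // exact match
  "https://example.com/payment?step=2",  // query string: not the exact URL
  "https://example.com/user/settings",   // one segment for "*"
  "https://example.com/a/b/settings",    // two segments for "*"
];

function coverageReport(urls, patterns) {
  return urls.map((u) => ({ url: u, gated: isProtected(u, patterns) }));
}

console.table(coverageReport(CHECKS, PATTERNS));
```

Any row reported as not gated is a page to verify on a real device before relying on the pattern list.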

Triggering Auth via JavaScript Bridge

You can also trigger biometric authentication programmatically from your website — for example, before a form is submitted or before sensitive data is revealed. See the Biometric Auth JavaScript Bridge article for full implementation details.