
Biometric authentication against server

Çağlar Arlı


I'm working on an iOS app whose login system does not seem entirely secure but I don't know enough to be sure.

Skipping account creation, the first time the user logs in they send their user and hashed pass to the server to acquire a token with which they can make the rest of the API calls.

This seems fine but the user is given the option to activate biometric authentication in the app's settings and this is where I'm not certain about the implementation being secure.

To activate this feature, the user proves the ownership of their phone using Face ID or Touch ID. If this is done successfully, the app makes an API call sending the following information to the server which activates biometric authentication for this user's account:

  • the username (redundant)
  • the session token
  • the device's internal id number
  • the device's notification (APNS) id

From that point on, in order to acquire a token (login) the app makes a different API call (not the normal user/pass call) where only the user and the 2 previously mentioned ids are sent (obviously this is done only after the user successfully uses the phone's biometric authentication).

Is this secure? It doesn't seem inconceivable that someone could figure out the username, and those 2 device identifiers to gain access. If it isn't secure, what would the right approach be? How do bank apps do it for example?

I couldn't find an answer to these questions by googling etc.
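The core weakness in the flow described above is that the two device identifiers act as a static, long-lived password: anyone who learns them (they are not secret and they travel in every request) can call the biometric login endpoint without ever touching the phone, and a captured request can be replayed. The usual fix, and what banking apps generally do, is to enrol a device-bound secret that the biometric prompt merely unlocks, and then have the server verify possession of that secret with a fresh challenge on every login. The following is an added example (not code from the questioner's app) modelling both sides of that exchange. To stay within the Python standard library it uses a random HMAC key as the device secret; on a real iOS device this would be an asymmetric key created in the Secure Enclave with a biometric access-control flag, and the device would sign the nonce rather than MAC it. The user, password and identifiers below are constructed sample values.

```python
"""Challenge-response biometric login with a device-bound secret (added example).

The server stores a random per-device secret created at enrolment and, at
login, asks the device to prove possession of it over a fresh, single-use
nonce. Knowing the username or any device identifier is useless on its own,
and a captured response cannot be replayed. The secret is modelled as an
HMAC key; a real iOS app would keep a Secure Enclave key with a biometric
access-control flag and sign the nonce instead.
"""
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 60  # seconds a nonce stays valid


def prove(secret, device_id, nonce):
    """Proof of possession: MAC over the nonce, bound to the device id."""
    return hmac.new(secret, device_id.encode() + nonce, hashlib.sha256).digest()


class Server:
    def __init__(self):
        # Constructed sample user; mirrors the question's client-side hashed password.
        self.users = {"alice": hashlib.sha256(b"correct horse").hexdigest()}
        self.sessions = {}    # token -> username
        self.devices = {}     # device_id -> (username, device_secret)
        self.challenges = {}  # device_id -> (nonce, expiry)

    def password_login(self, username, password_hash):
        stored = self.users.get(username)
        if stored is None or not hmac.compare_digest(stored, password_hash):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return token

    def enroll_device(self, session_token, device_secret):
        """Called once, after the app has confirmed Face ID / Touch ID locally."""
        username = self.sessions.get(session_token)
        if username is None:
            return None
        device_id = secrets.token_hex(16)  # server-chosen handle, not a hardware id
        self.devices[device_id] = (username, device_secret)
        return device_id

    def issue_challenge(self, device_id):
        nonce = secrets.token_bytes(32)
        self.challenges[device_id] = (nonce, time.monotonic() + CHALLENGE_TTL)
        return nonce

    def biometric_login(self, device_id, response):
        challenge = self.challenges.pop(device_id, None)  # single use: replay fails
        entry = self.devices.get(device_id)
        if challenge is None or entry is None:
            return None
        nonce, expiry = challenge
        if time.monotonic() > expiry:
            return None
        username, secret = entry
        if not hmac.compare_digest(prove(secret, device_id, nonce), response):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return token


class Device:
    def __init__(self):
        self.secret = None     # would live in the Secure Enclave on a real phone
        self.device_id = None

    def enroll(self, server, session_token, biometric_ok):
        if not biometric_ok:   # LocalAuthentication prompt failed or was cancelled
            return False
        self.secret = secrets.token_bytes(32)
        self.device_id = server.enroll_device(session_token, self.secret)
        return self.device_id is not None

    def login(self, server, biometric_ok):
        if not biometric_ok:
            return None
        nonce = server.issue_challenge(self.device_id)
        return server.biometric_login(self.device_id, prove(self.secret, self.device_id, nonce))


def demo():
    """Returns (legit login ok, wrong secret rejected, first use ok, replay rejected)."""
    server, phone = Server(), Device()
    token = server.password_login("alice", hashlib.sha256(b"correct horse").hexdigest())
    assert phone.enroll(server, token, biometric_ok=True)

    legit = phone.login(server, biometric_ok=True)
    # A caller who knows the device id but not the enrolled secret is rejected.
    nonce = server.issue_challenge(phone.device_id)
    wrong = server.biometric_login(phone.device_id, prove(b"guess", phone.device_id, nonce))
    # A previously valid response is rejected the second time (nonce consumed).
    nonce = server.issue_challenge(phone.device_id)
    response = prove(phone.secret, phone.device_id, nonce)
    first = server.biometric_login(phone.device_id, response)
    replay = server.biometric_login(phone.device_id, response)
    return legit is not None, wrong is None, first is not None, replay is None


if __name__ == "__main__":
    print(demo())  # (True, True, True, True)
```

Two design points carry over directly to the app in the question: the biometric check is purely local and only gates access to the device secret (the server never learns whether Face ID succeeded, it only sees a valid proof), and the login endpoint should accept nothing static, so the session token, internal id and APNS id remain harmless even if disclosed.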