I've been researching for two days trying to figure out how to authenticate a user for an iOS device. I've learned an immense amount but I am puzzled by the process, and what's really secure. Here's what I've found so far.
**Local Device Storage**
Anything that is stored locally on the phone should be done at a minimum with the Keychain. While NSUserDefaults can store usernames and passwords, it's basically an XML file that resides in the app's Library folder. This means anyone can get access to it. The Keychain uses Triple Digital Encryption Standard (3DES) to encrypt its data, making it much more secure than NSUserDefaults.
We can also use Touch ID to take this a step further. For anyone who is interested in more on this I recommend the tutorial by raywenderlich.com found here.
**Web Authentication**
This is where I start to get lost. The more I read, the more opinions I seem to find. Here are a few of the options I've found.
**HTTPS Not Secure:** Create an HTTPS .POST request to send username and password information to a server.
**HTTPS with AES Encryption Not Secure:** Any username and password information sent with an HTTPS .POST request should encrypt the data with AES Encryption before it is sent.
**HTTPS + OAuth Secure:** From what I've read this is the best way of making user authentication secure. However, I can't find much information that walks a beginner like myself through the steps. I am familiar with Apple Pay and the tokenization process used to make payments. However, that all resides at Apple. If I am trying to implement my own user authentication on my own servers, can someone help me understand the layout from a web perspective and an iOS perspective? Here is my best attempt.
iOS: I think I understand the parts but I do not understand their order. If I wanted to securely authenticate a user, is the following process correct? Use an OAuth2 client like https://github.com/nxtbgthng/OAuth2Client to create a token for the user. Use AES Encryption to encrypt username and password information. Make a .POST request with the encrypted username and password using the token?
Web: The website would store token information for individual users. When the .POST request was sent, it would use the token sent to match to the user's device. When the match was made, it would allow the receiving .POST method to decrypt the username and password and let the user sign in.
I realize this is likely way off. If someone can help me understand the logic from account creation -> token creation -> letting the user sign in, I'd greatly appreciate it. If someone knows about a tutorial walkthrough, that would be even better.
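The account creation -> token creation -> sign-in sequence asked about above, as an added server-side sketch that is not part of the original post: the credentials are sent once over TLS, the server stores only a salted slow hash, and it hands back a random bearer token that the app would keep in the Keychain and present on later requests. The in-memory dictionaries, the token lifetime and the function names are assumptions of this example, standing in for a real database and API.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# Constructed in-memory stores standing in for the server's database (assumption).
USERS = {}   # username -> (salt, password_hash)
TOKENS = {}  # bearer token -> (username, expiry as unix time)
TOKEN_TTL_SECONDS = 3600

def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted key derivation so a leaked database does not reveal passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)

def create_account(username: str, password: str) -> bool:
    """Account creation: keep a per-user random salt and the hash, never the password."""
    if username in USERS:
        return False
    salt = os.urandom(16)
    USERS[username] = (salt, _hash_password(password, salt))
    return True

def issue_token(username: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Sign-in: the app posts username/password once (over TLS) and receives a bearer token."""
    record = USERS.get(username)
    if record is None:
        return None
    salt, stored_hash = record
    # Constant-time comparison of the stored hash against the freshly computed one.
    if not hmac.compare_digest(stored_hash, _hash_password(password, salt)):
        return None
    token = secrets.token_urlsafe(32)  # unguessable, unrelated to the password
    current = time.time() if now is None else now
    TOKENS[token] = (username, current + TOKEN_TTL_SECONDS)
    return token

def authenticate_request(token: str, now: Optional[float] = None) -> Optional[str]:
    """Later requests carry only the token (e.g. Authorization: Bearer ...), not the password."""
    record = TOKENS.get(token)
    if record is None:
        return None
    username, expiry = record
    current = time.time() if now is None else now
    if current > expiry:
        del TOKENS[token]  # expired tokens are dropped; the user must sign in again
        return None
    return username
```

Because the password is only ever hashed on the server and the token is what the device stores, a stolen token can be revoked by deleting its entry without the user changing their password.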