Authentication

Ask users to authenticate only in exchange for value, such as personalizing the experience, accessing additional features, purchasing content, or synchronizing data. If your app requires authentication, keep the sign-in process quick, easy, and unobtrusive, so it doesn’t detract from the enjoyment of your app.

Delay sign-in as long as possible. People often abandon apps when they're forced to sign in before doing anything useful. Give them a chance to fall in love with your app before making a commitment to it. In a shopping app, let people browse your merchandise immediately upon launch, and require sign-in only when they're ready to make a purchase. In a media-streaming app, let people explore your content and see what you have to offer before signing in to play something.

Explain the benefits of authentication and how to sign up for your service. If your app requires authentication, display a brief, friendly explanation on the login screen that describes the reasons for the requirement and its benefits. Also, remember that not everyone using your app has an account from the start. Make sure you explain how to get one, or provide a simple in-app way to sign up.

Minimize data entry by showing appropriate keyboards. When asking for an email address, for example, show the email keyboard screen, which includes helpful data entry shortcuts.

Never use the term passcode. A passcode is used for unlocking the user's iOS device and authenticating with Apple Pay when biometric authentication is disabled.

For Apple Pay authentication design guidance, see Apple Pay.

Face ID and Touch ID

Whenever possible, support biometric authentication. Face ID and Touch ID are secure, familiar authentication methods that people trust. If a user has enabled biometric authentication, you can assume they understand how it works, appreciate its convenience, and prefer to use it whenever possible. Bear in mind that people may choose to disable biometric authentication on their device, so your app should be prepared to handle this scenario.

Present people with a single way to authenticate. It's most intuitive when people don't have to choose how to authenticate. Just give them a single option, like Face ID. Offer alternatives, like asking for a username and password, as fallbacks only if the initial method fails.

Initiate authentication only in response to user action. An explicit action, like tapping a button, ensures that the user wants to authenticate. In the case of Face ID, it also increases the likelihood that the user is facing the camera.

Always identify the authentication method. A button for signing in to your app using Face ID, for example, should be titled "Sign In with Face ID" rather than "Sign In."

Reference authentication methods accurately. Don't reference Touch ID on a device that supports Face ID. Conversely, don't reference Face ID on a device that supports Touch ID. Check the device's capabilities and use the appropriate terminology. For developer guidance, see LABiometryType.
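One way to apply the guidance above with the LocalAuthentication framework, as an added example that is not Apple's sample code: the button title names the method the device supports, authentication starts only from the button's action, and a password form is the fallback. `SignInResult`, `biometricSignInTitle`, `signInButtonTapped`, and the reason string are hypothetical names chosen for this sketch.

```swift
import LocalAuthentication

/// Outcome the sign-in screen acts on (hypothetical type for this example).
enum SignInResult {
    case authenticated
    case usePasswordFallback   // biometrics unavailable, failed, or user chose fallback
    case cancelled
}

/// Button title naming the method this device supports, or nil when
/// biometrics can't be used and the UI should show the password form.
func biometricSignInTitle(context: LAContext = LAContext()) -> String? {
    var error: NSError?
    // biometryType is only meaningful after canEvaluatePolicy has been called.
    guard context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                                    error: &error) else {
        return nil   // disabled, not enrolled, or locked out at the system level
    }
    switch context.biometryType {
    case .faceID:  return "Sign In with Face ID"
    case .touchID: return "Sign In with Touch ID"
    default:       return nil   // .none, or a type this example doesn't name
    }
}

/// Call only from the sign-in button's action, never automatically at launch.
func signInButtonTapped(completion: @escaping (SignInResult) -> Void) {
    let context = LAContext()
    guard biometricSignInTitle(context: context) != nil else {
        completion(.usePasswordFallback)
        return
    }
    context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                           localizedReason: "Sign in to your account") { success, error in
        let result: SignInResult
        if success {
            result = .authenticated
        } else {
            switch (error as? LAError)?.code {
            case .userCancel?, .systemCancel?, .appCancel?: result = .cancelled
            default: result = .usePasswordFallback   // failed, lockout, user fallback
            }
        }
        // The reply block runs on a private queue; hop to main before touching UI.
        DispatchQueue.main.async { completion(result) }
    }
}
```

Face ID also requires an `NSFaceIDUsageDescription` entry in the app's Info.plist.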

In general, avoid offering a setting for opting in to biometric authentication within your app. If biometric authentication is enabled at the system level, just assume the user wants to use it. If you implement an app-specific setting, the user may get into a state where biometric authentication appears to be enabled in your app when it's really disabled systemwide.

Don't use icons to identify system authentication features. When people see icons that look like the system's Touch ID (thumbprint) and Face ID icons, they think they're supposed to authenticate. Using icons to identify authentication features creates inconsistency and causes confusion, especially when the icons are colorized, displayed at a large size, and presented out of context.

For developer guidance, see Local Authentication.