Authentication

Ask users to authenticate only in exchange for value, such as personalizing the experience, accessing additional features, purchasing content, or synchronizing data. If your app requires authentication, keep the sign-in process quick, easy, and unobtrusive, so it doesn’t detract from the enjoyment of your app.

Delay sign-in as long as possible. People often abandon apps when they are forced to sign in before doing anything useful. Give them a chance to fall in love with your app before making a commitment to it. In a shopping app, let people browse your merchandise immediately upon launch and require sign-in only when they're ready to make a purchase. In a media streaming app, let people explore your content and see what you have to offer before signing in to play something.

Explain the benefits of authentication and how to sign up for your service. If your app requires authentication, display a brief, friendly explanation on the login screen that describes the reasons for the requirement and its benefits. Also, remember that not everyone using your app has an account from the start. Make sure you explain how to get one, or provide a simple in-app way to sign up.

Minimize data entry by showing appropriate keyboards. When asking for an email address, for example, show the email keyboard screen, which includes helpful data entry shortcuts.

Never use the term passcode. A passcode is strictly for unlocking the user's iOS device.

For Apple Pay authentication design guidance, see Apple Pay.

Face ID and Touch ID

Whenever possible, support biometric authentication. Face ID and Touch ID are secure, familiar authentication methods that people trust. If a user has enabled biometric authentication, you can assume they understand how it works, appreciate its convenience, and prefer to use it whenever possible. Bear in mind that people may choose to disable biometric authentication on their device, so your app should be prepared to handle this scenario.

Present people with a single way to authenticate. It's most intuitive when people don't have to choose how to authenticate. Just give them a single option, like Face ID. Offer alternatives, like asking for a username and password, as fallbacks only if the initial method fails.

Initiate authentication only in response to user action. An explicit action, like tapping a button, ensures that the user wants to authenticate. In the case of Face ID, it also improves the likelihood the user is facing the camera.

Always identify the authentication method. A button for signing into your app using Face ID, for example, should be titled "Sign-In with Face ID" rather than "Sign-In".

Reference authentication methods accurately. Don't reference Touch ID on a device that supports Face ID. Conversely, don't reference Face ID on a device that supports Touch ID. Check the device's capabilities and use the appropriate terminology. For developer guidance, see LABiometryType.

In general, avoid offering a setting for opting into biometric authentication within your app. If biometric authentication is enabled at the system level, just assume the user wants to use it. If you implement an app-specific setting, the user may get into a state where biometric authentication appears to be enabled in your app, but it's really disabled systemwide.

Don't use custom icons to identify system authentication features. When people see icons that look like the system's Touch ID (thumbprint) and Face ID icons, they think they're supposed to authenticate. Custom variants of these icons create inconsistency and cause confusion, especially when colorized, displayed at a large size, and presented out of context—like as a button label or on an app's Settings screen.

For developer guidance, see Local Authentication.
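The guidance above (one method, named for the hardware present, started by a tap, with a password fallback) can be sketched with Local Authentication as follows. This is an added example, not Apple's sample code: `SignInOption`, `currentSignInOption`, `signInWithBiometrics`, the callbacks, and the Touch ID and fallback strings are hypothetical names chosen for illustration.

```swift
import LocalAuthentication

/// What the sign-in screen should offer (hypothetical type for this example).
enum SignInOption {
    case biometric(buttonTitle: String)
    case password          // biometrics unavailable or disabled: show the fallback only
}

/// Decide which single sign-in method to present, named for the hardware actually present.
func currentSignInOption() -> SignInOption {
    let context = LAContext()
    var error: NSError?
    // biometryType is only meaningful after canEvaluatePolicy has run.
    guard context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &error) else {
        // Covers no hardware, nothing enrolled, lockout, or biometrics disabled by the user.
        return .password
    }
    switch context.biometryType {
    case .faceID:  return .biometric(buttonTitle: "Sign-In with Face ID")
    case .touchID: return .biometric(buttonTitle: "Sign-In with Touch ID")
    default:       return .password   // .none or a type this app does not name
    }
}

/// Call from the button's tap handler only, never automatically on screen load.
func signInWithBiometrics(onSuccess: @escaping () -> Void,
                          onPasswordFallback: @escaping () -> Void) {
    let context = LAContext()
    context.localizedFallbackTitle = "Use Password"   // constructed label; avoids "passcode"
    context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                           localizedReason: "Sign in to your account") { success, error in
        DispatchQueue.main.async {   // the reply arrives on a private queue
            if success { onSuccess(); return }
            switch (error as? LAError)?.code {
            case .userCancel?, .appCancel?, .systemCancel?:
                break                 // user backed out: stay on the sign-in screen
            default:
                onPasswordFallback()  // failed, locked out, or user chose the fallback
            }
        }
    }
}
```

Face ID also requires an `NSFaceIDUsageDescription` entry in the app's Info.plist. The success flag here only gates the UI; a secret that must stay protected belongs in a keychain item guarded by biometric access control rather than behind this Boolean.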