Mobile App Authentication

Mobile App authentication

Keyri enables true passwordless authentication in mobile apps using cryptographic credentials, which are embedded into your users' devices by the Keyri mobile SDKs, and, optionally, phone biometrics or PIN. It is a simple and secure way to authenticate users in your mobile app without the need for memorizing passwords or typing unreliable SMS OTP codes and can be used for primary, secondary, and continuous authentication in the background. When used in conjunction with biometrics, it constitutes MFA in that it presents evidence of what the user has (the device containing their cryptographic credentials) and what the user is (their biometrics).

How it Works: User + Mobile Device Signatures

Keyri's mobile SDKs include ECDSA (opens in a new tab) methods that allow you to tie an individual account to a specific device. These methods associate a signing key pair to an account.

The public key should be saved in your user credentials database. The private key is persistent on and non-extractable from the device on which it was generated. It is used to generate cryptographic signatures for a given account that can then be validated by your backend application using the user's public key.


let keyri = KeyriInterface(appKey: appKey, publicApiKey: publicApiKey, serviceEncryptionKey: serviceEncryptionKey)
func login(username: String) async throws { let loginObject =
    keyri.login(publicUserId: username)
    authService.login(urlSuffix: "api/login", body: loginObject)
func register(username: String) async throws { let registerObject =
    keyri.register(publicUserId: username)
    authService.register(urlSuffix: "api/register", body: registerObject)
func makeAuthApiCall(urlSuffix: String, body: [String: Any]) {
    guard let url = URL(string: BASE_URL + urlSuffix) else {
        print("Can't parse request URL:\(urlString)")
    var request = URLRequest(url: url)
    request.httpMethod = "POST"
    request.httpBody = body
    URLSession.shared.dataTask(with: request) { data, response, error in
        // Process result

Backend Setup

Configure an API endpoint to receive the data returned by the SDK register and login methods from your app. For the data returned by register, you should store the public key in your user credentials database. For the data returned by login, you should verify the signature using the public key associated with the user's account.

The backend setup for passwordless authentication in your mobile app is the same as that for server-side QR login. See documentation here for a Node.js example.