Implementing Biometric Fallback Authentication in Flutter

Introduction

Biometric authentication (fingerprint, Face ID) improves security and user experience in mobile development. However, devices vary, sensors fail, and not every user will enroll biometrics. Implementing a robust fallback—typically a PIN or passcode protected by secure storage—ensures access continuity without sacrificing security. This article shows a practical Flutter pattern: attempt biometric auth, then fall back to a secure PIN, handle edge cases, and keep secrets safe.

Why Biometric Fallback Matters

Biometrics are convenient but brittle: enrollment may be absent, template changes can invalidate authentication, or platform policies may lock biometric prompts after failures. A fallback maintains usability while preserving an assurance level. For sensitive flows (wallets, financial apps, password managers), require a PIN stored hashed in secure storage and enforced with rate limits and device passcode checks where possible.

Designing The Authentication Flow

A clear flow reduces attack surface:

• Check if biometrics are available and enrolled (canCheckBiometrics and getAvailableBiometrics).

• Prompt biometric auth. On success, proceed.

• On failure or unavailability, display a PIN entry UI.

• Verify the PIN against a securely stored hashed value. Allow limited retries and optionally require re-authentication after too many failures.

• If no PIN exists (first run), require onboarding to set a PIN with confirmation.

Keep authentication state ephemeral in memory. Never persist plaintext credentials. Consider device security (screen lock requirement) and platform-specific protections like Android's KeyStore and iOS Secure Enclave.

Implementing Biometric With LocalAuth

Use the local_auth package for both platforms. Add the package and follow platform setup: update AndroidManifest (USE_BIOMETRIC & keyguard requirements) and Info.plist (NSFaceIDUsageDescription). A concise authentication wrapper simplifies usage across the app.

import 'package:local_auth/local_auth.dart';

final _auth = LocalAuthentication();

Future<bool> tryBiometric() async {
  final canCheck = await _auth.canCheckBiometrics;
  if (!canCheck) return false;
  try {
    return await _auth.authenticate(
      localizedReason: 'Authenticate to continue',
      biometricOnly: true,
    );
  } catch (_) {
    return false;
  }
}

This function returns true on successful biometric authentication, false otherwise. Keep error handling specific in production (Distinguish permanently locked biometric state vs. temporary failures).

Secure Fallback With PIN And Secure Storage

For the fallback, combine flutter_secure_storage (or platform-backed keystore APIs) with a hashed PIN using a slow hash (PBKDF2) or a well-reviewed package. Store only the salted hash and compare with the newly derived hash on input. Limit retry attempts and implement timeouts to make brute force expensive.

import 'package:flutter_secure_storage/flutter_secure_storage.dart';
import 'dart:convert';
import 'package:crypto/crypto.dart';

final _store = FlutterSecureStorage();

Future<bool> verifyPin(String pin) async {
  final stored = await _store.read(key: 'pin_hash');
  if (stored == null) return false;
  final hash = base64.encode(pbkdf2(utf8.encode(pin), utf8.encode('salt'), 10000, 32));
  return stored == hash;
}

Note: The pbkdf2 function and a proper random salt per user must be implemented; this example is schematic. Use a library to generate salts and perform key derivation. Store the salt alongside the hash in secure storage.

User Experience And Edge Cases

• Enrollment Changes: If biometric enrollment changes, local_auth may return an error. Treat this as a fallback-triggering condition and prompt the user to authenticate with PIN and optionally re-enroll.

• Device Compromise: If device integrity is suspected, require re-authentication via server-backed credentials or out-of-band verification.

• Syncing Credentials: Never sync PINs. If you need cross-device access, authenticate seeds or session tokens with server-side verification and let server enforce multi-factor rules.

• Accessibility: Provide clear alternatives and explain why fallback is needed. Respect OS settings for biometrics and privacy texts.

Testing and Hardening

Test on multiple devices and OS versions. Simulate sensor failures, enrollment revocation, and background/foreground transitions. Log authentication failures securely for analytics without storing sensitive inputs. Enforce CSP and app transport security for any remote verification.

Vibe Studio

Vibe Studio, powered by Steve’s advanced AI agents, is a revolutionary no-code, conversational platform that empowers users to quickly and efficiently create full-stack Flutter applications integrated seamlessly with Firebase backend services. Ideal for solo founders, startups, and agile engineering teams, Vibe Studio allows users to visually manage and deploy Flutter apps, greatly accelerating the development process. The intuitive conversational interface simplifies complex development tasks, making app creation accessible even for non-coders.

Conclusion

Implementing biometric fallback in Flutter balances security and usability. Use local_auth to attempt biometrics, then a secure, hashed PIN stored in platform-backed secure storage. Handle enrollment changes and failure modes gracefully, limit retries, and avoid persisting plaintext secrets. With these practices, you achieve a resilient authentication experience for mobile development in Flutter.