ECS5 User Authentication with Offline Capabilities and Session Management - ISIS3510-MOBILE-T34/T34-Wiki-SpendiQ GitHub Wiki
| Attribute | Details |
|---|---|
| Title/ID | F5 - User Authentication with Offline Capabilities and Session Management |
| Event Description | When the user is offline and attempts to sign in or register, ensuring that authentication processes are handled securely and correctly without internet connectivity. This includes scenarios where the user needs to log in using their username and password or biometric authentication after not using the app for more than seven days. |
| System Response | - Authentication Process: - Offline Login Within 7 Days: - If the user has previously logged in within the last seven days, the app allows authentication using stored credentials (username and password) or biometric authentication (e.g., fingerprint or facial recognition) validated locally. - Grants access to all functionalities without requiring an internet connection. - Offline Login After 7 Days: - If more than seven days have passed since the last login, the app deletes stored login data from the device's secondary storage for security reasons. - Prompts the user to log in again using their username and password, requiring internet connectivity to validate credentials with the server. - Notifies the user that an internet connection is required to authenticate. - New User Registration: - Registration requires two-factor authentication involving an email confirmation code. - Informs the user that internet connectivity is necessary to complete the registration process. - Session Management: - Each time the app is opened, it checks the date of the user's last session stored locally. - If the last session exceeds seven days, the app clears stored login credentials and session data. - Ensures only one user's information is stored locally to prevent unauthorized access when offline. - Data Synchronization: - Attempts to synchronize the user's last session date with the Firebase Firestore database each time the app is brought to the foreground, regardless of login status. - If there is no internet connection, synchronization is deferred and retried upon restoration of connectivity. - User Notification: - Provides clear messaging to the user about the need for an internet connection to authenticate or register, especially when offline and unable to proceed. |
| Possible Antipatterns | - Silent Authentication Failures: - Not clearly informing the user why they cannot log in when offline and their session has expired could lead to confusion and frustration. - Security Risks: - Improper handling or insecure storage of login credentials locally may pose significant security threats. - Data Synchronization Issues: - Failing to synchronize session data promptly can result in outdated analytics, affecting the development team's ability to assess app usage and engage users effectively. - User Frustration: - Strict authentication requirements without providing offline alternatives may frustrate users who expect access to their data regardless of connectivity. |
| Caching and Retrieving Strategy | - Caching: - Authentication Data: - Store encrypted username and password in the device's secure storage (e.g., Keychain for iOS, Keystore for Android) for up to seven days. - Session Data: - Keep only one user's session data locally to prevent unauthorized access by multiple users when offline. - Retrieving: - Upon app launch, retrieve local authentication credentials and last session date. - Check if the last session is within the seven-day window: - If within seven days: Allow local authentication without internet. - If beyond seven days: Prompt the user to log in online; if offline, notify them that internet connectivity is required. - Synchronization: - Attempt to synchronize the last session date with Firebase Firestore every time the app is opened or brought to the foreground. - If offline, schedule synchronization to occur immediately upon restoration of internet connectivity. |
| Storage Type | - Local Storage: - Secure Storage: - Utilize the device's secure storage mechanisms to encrypt and store sensitive authentication data and last session date. - Remote Storage: - Firebase Firestore Database: - Store user profiles, last session dates, and authentication logs for server-side validation and analytics. |
| Stored Data Type | - Authentication Data: - Username and Password: Encrypted credentials for local validation within the seven-day offline window. - Biometric Data: Biometric authentication tokens managed by the device's operating system; the app accesses these tokens securely without storing raw biometric data. - Session Data: - Last Session Date: Timestamp of the user's last successful login, stored both locally and remotely for session management and analytics. - Analytics Data: - User Engagement Metrics: Last session dates and login frequencies stored in Firebase to help the development team assess app usage and plan marketing strategies. |
Justification:
Implementing robust user authentication with offline capabilities is fundamental to ensuring both the security and accessibility of SpendiQ’s core functionalities. Users expect to access their personal financial data seamlessly, whether they are connected to the internet or not. By allowing offline authentication within a seven-day window using securely stored credentials or biometric methods, the app enhances user convenience and reliability. This feature is crucial for maintaining uninterrupted access to essential features, thereby improving overall user satisfaction and trust in the app.
From a business perspective, enforcing strict authentication protocols aligns with the need to protect sensitive financial information, adhering to best security practices. The session management strategy, which includes automatic clearance of credentials after seven days, balances user convenience with security, mitigating risks associated with unauthorized access if a device is lost or compromised. Additionally, synchronizing session data with Firebase ensures accurate analytics for understanding user engagement and optimizing marketing strategies. This comprehensive approach not only supports the app’s operational integrity but also contributes to informed business decisions, enhancing SpendiQ’s ability to cater effectively to its user base.