
Auth & Users

How Much Does Biometric Authentication (Face ID, Touch ID) Cost to Add?

Adding biometric authentication (Face ID, Touch ID) to a mobile app costs roughly $1,000–$2,000 AUD. It speeds up re-authentication without compromising security.

Adds approximately $1,000–$2,000 · 4–8 hours · Australian dev rates

What is biometric authentication?

Biometric authentication lets users verify their identity using Face ID or Touch ID instead of typing a password. On iOS, this uses Apple's LocalAuthentication framework; on Android, the BiometricPrompt API. The device's secure enclave handles the biometric match entirely on-device — no facial data or fingerprint is ever sent to your server.

Importantly, biometrics are almost always used for re-authentication, not primary login. A user still registers and first logs in with an email/password or social login. On subsequent opens — especially after a short idle period — they can re-authenticate quickly with a biometric scan. This is the same pattern used by banking apps, superannuation portals, and healthcare tools.

This is a mobile-only feature. It applies to iOS and Android native apps and React Native apps. It is not relevant for web browsers (though WebAuthn can achieve something similar on the web).

When does your app need it?

  • Your app handles sensitive data (financial, medical, HR) that should be locked when the app is backgrounded
  • Users open the app frequently throughout the day and password entry creates friction — field service, logistics, and healthcare apps benefit greatly
  • You want to offer a faster login experience on return visits without reducing security
  • Your app handles payments or approvals that require step-up authentication before a sensitive action
  • You're building for a regulated sector where re-authentication after idle periods is a compliance expectation
  • You want to match the experience users expect from banking and fintech apps on their device

How much does it cost?

Adding biometric authentication typically adds 4–8 hours of development — roughly $1,000–$2,000 AUD.

At the lower end: implementing biometric re-authentication using expo-local-authentication (React Native/Expo). The user enables it in settings, a biometric-protected token is stored in the device keychain, and subsequent app opens trigger a biometric prompt to unlock that token and restore the session.

At the higher end: custom native modules for more granular control, step-up authentication for specific in-app actions (e.g., approving a payment), graceful fallback to PIN or password when biometrics fail or are unavailable, and handling edge cases across a wide range of devices.

How it's typically built

On React Native with Expo, expo-local-authentication provides a cross-platform API for Face ID, Touch ID, and Android biometrics. The implementation stores a session token (or encryption key) in the device's secure keychain using expo-secure-store — protected at the OS level so it can only be accessed after a successful biometric authentication.

On iOS natively, the LAContext class from LocalAuthentication.framework is used. On Android natively, BiometricPrompt from AndroidX handles fingerprint and face unlock.

The flow: on first login, a session token is stored in the secure keychain with biometric protection. On subsequent opens, a biometric prompt is shown; success returns the token and restores the session without a network call. If biometrics fail after the allowed attempts (typically 3), the app falls back to password entry.

No biometric data touches your server. The match happens inside the device's Secure Enclave (iOS) or Trusted Execution Environment (Android). Your server only sees the same session token it issued at login.
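The store-then-unlock flow described above, as an added sketch that is not code from this page or from Expo. The two Expo modules are passed in as parameters so the logic can be exercised outside a device; TOKEN_KEY, the prompt text and the returned result shapes are assumptions.

```javascript
// Added example. In an Expo app, pass the real modules:
//   import * as LocalAuthentication from 'expo-local-authentication';
//   import * as SecureStore from 'expo-secure-store';
// TOKEN_KEY and the result object shapes are assumptions of this sketch.
const TOKEN_KEY = 'session_token';

function createBiometricSession({ LocalAuthentication, SecureStore }) {
  // requireAuthentication makes the OS demand a biometric match on every read.
  const options = { requireAuthentication: true, authenticationPrompt: 'Unlock your session' };

  async function biometricsUsable() {
    return (await LocalAuthentication.hasHardwareAsync()) &&
           (await LocalAuthentication.isEnrolledAsync());
  }

  return {
    // Call after a successful password/social login, when the user opts in.
    async enable(sessionToken) {
      if (!(await biometricsUsable())) return { enabled: false, reason: 'unavailable' };
      await SecureStore.setItemAsync(TOKEN_KEY, sessionToken, options);
      return { enabled: true };
    },

    // Call on app open. Every failure routes to password entry, never to a bypass.
    async unlock() {
      if (!(await biometricsUsable())) return { ok: false, fallback: 'password' };
      try {
        // This read triggers the biometric prompt; no network call is made.
        const token = await SecureStore.getItemAsync(TOKEN_KEY, options);
        // null means nothing is stored (never enabled, or removed on logout).
        if (!token) return { ok: false, fallback: 'password' };
        return { ok: true, token };
      } catch (err) {
        // Cancelled prompt, failed match or unreadable item: the token stays sealed.
        return { ok: false, fallback: 'password' };
      }
    },

    // Call on logout or when the user turns the feature off in settings.
    async disable() {
      await SecureStore.deleteItemAsync(TOKEN_KEY);
    },
  };
}
```

The server should still treat the restored token like any other session token (expiry, revocation), since the biometric check only gates local access to it.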

Questions to ask your developer

  • Is this re-auth or primary auth? Biometrics should complement existing auth, not replace it — a password fallback must always exist.
  • Where is the session token stored? It should live in the device keychain with biometric protection, not in AsyncStorage or similar unprotected storage.
  • What's the fallback when biometrics are unavailable or fail? Users with Face ID disabled, or who fail the biometric check, need a clear path back to password entry.
  • Is biometric auth offered as opt-in? Users should be able to enable it in settings and disable it if they prefer not to use it.
  • Does it handle step-up auth for sensitive actions? Triggering a biometric prompt before approving a payment or accessing sensitive records is a meaningful security improvement worth discussing.
