Biometric Authentication

Overview

There are two ways to implement biometric authentication:

JavaScript SDK - For in-app verification at specific points
Biometric App Lock - Blocks entire app access until authenticated

Important: Biometric authentication is a security enhancement, not a replacement for proper backend authentication (Supabase, Xano, etc.). Think of it as an additional layer of security on top of your existing authentication system.

Method 1: Biometric App Lock (Recommended for Security)

The simplest and most secure method requires no code setup in WeWeb.

Setup Steps:

Open your Despia editor
Navigate to Add-ons
Enable Biometric App Lock
Rebuild your application

This completely blocks app access until the user verifies their biometric credentials or device passcode.

Method 2: JavaScript SDK Implementation

Use this method for specific in-app verification points (e.g., before sensitive actions).

Create Page Workflow

In WeWeb, go to your page settings (steering wheel icon)
Navigate to Trigger Page Workflows
Create a new workflow named Start Biometric Despia SDK

Add SDK Initialization

Add a Custom JavaScript action named "Attach Global Functions for Callback" with the following code:

// Attach Global Functions for Callback
if (!document.getElementById("bioauth-sdk")) {
    const script = document.createElement("script")
    script.id = "bioauth-sdk"
    script.type = "text/javascript"
    script.textContent = `
        function onBioAuthSuccess() {
            window.bioauthSuccess()
        }
        function onBioAuthFailure(errorCode, errorMessage) {
            window.bioauthFailure(errorCode, errorMessage)
        }
        function onBioAuthUnavailable() {
            window.bioauthUnavailable()
        }
    `
    document.head.appendChild(script)
}

Register Callback Functions

Add another Custom JavaScript action named "Register Window Callback Functions" to register the callback handlers:

// Register Window Callback Functions
const wwBiometricWorkflowID = "YOUR_WORKFLOW_ID" // Replace with your actual workflow ID

window.bioauthSuccess = function () {
    if (navigator.userAgent.includes("despia")) {
        wwLib.wwWorkflow.executeGlobal(wwBiometricWorkflowID, {
            "method": "success",
            "errorCode": null,
            "errorMessage": null
        })
    }
}

window.bioauthFailure = function (errorCode, errorMessage) {
    if (navigator.userAgent.includes("despia")) {
        wwLib.wwWorkflow.executeGlobal(wwBiometricWorkflowID, {
            "method": "failure",
            "errorCode": errorCode,
            "errorMessage": errorMessage
        })
    }
}

window.bioauthUnavailable = function () {
    if (navigator.userAgent.includes("despia")) {
        wwLib.wwWorkflow.executeGlobal(wwBiometricWorkflowID, {
            "method": "unavailable",
            "errorCode": null,
            "errorMessage": null
        })
    }
}

Create Callback Handler Workflow

In WeWeb's Logic panel, create a new Global Workflow
Name it Despia Biometric Callback Handler
Set it to run On Execution
Add the following parameters:

Parameter	Type	Example Value
`method`	String	"success"
`errorCode`	Number	200
`errorMessage`	Text	"All working fine"

Important: Copy this workflow's ID and replace YOUR_WORKFLOW_ID in Step 3

Handle Authentication Results

In your callback handler workflow, add a Multi-Option Split with three branches:

Success Branch

Condition: method equals "success"
Actions:
- Redirect to protected content
- Continue with sensitive action
- Refresh authentication token

Failure Branch

Condition: method equals "failure"
Actions:
- Show error alert: "Authentication failed"
- Log security event
- Optionally lock after multiple failures

Unavailable Branch

Condition: method equals "unavailable"
Actions:
- Provide fallback authentication method
- Show message: "Biometric authentication not available"
- Request password or PIN

Trigger Biometric Authentication

Create a button or workflow action to trigger biometric verification:

Add a button element to your page
Create a workflow on button click
Add a Custom JavaScript action named "Run Despia Biometric SDK":

// Run Despia Biometric SDK
window.despia = "bioauth://"

Complete Implementation Example

Page Workflow Structure

Start Biometric Despia SDK (On Page Load)
├── Attach Global Functions for Callback
└── Register Window Callback Functions

Global Workflow Structure

Despia Biometric Callback Handler
└── Multi-Option Split (based on method parameter)
    ├── Success → Execute success actions
    ├── Failure → Show error message
    └── Unavailable → Provide fallback

Use Cases

Secure Sections

Protect sensitive areas like customer data or financial information:

// On button click to access leads section
window.despia = "bioauth://"
// Success callback redirects to protected content

Confirm Critical Actions

Require biometric verification before:

Logging out
Making transfers
Deleting data
Posting content
Accessing personal information

Session Extension

Use successful biometric authentication to refresh user tokens:

// In success callback
// Call API to refresh token
// Extend session validity by 30 days

Platform Support

iOS

Full support for Face ID
Full support for Touch ID
Fallback to device passcode

Android

Biometric App Lock: Works on 99% of devices
JavaScript SDK: Limited support on some devices
Automatic fallback to device passcode

Security Considerations

Important Security Notes

Client-side protection only
- Prevents casual unauthorized access
- Tech-savvy users could bypass through browser console
- Not suitable as sole security measure
Backend security required
- Always implement proper server-side authentication
- Use this as an additional layer, not a replacement
- Validate all sensitive operations server-side
User agent verification
- The navigator.userAgent.includes("despia") check ensures code only runs in native app
- Prevents execution in web browsers
- Can be spoofed by determined attackers
Physical security focus
- Best for preventing unauthorized access to unlocked devices
- Protects against someone grabbing an unlocked phone
- Not protection against remote attacks

Testing Your Implementation

Test Scenarios

Successful Authentication
- User provides correct biometric
- Verify success callback executes
- Check that protected content becomes accessible
Failed Authentication
- User provides incorrect biometric
- Verify failure callback executes
- Confirm error message displays
Cancelled Authentication
- User cancels biometric prompt
- Should trigger failure callback
- Application should remain secure
Unavailable Biometric
- Test on device without biometric support
- Verify unavailable callback executes
- Check fallback method works

Testing Steps

Deploy your WeWeb application
Build in Despia editor
Install through TestFlight (iOS) or equivalent (Android)
Test each scenario above
Verify callbacks work correctly
Test on multiple device types

Troubleshooting

Common Issues and Solutions

Issue	Solution
Android devices not working	Use Biometric App Lock instead of JavaScript SDK
Workflow not triggering	Verify workflow ID is correct and set to "On Execution"
Functions undefined error	Ensure SDK initialization runs on page load
Callbacks not executing	Check user agent verification is working
Multiple prompts appearing	Ensure you're not calling `window.despia = "bioauth://"` multiple times

Summary

Biometric authentication with Despia adds a valuable security layer to your WeWeb mobile applications. While not a replacement for backend security, it significantly improves the user experience and provides protection against casual unauthorized access. Choose between the simple Biometric App Lock for maximum security or the flexible JavaScript SDK for targeted protection of specific features.

Remember: This is a security enhancement, not a security foundation. Always implement proper backend authentication and validation for all sensitive operations.