Biometric Authentication
// Definition
Logging in via fingerprint, face, or iris instead of a password — Touch ID / Face ID on iOS, BiometricPrompt on Android. The app delegates to the OS, which returns success/failure without exposing the biometric data. QA tests the fallbacks as much as the happy path: what happens on no-match, no enrolled biometric, hardware unavailable, or lockout after repeated failures.
// Why it matters
Biometric auth gates account access, so its failure modes are security-critical: a fallback that's weaker than the biometric (or skips straight in on failure) is a vulnerability. QA matters because the failure paths — lockout, fallback to PIN, unenrolled device — are where the bugs and the security holes live, and they're easy to skip because the happy path "just works" on the tester's enrolled device.
// How to test
// Simulate biometric outcomes from the emulator/simulator (no real finger needed)
// Android emulator: adb emu finger touch <id>  (or the Appium UiAutomator2 command mobile: fingerprint)
// iOS Simulator: Features > Face ID / Touch ID > Enrolled, then Matching Face / Non-matching Face
// Appium XCUITest driver via WebdriverIO + chai (simulator only); type is 'touchId' or 'faceId'
await driver.execute('mobile: enrollBiometric', { isEnabled: true }) // enrol first, or the prompt never appears
await driver.execute('mobile: sendBiometricMatch', { type: 'touchId', match: true })
expect(await driver.$('~dashboard').isDisplayed()).to.be.true
// no-match → must fall back to PIN, not bypass auth
await driver.execute('mobile: sendBiometricMatch', { type: 'touchId', match: false })
expect(await driver.$('~pin-fallback').isDisplayed()).to.be.true
// Common mistakes
- Testing match only, skipping no-match, lockout, and unenrolled-device paths
- A fallback that's weaker than the biometric (defeats the point)
- Not handling "hardware unavailable" (older devices / no sensor)
// Related terms
Authentication
The process of verifying who a caller is. Common schemes: API key, Bearer token, OAuth 2.0, mutual TLS. Distinct from authorisation, which decides what they're allowed to do.
Multi-Factor Authentication (MFA)
An authentication mechanism that requires at least two independent verification factors: something you know (password), something you have (TOTP app, hardware key), or something you are (biometric). MFA sharply reduces the risk from credential stuffing and, when the second factor is phishing-resistant (a FIDO2 hardware key rather than a one-time code that can be relayed in real time), from phishing. QA considerations include: testing fallback flows when a second factor is unavailable, recovery code handling, bypass scenarios via account recovery that skips MFA, and verifying MFA is checked on every protected action, not just at initial login.
Native App
A mobile application built with platform-specific languages and SDKs, Swift or Objective-C for iOS, Kotlin or Java for Android. Native apps have full access to device hardware (camera, NFC, biometrics, GPS), run with the best performance characteristics, and follow each platform's UI conventions. For testers, native apps require platform-specific automation frameworks: XCUITest for iOS or Espresso for Android for in-process UI tests (with XCTest and JUnit at the unit layer), and Appium's UIAutomator2/XCUITest drivers for black-box end-to-end tests. Native apps are the gold standard for user experience but the most expensive to build and test across both platforms.