Implicit user authentication

Implicit user authentication is a way to authenticate the user without any user interaction. Device credentials are used to authenticate. It's more convenient since it does not require from user any authentication like PIN or biometric. Because there is no explicit authentication done by the user, it is also less secure.


Only one user can be authenticated implicitly at the same time. The implicit user session is separated from the regular user session. This way one use might be authenticated with PIN and at the same time another user (or the same one) might be authenticated implicitly. A user must be registered before he/she can be authenticated implicitly.


Implicit user authentication is done using the -[ONGUserClient implicitlyAuthenticateUser:scopes:completion:] method. It requires the following arguments:

  • userProfile - the profile you want to authenticate implicitly
  • scopes - array of scopes
  • completion - block that will be called at implicit authentication completion. The completion block will be executed with success or with an error from the ONGGenericErrorDomain domain.

Example implementation:

[[ONGUserClient sharedInstance] implicitlyAuthenticateUser:userProfile
                                                completion:^(BOOL success, NSError *_Nullable error) {
        if (success)
          // Update UI, fetch implicit resource
        } else {
          // Handle errors from ONGGenericErrorDomain error domain
          if (error.code == ONGGenericErrorUserDeregistered) {
             // Handle user deregister error
          } else if (error.code == ONGGenericErrorDeviceDeregistered) {
             // Handle device deregisterd error

Once the user is authenticated implicitly he will be able to fetch resource implicitly. Fetching a resource is done using the `-[ONGUserClient fetchImplicitResource:completion:] method. You can find the documentation on how to use this method in the Secure resource access guide.