How to store user credentials in a secure way?

I have implemented a login system where the user receives an authorisation token after logging in, which is then stored as an app variable. This system works well when it comes to keeping the user logged in whenever they enter the app unless they explicitly log out.

However, the user still needs to re-enter their email and password to log in after they have previously logged out. I was wondering whether it would be possible to store their credentials in the app in a secure way so that I can auto-complete the input fields in the login page. Another interesting function would be to let the user know that they’ve input their password correctly.

How could I do it?

You can store the token in local storage and have it expire after x amount of time on the API side.

Hey @Bas_24, I’m already doing that (except the expiration for now). What I want to do is have an auto-complete similar to how your browser stores your credentials to a website so when you reach the login page they are already entered for you.

Maybe create a “remember me” checkbox that will save the username and password to local storage? This will be just as insecure as saving a never expiring token.

I know it’s insecure to store the username and password locally, hence why I was wondering whether there was a more secure way to do so and which AppGyver also allows.

Why wouldn’t you auto login with the token saved locally again? Why do you want to show the login screen again? That seems an inferior user experience.

They are not mutually exclusive. I am already storing a token for the user so they can stay logged in until the token expires. However, when the user logs out (either manually or after the token has expired) they also wouldn’t need to type their credentials again in the login screen, because the fields would already be populated for them (if they tapped the “remember me” checkbox). The input fields could also show whether they typed their credentials correctly or not. I’ve seen a few apps work in this way, so either they aren’t storing the user credentials safely or there is a safe way to store them which I’m not yet aware of. Hopefully that’s clear?
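The pattern the replies converge on, as an added example that is not part of this thread or of AppGyver: keep the auth token in app storage with an expiry, and for "remember me" persist only the email for prefilling, never the password. The `storage` map, the key names and the expiry values are constructed stand-ins for local storage.

```javascript
// Added example: session token with expiry, plus a password-free "remember me".
// `storage` is a constructed stand-in for localStorage / AppGyver app storage.
const storage = new Map();

const SESSION_KEY = "session";        // assumed storage key names
const REMEMBER_KEY = "rememberedUser";

// Save the token together with an absolute expiry (ms since epoch).
function saveSession(token, expiresInSeconds, now = Date.now()) {
  const session = { token, expiresAt: now + expiresInSeconds * 1000 };
  storage.set(SESSION_KEY, JSON.stringify(session));
  return session;
}

// Return the stored token only while it is unexpired; otherwise clear it so a
// stale token is never reused. The API must still validate the token itself.
function restoreSession(now = Date.now()) {
  const raw = storage.get(SESSION_KEY);
  if (!raw) return null;
  let session;
  try {
    session = JSON.parse(raw);
  } catch {
    storage.delete(SESSION_KEY); // corrupted entry: treat as logged out
    return null;
  }
  if (typeof session.expiresAt !== "number" || now >= session.expiresAt) {
    storage.delete(SESSION_KEY);
    return null;
  }
  return session.token;
}

// Log out: drop the token but keep the remembered email for autocomplete.
function logout() {
  storage.delete(SESSION_KEY);
}

// "Remember me": store only the email used to prefill the login form.
// The password is deliberately never written to storage.
function rememberUser(email, remember) {
  if (remember) storage.set(REMEMBER_KEY, email);
  else storage.delete(REMEMBER_KEY);
}

// Values to prefill on the login page: remembered email, password always empty.
function loginPrefill() {
  return { email: storage.get(REMEMBER_KEY) ?? "", password: "" };
}
```

Whether the typed password is correct can only be confirmed by the API on login, so the client checks the token's expiry and prefills the email, nothing more.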

Here is a great series of videos explaining authTokens and authentless sign in.