79670952

Date: 2025-06-18 16:00:03
Score: 1

The only secure way I found is storing a refresh token (a long-lived token) in encrypted format instead of the password, which will then be passed to the server on successful biometric authentication and return an access token. Note: You also need to handle the case where the refresh token itself expires, in which case the user will need to log in with his credentials again.

Reasons:
  • No code block (0.5):
  • Low reputation (0.5):
Posted by: Shubham
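
The flow described in the answer above, as an added Python sketch that is not part of the original post: a biometric match releases the stored refresh token, the server exchanges it for an access token, and an expired refresh token forces a credential login. `AuthServer`, `Device`, the constructed password check and `secure_store` (standing in for an encrypted, biometric-gated Keystore/Keychain entry) are all hypothetical names and assumptions.

```python
import hashlib, secrets, time

class RefreshExpired(Exception):
    """Server rejected the refresh token; a credential login is required."""

class AuthServer:
    """Hypothetical server: stores only a hash of each refresh token and its expiry."""
    def __init__(self, refresh_ttl, clock=time.time):
        self.refresh_ttl, self.clock, self.tokens = refresh_ttl, clock, {}

    def login(self, user, password):
        if password != "correct-password":  # constructed credential check
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self.tokens[self._h(token)] = (user, self.clock() + self.refresh_ttl)
        return token  # long-lived refresh token, shown to the client once

    def exchange(self, refresh_token):
        key = self._h(refresh_token)
        entry = self.tokens.get(key)
        if entry is None or self.clock() >= entry[1]:
            self.tokens.pop(key, None)  # forget expired tokens
            raise RefreshExpired()
        return secrets.token_urlsafe(16)  # short-lived access token

    @staticmethod
    def _h(token):
        return hashlib.sha256(token.encode()).hexdigest()

class Device:
    """Client side; secure_store models the encrypted on-device slot (assumption)."""
    def __init__(self, server):
        self.server, self.secure_store = server, None

    def enroll(self, user, password):
        # The password is used once and never stored; only the refresh token is kept.
        self.secure_store = self.server.login(user, password)

    def biometric_login(self, biometric_ok):
        if not biometric_ok:
            return ("denied", None)  # token never leaves the store
        if self.secure_store is None:
            return ("credentials_required", None)
        try:
            return ("ok", self.server.exchange(self.secure_store))
        except RefreshExpired:
            self.secure_store = None  # drop the dead token, show the login form
            return ("credentials_required", None)
```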