My app already has an app lock system which includes text & biometric combinations. Now iOS 18 has introduced a passcode lock for every app. So if users want to enable the app lock provided by us (developer), we want to inform them that you have enabled the iOS-provided app lock, in addition to that do you want to allow app-specific lock? For this, developers want to know whether iOS-provided app lock is enabled. -Rajdurai

Hi, Is there some reference documentation about the properties of a CryptoKit SecureEnclave PrivateKey and its properties? Concretely, these are some of the questions that I wanted to find a (documented) answer on: Who can use a SecureEnclave.P256.*.PrivateKey if they have access to the dataRepresentation? I expect that the private key is bound to the specific secure enclave processor, but it also seems to be bound for the user that created the key (from observation by creating a PrivateKey without any access control). What if there's a restore from backup of the machine, will the private key still be usable? What does a SecureEnclave.P256.*.PrivateKey's dataRepresentation include? From observation, I'm assuming the dataRepresentation is a signed/encrypted blob that includes a unique ID (no 2 keys are the same), the access control settings (biometry required, passcode required, ...), some sort of version of the biometry (so it is be invalidated when the biometry changes). Is there anything else? I'm not interested in the actual encoding (which I understand is undocumented), but want to get an idea of what properties are included in the representation and e.g. can't change in the future. Answers to these questions could e.g. help make a decision how secure the private key's dataRepresentation needs to be kept (e.g. if it can only be used by myself, and i'm sure it will only ever be valid with the access control flags its representation contains, I could decide it's ok to have this key be in a public place) I tried looking for answers in some pieces of documentation, but couldn't immediately find the details I was looking for: The CryptoKit SecureEnclave documentation The Secure Enclave article The Protecting keys with the Secure Enclave article thanks! Remko

My background audio app stops updating its Live Activity after the iPhone locks, and doesn't resume updating the activity after tapping the screen or even after FaceID unlocks the device (without opening the lock screen). My live activity requests a ContentState update & iOS updates the content for the activity as below: Task{ log.debug("LiveActivityManager.updateLiveActivity() with new ContentState") await liveActivity.update( ActivityContent(state:contentState, staleDate:nil) ) } Below what my log looks like: <<<<SWIPE LOCK SCREEN DOWN>>>> DEBUG: LiveActivityManager.updateLiveActivity() with new ContentState iOS: Updating content for activity 0A519263-1E46-4BB6-BA4F-F3DDBC081AB4 DEBUG: LiveActivityManager.updateLiveActivity() with new ContentState iOS: Updating content for activity 0A519263-1E46-4BB6-BA4F-F3DDBC081AB4 <<<<PRESS LOCK BUTTON->Lock iPhone>>>> INFO: --------protectedDataWillBecomeUnavailableNotification-------- DEBUG: LiveActivityManager.updateLiveActivity() with new ContentState iOS: Updating content for activity 0A519263-1E46-4BB6-BA4F-F3DDBC081AB4 DEBUG: LiveActivityManager.updateLiveActivity() with new ContentState DEBUG: LiveActivityManager.updateLiveActivity() with new ContentState DEBUG: LiveActivityManager.updateLiveActivity() with new ContentState <<<<LOOK AT & TAP LOCK SCREEN->Unlock iPhone without swiping up>>>> INFO: --------protectedDataDidBecomeAvailableNotification----------- DEBUG: LiveActivityManager.updateLiveActivity() with new ContentState DEBUG: LiveActivityManager.updateLiveActivity() with new ContentState DEBUG: LiveActivityManager.updateLiveActivity() with new ContentState As shown in the log, normally iOS updates the content for my activity after my liveActivity.update request. This works fine in the Dynamic Island and when after switching apps and swiping down to see the lock screen without locking the phone. However, once I lock the phone, iOS stops updating the Live Activity content, and doesn't resume updates until after the app regains the foreground at least once. Has anyone else encountered this behavior? Is this a setting that I'm missing, or a bug?

I've implemented Face ID in my app to authenticate after the user is authenticated, so they don't have to sign in again to log into their account. However, it asks me to enter my iPhone's passcode instead of scanning my face. Is there any way to fix this? Is there something I have to add?

Please sir, my Iphone XS battery drains quickly and my phone overheats and also has lagging problem, please give the solution.

Is the method used to unlock an iOS device available to an app? We would like to require a step-up to MFA (in our app) if passcode was used and allow for single factor if Face ID was used.

Does Apple allow extensions to Face ID? I have a problem with the way it often reacts. I also have a simple solution. But does Apple allow extensions to Face ID?

Trying to develop a feature that can help verify a person's identity is matched with their Apple account. For example: I want to use my Apple device to scan some other people's faces using Apple facial ID to confirm the people who face me in real life are matched with the Apple account holders who talk to me online. Here asking if it is possible on a firmware or code level? as well as if is it against the TOS?

I am new to iOS development, and recently I was trying to build an application, which will create a key inside the secure element, and after - I will sing something with it. While developing I've encountered an issue: the key generation fails if there is a flag .biometryAny or .biometryCurrentSet The authentication itself is triggered, but the function still throws a mistake. My setup - Xcode iPhone15 simulator, FaceID enrolled and the animation of it is working. Ive created the same post on overflow, in case somebody will have the same issues: https://stackoverflow.com/questions/78175858/secure-enclave-key-generation-failure I've tried deleting the flag, while keeping the manual authorisation, and this approach works, but I still would like have maximum security. THIS WORKS: func authenticateUser(completion: @escaping (Bool, Error?) -> Void) { let context = LAContext() var error: NSError? if context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &error) { let reason = "Biometric authentication is needed to access your secure data." context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, localizedReason: reason) { success, authenticationError in DispatchQueue.main.async { completion(success, authenticationError) } } } else { // Biometry is not available or not enrolled. DispatchQueue.main.async { completion(false, error) } } } @objc func encryptAction() { authenticateUser { [weak self] (success, error) in guard success else { self?.outputLabel.text = "Authentication failed: \(error?.localizedDescription ?? "Unknown error")" return } guard let randomNumber = self?.inputTextField.text, !randomNumber.isEmpty, let dataToSign = randomNumber.data(using: .utf8), let privateKey = self?.generatePrivateKey() else { self?.outputLabel.text = "Error: Could not generate private key." return } if let signature = self?.signData(privateKey: privateKey, data: dataToSign) { self?.outputLabel.text = "Signature: \(signature.base64EncodedString())" } else { self?.outputLabel.text = "Error: Could not sign data." } } } func generatePrivateKey() -> SecKey? { // 1. Create Keys Access Control guard let accessControl = SecAccessControlCreateWithFlags( nil, kSecAttrAccessibleWhenUnlockedThisDeviceOnly, [.privateKeyUsage], nil) else { fatalError("cannot set access control") } // 2. Create Key Attributes guard let tag = "com.example.keys.mykey".data(using: .utf8) else { fatalError("cannot set tag") } let attributes: [String: Any] = [ kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom, kSecAttrKeySizeInBits as String: 256, kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave, kSecPrivateKeyAttrs as String: [ kSecAttrIsPermanent as String: true, kSecAttrApplicationTag as String: tag, kSecAttrAccessControl as String: accessControl ] ] // 3. Generate Key Pairs var error: Unmanaged<CFError>? guard let privateKey = SecKeyCreateRandomKey(attributes as CFDictionary, &error) else { if let error = error?.takeRetainedValue() { print("Error creating a key: \(error)") } return nil } return privateKey } func signData(privateKey: SecKey, data: Data) -> Data? { let digest = sha256(data: data) var error: Unmanaged<CFError>? guard let signature = SecKeyCreateSignature(privateKey, .ecdsaSignatureMessageX962SHA256, digest as CFData, &error) as Data? else { print(error!.takeRetainedValue() as Error) return nil } return signature } } THIS DOESN'T guard let accessControl = SecAccessControlCreateWithFlags( nil, kSecAttrAccessibleWhenUnlockedThisDeviceOnly, [.privateKeyUsage, .biometryCurrentSet], nil) else { info.something file is updated and there is a privacy FaceID field included. the error is triggered at this part: var error: Unmanaged<CFError>? guard let privateKey = SecKeyCreateRandomKey(attributes as CFDictionary, &error) else { if let error = error?.takeRetainedValue() { print("Error creating a key: \(error)") } return nil } The error itself: Error creating a key: Error Domain=NSOSStatusErrorDomain Code=-25293 "Key generation failed, error -25293" UserInfo={numberOfErrorsDeep=0, NSDescription=Key generation failed, error -25293}

Is it possible to implement a login via Biometric TouchID FaceID in a Wkwebview? I'm not a developer and thank you in advance for your help.

Hi, We're using SecKeyCreateRandomKey to generate a random key with access control kSecAttrAccessControl key set to `kSecAccessControlTouchIDAny' using below code SecAccessControlCreateWithFlags( kCFAllocatorDefault, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, kSecAccessControlTouchIDAny | kSecAccessControlPrivateKeyUsage, &error) Now, while accessing the key with below code, we're not seeing any biometric prompt on simulator where as the biometric prompt is shown in all physical devices and the key is returned only on successful authentication with FaceID (or) Touch ID. Can someone please help to understand why the behaviour is different in simulators NSDictionary *privateKeySearchQueryParam = @{ (id)kSecClass: (id)kSecClassKey, (id)kSecAttrKeyType: (id)kSecAttrKeyTypeEC, (id)kSecAttrLabel: keyName, (id)kSecReturnRef: @YES };

Hello, we trying to develop passwordless flow in the browser, but when we invoke navigator.credentials.create, it resolves an empty object {}. We acquired options from StrongKey server and parsed them in navigator options as was shown on wwdc20-10670 demo. An excerpt of source code is below: { &#9;&#9;publicKey: { &#9;&#9;&#9;&#9;rp: {name: queryParams.rpName}, &#9;&#9;&#9;&#9;user: { &#9;&#9;&#9;&#9;&#9;&#9;name: queryParams.userName, &#9;&#9;&#9;&#9;&#9;&#9;id: toUint8Array(queryParams.userId), &#9;&#9;&#9;&#9;&#9;&#9;displayName: queryParams.displayName &#9;&#9;&#9;&#9;}, &#9;&#9;&#9;&#9;pubKeyCredParams: [{type: "public-key", alg: -7}], &#9;&#9;&#9;&#9;challenge: toUint8Array(queryParams.challenge), &#9;&#9;&#9;&#9;authenticatorSelection: {authenticatorAttachment: "platform",}, &#9;&#9;&#9;&#9;attestation: "direct" &#9;&#9;} } The user is requested to proceed with TouchID/FaceID/etc. and everything looks as expected, but the returned value is empty. We have tested the flow in the latest Chrome, Safari and Safari for iOS. Has anyone encountered this behavior as well?

I am sending a user to the apple authentication site where they fill in their apple login information on a form: const signInWithApple = () => { const params = { client_id: Config.APPLE_AUTH_CLIENT_ID, redirect_uri: 'https://www.example-site.com/auth/apple/', scope: 'name email', response_type: 'code', response_mode: 'form_post', }; const loginUrl = `https://appleid.apple.com/auth/authorize?${queryString.stringify(params)}`; window.open(loginUrl, '_blank', `scrollbars=yes, width=520, height=570`); }; After it has authenticated the user, it redirects the user to the URL that is defined in the redirect_uri property. Then I verify the token and log in the user on my end. That works beautifully. The problem occurs when, instead of opening the window with the form fields, it opens a sheet at the bottom of the Safari mobile browser to allow the user to use face id. If you follow through with that, it looks like it recognizes your face and closes the sheet but it never redirects the user to my URL page where I log in the user after verifying their token. Has anybody encountered this? I would love some ideas on how to solve this please!

I am writing to seek assistance with an issue related to Face ID enrollment in the latest version of Xcode (15 Beta) and iOS Simulator 17.0. The problem I am encountering is that I am unable to enroll Face ID on the simulator's UI. Specifically, when navigating to Simulator -> Features -> Face ID -> Enrolled, the Biometry Enrollment Status is displayed as "Not Enrolled." This issue seems to be persistent across different device models in the iOS Simulator. Strangely, Face ID enrollment works perfectly fine in Xcode 14.2 (ios 16.2). However, after upgrading to the iOS 17.0 simulator, it appears that something has changed with regards to biometrics. I would greatly appreciate any guidance or suggestions on how to resolve this problem. Has anyone else encountered a similar issue with Face ID enrollment in Xcode 15 Beta and iOS Simulator 17.0? If so, were you able to find a solution or a workaround? Thanks in advance!

I push a new application to store. ;When i try to log in with FaceId, i get an error like this "Sign up not completed". what am i missing? could you help pls :) you can access the app from https://apps.apple.com/tr/app/lone/id6447771266?l=tr

I have made app which uses FaceID (TrueDepth), so I want to set FaceID compatibility in AppStore. Now I set phone-ipad-minimum-performance-a12 key in Required Device Capabilities, but it excepts iPhoneX which uses FaceID. Is there a way to set FaceID compatibility?

I have made ios app which used TrueDepth (FaceID) camera. So, I want to set TrueDepth compatibility but I could not find its key in Required Device Capabilities. Is there a way to set TrueDepth compability?

Apple's guidance in the Human Interface Guidelines has always been: "In general, avoid offering an app-specific setting for opting in to biometric authentication. People enable biometric authentication at the system level, so presenting an in-app setting is redundant and could be confusing." However, FaceID and TouchID behave differently. With FaceID, a user may configure whether to enable FaceID on a per app basis in system settings, so an in-app setting is redundant and potentially confusing. With TouchID, a user cannot configure whether to enable TouchID on a per app basis in system settings. What is Apple's recommendation of a UX for allowing a user to enable TouchID (to log in to the app) on a per app basis. Is the developer expected to provide an in-app setting for TouchID but not FaceID?

Hi, I have a question about the possibility to authenticate a user , by triggering an external e.g. MFA authenticator APP, authentication in CarPlay using Siri. The Scenario is that your driving your car and you're interacting with an app using Siri and ordering stuff in the app, but before the order is placed, the user needs to confirm the order and authenticate himself, by e.g. using an (external) MFA authenticator app on the phone connected to the car via CarPlay? Off course the user would probably need to pick up the phone and enter a passcode, or using FaceID. Is this scenario possible to implement? if so, how? Thanks!

Hi there! I'm using PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable to detect whether a platform authenticator is available in order to prompt to register it. On iOS 16 it resolves to true even when FaceID and passcode are turned off in system settings. In this case, when navigator.credentials.create is called with "authenticatorAttachment" set to "platform", it immediately fails with the following error, without showing any UI { code: 0, message: "This request has been cancelled by the user.", name: "NotAllowedError" } To me, one of these functions does not work correctly, so I am wondering which one is it? I assume that on iOS 16 PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable resolves to true because it should be possible to register a passkey on another device. But in that case navigator.credentials.create would suggest to do that instead of failing, right? Thanks in advance for any help.