I've implemented Face ID in my app to authenticate after the user is authenticated, so they don't have to sign in again to log into their account. However, it asks me to enter my iPhone's passcode instead of scanning my face. Is there any way to fix this? Is there something I have to add?
Local Authentication
Authenticate users biometrically or with a passphrase using Local Authentication.
Posts under Local Authentication tag
18 Posts
Hi,
I would like to know the guidelines or rules regarding the implementation of Local Authentication. My client requirements are:
After the user logs in with username and password, or resets their password, the app will then authorize Face ID or passcode to be able to access/navigate the app.
Subsequent access will also require Face ID or passcode to access the app.
Clicking app notifications when the app is closed will require Face ID or passcode to access the app.
Is this a process allowed by Apple?
Thanks
Is the method used to unlock an iOS device available to an app? We would like to require a step-up to MFA (in our app) if passcode was used and allow for single factor if Face ID was used.
On Xcode 15.4, LAContext.biometryType had an @available attribute of visionOS 1.0. However, in Xcode 16, the @available attribute for biometryType was changed to a visionOS 2.0 minimum requirement, preventing the app from building if the minimum deployment target is earlier than visionOS 2.0.
This was the attribute on Xcode 15.4:
This is the attribute on Xcode 16:
Feedback ID: FB13824190
I have implemented changing the user's password programmatically using the OpenDirectory framework. Once the password is updated successfully, it can be used for login sessions and authentication wherever required. But the same password fails to authenticate with the Local Authentication framework, that is with LAContext, which always prefers the older password. Even restarting the machine doesn't work.
Changing the current user's password using the method below:
import OpenDirectory

func changePassword(currentPassword: String, newPassword: String) {
    do {
        // Open the local directory node and look up the record for the current user.
        let node = try ODNode(session: ODSession.default(), type: ODNodeType(kODNodeTypeLocalNodes))
        let user = try node.record(withRecordType: kODRecordTypeUsers, name: NSUserName(), attributes: nil)
        try user.changePassword(currentPassword, toPassword: newPassword)
        print("Password changed successfully")
    } catch {
        print(error)
    }
}
Once the password is updated, trying to authenticate the password with LAContext using:
import LocalAuthentication

func authenticate(completion: @escaping (Bool, Error?) -> Void) {
    let context = LAContext()
    // .deviceOwnerAuthentication accepts biometry or the account password as fallback.
    // "AuthenticationMessage".localized() is an app-specific String extension.
    context.evaluatePolicy(.deviceOwnerAuthentication, localizedReason: "AuthenticationMessage".localized()) { success, error in
        DispatchQueue.main.async {
            completion(success, error)
        }
        print("authentication error = \(String(describing: error?.localizedDescription))")
    }
}
It won't accept the updated password. Any idea how to solve this problem?
Hi,
Is this possible? I would like to:
Store a biometrically secured key in the Secure Enclave.
Do multiple cryptographic operations using that key in a short period of time (say 5 seconds), not all at once.
Only do one Face ID for that set.
So far I've only gotten either multiple flashing Face ID requests or the operations failing.
Is it possible to set a time limit within which the first Face ID authentication is accepted?
Should I do something else?
Thanks!
Hi, I am creating a simple app with iOS 17. I want to authenticate via the iOS passcode, but I couldn't find any example of it. Where can I get an example of using the iOS passcode on iOS 17? Please help me.
Hi,
I'm looking for best practices for unlocking Touch ID in a Mac app when using canEvaluatePolicy.
Documentation says:
Biometric authentication will get locked after 5 unsuccessful attempts. After that, users have to unlock it by entering their account password. The password can be entered either at login window or in the preference sheets or even in application by the means of LAPolicyDeviceOwnerAuthentication. The system unlock is preferred user experience because we generally don't want users to enter their account password at application's request.
So if we shouldn't manage the Mac's password in the app, how do we invite the user to unlock?
Explaining that they must lock/unlock the session or open any preference panel isn't a fluent experience and would definitely seem weird.
I tried adding an 'Unlock' button in an alert and locking the screen automatically, but this raises extra complexities:
pmset can put the screen to sleep but won't lock in case of a grace period
sending a cmd-ctrl-Q AppleEvent to System Events could fit, but it depends on user acceptance of AEs and fails when System Events isn't running.
Any ideas?
Just heard about Stolen Device Protection. The app I'm building uses biometrics but allows users to enter their own passcode as a fallback. Is it possible to detect via Swift if Stolen Device mode is active, with restrictions in place? So that I could bump up my own security and maybe force biometrics?
When trying to open an app that uses Local Authentication (Face ID), the auth process does not start right away; 3-4 attempts are needed in order to get authenticated with the method the user has selected (Face ID). This is happening with many apps and it seems there's no workaround.
[Edited by Moderator]
Hi everyone,
I'm looking into adding unique biometric authentication (fingerprints only) to a mobile app I'm developing. Is it possible to assign and recognize individual biometric data for a unique scan for the app? I'm interested in the technical feasibility, any notable security concerns, and would appreciate any insights or experiences you might have on this topic.
Imagine logging into your phone or laptop using your thumbprint, and then, with the same device, accessing a specific app solely with your pinky finger's biometric data. This dual-layer security approach leverages different fingerprints for device and app access, enhancing user-specific authentication.
Thanks in advance for your help!
Hello everybody.
I have a set of UI tests for Biometrics authentication, and at the beginning of each test I need there to be no permission for Biometrics (neither granted nor denied).
I found the resetAuthorizationStatus(for:) method that allows resetting everything except Biometrics :(
Is there any way I can reset this permission without deleting the whole app in tearDown()?
Hi there, bit of an odd one; we have no idea how this happened, but now we can't seem to figure out how to fix it.
Our app requests Touch ID on macOS to authenticate a user. This is done in the ever so standard way [LAContext evaluatePolicy:...]... Functionally everything is fine, but for some reason there is no App Name on the system dialog... We don't even know when this started happening...
Our App Icon is there but not the name, it's blank so the dialog looks strange (see attached pic). The text doesn't really make sense without the App Name.
I wouldn't have even thought this was possible, the standard info.plist keys like CFBundleName and CFBundleDisplayName are all set correctly. Everything else seems totally fine. We're seeing this across every target/build/version/sku so it seems unrelated to a particular plist. There are no localizations for the App Name either, no InfoPlist.strings involved here.
What could cause this, does anyone know?
@eskimo, I'm afraid turning things up to 11 didn't help, so hoping you've got an idea?
I have some code where I'm using SecKeyCreateSignature using a SecKey that I retrieved using SecCopyItemMatching with an LAContext provided to the query via the kSecUseAuthenticationContext parameter.
This is a biometrically-backed key, so a Touch ID prompt is displayed for the user. Calling LAContext.invalidate() while that system prompt is present doesn't dismiss the prompt or cancel the SecKeyCreateSignature call. I was hoping it would behave similarly to calling LAContext.invalidate() during LAContext.evaluatePolicy, which dismisses the system prompt and cancels the evaluatePolicy call.
Is this a bug/oversight, expected behaviour, or am I missing some required setup to accomplish what I'm trying to do?
Snyk and Fortify (3rd party security scanning software) scans have flagged our auth code when using evaluatePolicy on LAContext. Our app is an iOS-only app.
"Avoid using evaluatePolicy for local user authentication. The API can be hooked and thus the return value can be changed leading to a potential authentication bypass on jailbroken devices. Consider using iOS keychain APIs."
Has anyone encountered this issue in their security scans, and were you able to remediate it with the suggested fix using the keychain APIs?
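Added Swift example (not code from any of the posts above) covering both the Secure Enclave post (several operations after a single Face ID) and the scanner finding just quoted: the secret is a biometry-bound Secure Enclave key, and the LAContext that passed evaluatePolicy is handed to the keychain query so the later signatures reuse it. The app then depends on the key being usable, not on a Bool that could be tampered with. The key tag, reason string and message list are assumptions.

```swift
import LocalAuthentication
import Security

// Assumed tag for the app's Secure Enclave signing key (any app-specific value).
let keyTag = "com.example.biometric-signing-key".data(using: .utf8)!

/// Creates a Secure Enclave P-256 key usable only after biometry; callers need the key, not a Bool.
func createBiometricKey() throws -> SecKey {
    var cfErr: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
            nil, kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
            [.privateKeyUsage, .biometryCurrentSet], &cfErr)   // key dies if enrolled biometry changes
    else { throw cfErr!.takeRetainedValue() }
    let attrs: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
        kSecPrivateKeyAttrs as String: [kSecAttrIsPermanent as String: true,
                                        kSecAttrApplicationTag as String: keyTag,
                                        kSecAttrAccessControl as String: access]]
    guard let key = SecKeyCreateRandomKey(attrs as CFDictionary, &cfErr) else { throw cfErr!.takeRetainedValue() }
    return key
}

/// Signs several messages after one prompt: the authenticated LAContext goes into the keychain query.
func signAll(_ messages: [Data], completion: @escaping (Result<[Data], Error>) -> Void) {
    let context = LAContext()
    context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                           localizedReason: "Sign pending requests") { ok, err in
        guard ok else { return completion(.failure(err ?? LAError(.authenticationFailed))) }
        let query: [String: Any] = [
            kSecClass as String: kSecClassKey,
            kSecAttrApplicationTag as String: keyTag,
            kSecReturnRef as String: true,
            kSecUseAuthenticationContext as String: context]   // reuse the authenticated context
        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)
        guard status == errSecSuccess, let key = item else {
            return completion(.failure(NSError(domain: NSOSStatusErrorDomain, code: Int(status))))
        }
        var cfErr: Unmanaged<CFError>?
        var sigs: [Data] = []
        for m in messages {   // no further prompt as long as `context` stays valid
            guard let sig = SecKeyCreateSignature(key as! SecKey, .ecdsaSignatureMessageX962SHA256,
                                                  m as CFData, &cfErr) as Data? else {
                return completion(.failure(cfErr!.takeRetainedValue()))
            }
            sigs.append(sig)
        }
        completion(.success(sigs))
    }
}
```

Call createBiometricKey() once at enrollment and signAll(_:completion:) per batch; if biometry is re-enrolled the .biometryCurrentSet key becomes unusable and must be recreated.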
On iOS 17 beta 1 or previous iOS versions, the [LAContext canEvaluatePolicy:error:] method works well without requiring the NSFaceIDUsageDescription key in the plist.
However, when iOS 17 beta 2 (21A5268h) was released, we noticed some crash issues related to TCC_CRASHING_DUE_TO_PRIVACY_VIOLATION. The crash termination reason suggests that an NSFaceIDUsageDescription key must be included in the plist file, providing a string value explaining to the user how the app uses Face ID data. It is important to note that we do not actually require this permission.
It is challenging to reproduce this issue, as it occurs sporadically without clear triggering conditions. These problems are likely associated with changes made to the LocalAuthentication or TCC frameworks within Apple's beta system.
Thread 1:
0 libsystem_kernel.dylib 0x00000001e6a68ba0 semaphore_wait_trap + 8
1 libdispatch.dylib 0x00000001a8a3e89c _dispatch_sema4_wait + 28 (lock.c:139)
2 libdispatch.dylib 0x00000001a8a3ef4c _dispatch_semaphore_wait_slow + 132 (semaphore.c:132)
3 LocalAuthentication 0x00000001d51349b8 -[LAClient _checkIdResultForTCC:synchronous:error:retryBlock:finally:] + 500 (LAClient.m:383)
4 LocalAuthentication 0x00000001d5135828 __64-[LAClient evaluatePolicy:options:uiDelegate:synchronous:reply:]_block_invoke_2 + 180 (LAClient.m:547)
5 CoreFoundation 0x00000001a0dd65b4 __invoking___ + 148
6 CoreFoundation 0x00000001a0d83a0c -[NSInvocation invoke] + 428 (NSForwarding.m:3399)
7 Foundation 0x000000019fdffdf4 __NSXPCCONNECTION_IS_CALLING_OUT_TO_REPLY_BLOCK__ + 16 (NSXPCConnection.m:170)
8 Foundation 0x000000019fdd1f64 -[NSXPCConnection _decodeAndInvokeReplyBlockWithEvent:sequence:replyInfo:] + 520 (NSXPCConnection.m:316)
9 Foundation 0x00000001a050eb5c __88-[NSXPCConnection _sendInvocation:orArguments:count:methodSignature:selector:withProxy:]_block_invoke_5 + 188 (NSXPCConnection.m:1662)
10 Foundation 0x000000019fd965fc -[NSXPCConnection _sendInvocation:orArguments:count:methodSignature:selector:withProxy:] + 2244 (NSXPCConnection.m:1679)
11 CoreFoundation 0x00000001a0d82c0c ___forwarding___ + 1008 (NSForwarding.m:3634)
12 CoreFoundation 0x00000001a0de79d0 _CF_forwarding_prep_0 + 96
13 LocalAuthentication 0x00000001d513573c __64-[LAClient evaluatePolicy:options:uiDelegate:synchronous:reply:]_block_invoke + 204 (LAClient.m:546)
14 LocalAuthentication 0x00000001d5134fe4 __47-[LAClient _performSynchronous:callId:finally:]_block_invoke + 504 (LAClient.m:446)
15 libdispatch.dylib 0x00000001a8a3e300 _dispatch_client_callout + 20 (object.m:561)
16 libdispatch.dylib 0x00000001a8a4dce8 _dispatch_sync_invoke_and_complete + 56 (queue.c:1071)
17 LocalAuthentication 0x00000001d5134dac -[LAClient _performSynchronous:callId:finally:] + 196 (LAClient.m:465)
18 LocalAuthentication 0x00000001d5135634 -[LAClient evaluatePolicy:options:uiDelegate:synchronous:reply:] + 296 (LAClient.m:545)
19 LocalAuthentication 0x00000001d513f38c -[LAContext _evaluatePolicy:options:synchronous:reply:] + 188 (LAContext.m:373)
20 LocalAuthentication 0x00000001d513f084 -[LAContext _evaluatePolicy:options:log:cid:synchronous:reply:] + 388 (LAContext.m:348)
21 LocalAuthentication 0x00000001d5124268 -[LAContext _evaluatePolicy:options:log:cid:error:] + 272 (LAContext.m:402)
22 LocalAuthentication 0x00000001d5123fec -[LAContext canEvaluatePolicy:error:] + 276 (LAContext.m:548)
....
Thread 24 Crashed:
0 libsystem_kernel.dylib 0x00000001e6a78394 __terminate_with_payload + 8
1 libsystem_kernel.dylib 0x00000001e6a9aca0 abort_with_payload_wrapper_internal + 136 (terminate_with_reason.c:106)
2 libsystem_kernel.dylib 0x00000001e6a9acb4 abort_with_payload + 16 (terminate_with_reason.c:124)
3 TCC 0x00000001c1471928 __TCC_CRASHING_DUE_TO_PRIVACY_VIOLATION__ + 172 (TCC.c:563)
4 TCC 0x00000001c14720a0 __TCCAccessRequest_block_invoke_7 + 600 (TCC.c:707)
5 TCC 0x00000001c146f154 __tccd_send_message_block_invoke + 624 (TCC.c:0)
6 libxpc.dylib 0x0000000208d09b14 _xpc_connection_reply_callout + 116 (serializer.c:119)
7 libxpc.dylib 0x0000000208cfc484 _xpc_connection_call_reply_async + 80 (connection.c:881)
8 libdispatch.dylib 0x00000001a8a3e380 _dispatch_client_callout3 + 20 (object.m:587)
9 libdispatch.dylib 0x00000001a8a5bb04 _dispatch_mach_msg_async_reply_invoke + 344 (mach.c:3102)
10 libdispatch.dylib 0x00000001a8a50d40 _dispatch_root_queue_drain_deferred_item + 336 (queue.c:7011)
11 libdispatch.dylib 0x00000001a8a50628 _dispatch_kevent_worker_thread + 500 (queue.c:6484)
12 libsystem_pthread.dylib 0x0000000208ca8e88 _pthread_wqthread + 344 (pthread.c:2635)
13 libsystem_pthread.dylib 0x0000000208ca8bf0 start_wqthread + 8
Hi,
I want to implement FIDO-based biometric authentication in our app. I don't want to use passkeys because they are only compatible with iOS 16 and higher.
Is there a way to use it through SFSafariViewController, a web view, ASWebAuthenticationSession or any other method?
I'm developing a macOS app that will usually be running in a non-admin user environment. But I have a screen of the app that I would like to secure so as to make it only accessible to admin users (think: parents).
I can't figure out what API I'm supposed to use to prompt for specifically an ADMIN user. I've tried googling a ton, but I must be trying the wrong search terms, because I can't find anything.
The API for LAContext() is almost what I want: I can get it to prompt for a password, but it seems to ONLY work for the currently logged-in user. I can't find a policy type that allows me to specify something like .adminUserAuthentication. It seems like LAContext() was not meant for this use case. But then, what is the right API to call to do this?
Can someone point me in the right direction?
I don't want to limit myself to this only working for supervised users, or users with parental controls turned on, I would like a generic solution. I've seen apps that prompt for admin credentials on regular non-admin users, so it must be possible, right?