Local Authentication

Authenticate users biometrically or with a passphrase using Local Authentication.

Local Authentication Documentation

Posts under Local Authentication tag

18 Posts
Post not yet marked as solved
0 Answers
36 Views
Hello mates, I am having an issue while disabling the user's biometry on iPhone 13 Pro Max. When I perform multiple failed recognition attempts through Face ID, the device biometry does not get locked. I want to have some custom functionality after biometry locking. This issue occurs only on iPhone 13 Pro Max, whereas it's working fine on a physical iPhone 13 Pro. Has anyone faced this issue? Any help would be appreciated. Thanks, Dawood gul
Post marked as solved
6 Answers
1.1k Views
Hello. We have encountered a failure that we haven't seen before regarding use of Secure Enclave private keys and creating cryptographic signatures. We've used this code on thousands of iOS devices (from iOS 11.2 to iOS 14.6) without issue, and recently saw an error that we were not able to find documentation for. We are hoping to find out more details about the failure so that we can avoid it in the future.

Steps to Reproduce

1. On an iPhone 11 Pro running iOS 14.4.2, generate a private key in the Secure Enclave via SecKeyCreateRandomKey() with the following parameters:

    [
        kSecAttrTokenID: kSecAttrTokenIDSecureEnclave,
        kSecAttrKeyType: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits: 256,
        kSecPrivateKeyAttrs: [
            kSecAttrAccessControl: SecAccessControlCreateWithFlags(
                kCFAllocatorDefault,
                kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
                [.touchIDAny, .privateKeyUsage],
                nil
            )!,
            kSecAttrIsPermanent: true
        ],
        kSecAttrApplicationLabel: "unique label" // a customer identifier
    ]

(Note that the app is using a deployment target of iOS 11.2, thus the use of .touchIDAny.)

2. Fetch the aforementioned key with SecItemCopyMatching(…) with the following parameters:

    [
        kSecClass: kSecClassKey,
        kSecAttrKeyType: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits: 256,
        kSecReturnRef: true,
        kSecUseOperationPrompt: "Verify your identity",
        kSecAttrApplicationLabel: "unique label" // a customer identifier
    ]

3. Create a signature of a CFData with the key from step #2:

    var error: Unmanaged<CFError>?
    let signature = SecKeyCreateSignature(key, .ecdsaSignatureMessageX962SHA256, data, &error)

Expected Result

The customer is prompted for Face ID, passes, and SecKeyCreateSignature(…) successfully returns a signature. Note that this method successfully works for us on thousands of devices, from iOS 11.2 to iOS 14.6.

Actual Result

In a rare isolated case, we are seeing the SecItemCopyMatching(…) succeed and then the SecKeyCreateSignature(…) call fails to display the Face ID prompt. Instead, SecKeyCreateSignature(…) immediately fails and populates an error with the following information:

    domain: CryptoTokenKit
    code: -3
    localizedDescription: The operation couldn’t be completed. (CryptoTokenKit error -3.)
    description: "<sepk:p256 kid=1214c04d05261ee3>: unable to sign digest" UserInfo={NSDebugDescription=<sepk:p256 kid=1214c04d05261ee3>: unable to sign digest, AKSError=-536362999}

On this particular iPhone 11 Pro device, the customer did not have any issues with this code around 6 months prior to the failure. The customer has more recently encountered the failure, and we have confirmed the device fails to create signatures 100% of the time with the above error. We have asked the customer to reboot the device to no avail, and we have confirmed that Face ID does indeed successfully work on the device's lock screen. The failure still continues.

Additional Notes

We are not able to find any information about this specific failure from the documentation or additional research on the web. We were able to deduce that CryptoTokenKit error -3 maps to TKErrorCodeCorruptedData. In the documentation of TKErrorCodeCorruptedData, it is unclear if the corruption is referring to the private key or to the dataToSign parameter of SecKeyCreateSignature(). Do you have any insight into why/when this error is returned, and how might we avoid it in the future? Thank you.
Posted by spindel.
Post not yet marked as solved
1 Answers
305 Views
Hi, iOS 15.4 is bringing a new exciting security feature which allows users to enroll a "masked face" so they can unlock their devices while wearing a mask. Some apps might leverage evaluatedPolicyDomainState (https://developer.apple.com/documentation/localauthentication/lacontext/1514150-evaluatedpolicydomainstate) to detect if the biometric state has changed, and if so, log out or lock the user to protect their data. It looks like the masked-face enrolment changes the policy domain state, and as such it might lead to many unexpected logouts. Is there any way to detect if the change to the state was introduced by the masked face enrollment, so that we can somehow retain the user's login session? Many thanks!
Posted by marcin_.
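The state-comparison pattern described in the post above, as an added example that is not part of the original post or of Apple's sample code. The type name, enum and storage key are hypothetical, and storing the baseline in UserDefaults is an assumption made to keep the example short.

```swift
import Foundation
import LocalAuthentication

// Added example. BiometricStateMonitor, BiometricStateChange and the
// storage key are hypothetical names, not from the post.
enum BiometricStateChange { case unavailable, firstRun, unchanged, changed }

struct BiometricStateMonitor {
    private let defaults: UserDefaults
    private let key = "example.biometricDomainState" // hypothetical key

    init(defaults: UserDefaults = .standard) { self.defaults = defaults }

    // Reads the current policy domain state, or nil when biometrics
    // cannot be evaluated (not enrolled, locked out, no hardware).
    private func currentState() -> Data? {
        let context = LAContext()
        var error: NSError?
        // evaluatedPolicyDomainState is only populated after
        // canEvaluatePolicy succeeds for a biometric policy.
        guard context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                                        error: &error) else { return nil }
        return context.evaluatedPolicyDomainState
    }

    // Compares the current state with the stored baseline. The value is
    // opaque: a mismatch says the enrolled biometric set changed, not why.
    func check() -> BiometricStateChange {
        guard let current = currentState() else { return .unavailable }
        guard let baseline = defaults.data(forKey: key) else {
            defaults.set(current, forKey: key)
            return .firstRun
        }
        return baseline == current ? .unchanged : .changed
    }

    // Call only after the user has re-authenticated with a non-biometric
    // credential (for example the account password), so the new
    // enrollment becomes the trusted baseline.
    @discardableResult
    func acceptCurrentState() -> Bool {
        guard let current = currentState() else { return false }
        defaults.set(current, forKey: key)
        return true
    }
}
```

UserDefaults is not tamper-resistant; an app that treats the baseline as a security control would keep it in the keychain instead.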
Post not yet marked as solved
5 Answers
338 Views
Hey, I've been trying to pinpoint what is causing this crash, but I'm having trouble understanding the Apple crash log. I understand that this crash is happening after the app is launched, because I know we call canEvaluatePolicy() and evaluatePolicy() when the login screen finishes loading. But if you notice, the following error lines after that are not related to LocalAuthentication (or so I think), therefore I'm confused. Here's the log:

    Thread 0 Crashed:
    0 libsystem_platform.dylib 0x0000000217f95fc4 _platform_strlen + 4
    1 Foundation 0x00000001a803539c -[NSXPCEncoder _encodeInvocation:isReply:into:] + 132 (NSXPCCoder.m:456)
    2 Foundation 0x00000001a800686c -[NSXPCConnection _sendInvocation:orArguments:count:methodSignature:selector:withProxy:] + 1388 (NSXPCConnection.m:1506)
    3 CoreFoundation 0x00000001a680270c ___forwarding___ + 1128 (NSForwarding.m:3618)
    4 CoreFoundation 0x00000001a6801a60 _CF_forwarding_prep_0 + 96
    5 LocalAuthentication 0x00000001dd83c6b4 __64-[LAClient evaluatePolicy:options:uiDelegate:synchronous:reply:]_block_invoke + 240 (LAClient.m:541)
    6 LocalAuthentication 0x00000001dd83bc80 __47-[LAClient _performSynchronous:callId:finally:]_block_invoke + 584 (LAClient.m:441)
    7 libdispatch.dylib 0x00000001a64d4a2c _dispatch_client_callout + 20 (object.m:560)
    8 libdispatch.dylib 0x00000001a64e42d4 _dispatch_sync_invoke_and_complete + 56 (queue.c:1028)
    9 LocalAuthentication 0x00000001dd83b9e8 -[LAClient _performSynchronous:callId:finally:] + 220 (LAClient.m:460)
    10 LocalAuthentication 0x00000001dd83c57c -[LAClient evaluatePolicy:options:uiDelegate:synchronous:reply:] + 392 (LAClient.m:540)
    11 LocalAuthentication 0x00000001dd842d48 -[LAContext _evaluatePolicy:options:log:cid:synchronous:reply:] + 472 (LAContext.m:340)
    12 LocalAuthentication 0x00000001dd838364 -[LAContext _evaluatePolicy:options:log:cid:error:] + 284 (LAContext.m:387)
    13 LocalAuthentication 0x00000001dd838090 -[LAContext canEvaluatePolicy:error:] + 304 (LAContext.m:533)
    14 APIGuard 0x0000000101fbb144 0x101fac000 + 61764
    15 APIGuard 0x0000000101fb99b8 0x101fac000 + 55736
    16 CoreFoundation 0x00000001a67ff324 __CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER__ + 28 (CFNotificationCenter.c:652)
    17 CoreFoundation 0x00000001a689bac4 ___CFXRegistrationPost_block_invoke + 52 (CFNotificationCenter.c:173)
    18 CoreFoundation 0x00000001a686ecc0 _CFXRegistrationPost + 456 (CFNotificationCenter.c:199)
    19 CoreFoundation 0x00000001a681539c _CFXNotificationPost + 728 (CFNotificationCenter.c:1147)
    20 Foundation 0x00000001a7fdc704 -[NSNotificationCenter postNotificationName:object:userInfo:] + 96 (NSNotification.m:560)
Post not yet marked as solved
1 Answers
155 Views
Is there any way to detect the biometric type even if it is disabled at the OS level? We are getting notEnrolledError when trying to read the biometric type.
Post not yet marked as solved
2 Answers
342 Views
Is there any way to store the biometric information/data points that faceid collects in your own database? I know it's possible to allow users to log in using faceID on their own phones, however, is it possible to leverage facial recognition and make it a feature in my app? For instance, allowing any user to log into my app on any iphone just by scanning their face...
Post not yet marked as solved
1 Answers
1k Views
We use biometricID (faceID/touchID) authentication to access a secret stored in the keychain. We create the access control object with the biometryCurrentSet option as shown, to make sure that if FaceID / TouchID changes the entry is invalidated.

    let secAccessControlObj = SecAccessControlCreateWithFlags(nil, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, .biometryCurrentSet, accessControlError)

Below are the set and get queries.

Set Query:

    [String(kSecClass): kSecClassGenericPassword,
     String(kSecAttrAccount): group as AnyObject,
     String(kSecAttrService): service as AnyObject,
     String(kSecUseAuthenticationUI) : kSecUseAuthenticationUIAllow as AnyObject,
     String(kSecAttrAccessControl) : secAccessControlObj,
     String(kSecValueData) : value as AnyObject,
     String(kSecAttrCreationDate) : Date() as AnyObject]

Get Query:

    [String(kSecClass): kSecClassGenericPassword,
     String(kSecAttrAccount): group as AnyObject,
     String(kSecAttrService): service as AnyObject,
     String(kSecUseAuthenticationUI) : kSecUseAuthenticationUIAllow as AnyObject,
     String(kSecAttrAccessControl) : secAccessControlObj,
     String(kSecValueData) : value as AnyObject,
     String(kSecAttrCreationDate) : Date() as AnyObject]

Steps:

1. Set the value in keychain using the set query above.
2. Reset the faceID.
3. Use the get query to get the value from keychain by authenticating against TouchID / FaceID.

Result: When we try to get the value from keychain using SecItemCopyMatching(query as CFDictionary, result) we get the error code errSecAuthFailed (-25293) on iOS 15.

Analysis: Prior to this (iOS 14 and below) the error code would be errSecItemNotFound, which makes more sense. This is an issue for iOS 15 only, as we also get errSecAuthFailed when the user backgrounds the app while authenticating with FaceID/TouchID. This creates an ambiguity for us. In our testing, when we backgrounded the app while authentication was in progress, we found the actual call to SecItemCopyMatching(_:_:) was made when the app's state was actually active, but when the call returned the state had become background and the error code was again errSecAuthFailed. This seems to be a bug with iOS 15, as it creates an ambiguity for the caller. I think the error code returned after resetting faceID should still be errSecItemNotFound, in which case we can know the secret is actually lost since FaceID is reset, and can treat errSecAuthFailed as an error where the secret is actually not lost but just that failed temporarily. Please let us know if we need to file a bug.
Posted by axp9103.
Post not yet marked as solved
0 Answers
278 Views
With the new feature enabled in ios beta 15.4, I can validate that faceID with mask works. We get a bool(matched/unmatched) response when using evaluatePolicy, which is not helpful in finding if faceid-with-mask was used. I want to disable the face id feature of the app when a non-secure way of authentication is enabled and I'm unable to find any documentation on this on LAPolicy's page. What would be the recommended way to go around finding if face id with mask is enabled? Any help with documentation would be appreciated. Thanks!
Post not yet marked as solved
0 Answers
191 Views
Hi there, Our Password Manager app on macOS allows a user to unlock their password database using Apple Watch for convenience. We check that Apple Watch is available for use by calling canEvaluatePolicy in the usual way. This works really well most of the time: if the Watch is available, we'll be able to call evaluatePolicy to have the user authenticate with their watch. However, we have been receiving reports that when their watches go to sleep our App incorrectly requests they authenticate with their watch. It does this because canEvaluatePolicy returns true, but once we call evaluatePolicy, instead of requesting the user authenticate, we immediately get an error:

    Error Domain=com.apple.LocalAuthentication Code=-1 "AppleWatch authentication failed." UserInfo={NSDebugDescription=AppleWatch authentication failed., NSLocalizedDescription=Authentication failure.}

Apparently though there is a way to detect this: the Apple User Login screen is able to detect that the watch is asleep and requests a password instead. Also, System Preferences that require a password somehow can cause the Apple Watch to vibrate when asleep but then fail gracefully/fall back to requesting a password. As developers, we would like to know if we can request Apple Watch authentication using the canEvaluatePolicy function. If the watch is asleep, then that should, we believe, return false. Any help or pointers on how to detect this scenario appreciated.
Posted by markmc.
Post not yet marked as solved
1 Answers
257 Views
I can't speak English well, so I used a translator. It has been completed up to checking whether the app is authorized or not using the current 'canEvaluatePolicy'. However, I want to check whether or not biometric authentication has been registered in the terminal, but I do not know which function to use. Please help.
Posted by GamzaPark.
Post not yet marked as solved
0 Answers
370 Views
My Safari Extension on iOS needs access to a Keychain item (password) that is secured by the userPresence and devicePasscode flags. In other words, FaceID/TouchID or the device PIN is necessary to access the password. Is there a way for the extension to access the password? SafariWebExtensionHandler.swift has access to the Keychain, but can't present the FaceID/TouchID/device PIN interface to the user. Popup.js has UI access, but can't access the iOS Keychain. One hack is to set touchIDAuthenticationAllowableReuseDuration of the Keychain item to an arbitrary time and have the user authenticate in the containing app. However, in case of a time-out, the containing app has to be opened by the extension with a custom URL scheme. openURL is not accessible in SafariWebExtensionHandler.swift either (I assume it can be handled by popup.js). This is a user-unfriendly solution. What is the best way to give the Safari extension access to a Keychain item?
Post not yet marked as solved
1 Answers
648 Views
Hi Developers, I am wondering how is it possible for other smartphone-based FIDO authenticators to use the same iCloud Keychain storage as Passkey does so those credentials can be used on non-apple devices too, and also on the smartphone at the same time. There are some other iOS authenticators that have implemented BLE and are working on all devices including Windows, but the problem is that those apps cannot support signing in to the website on the smartphone itself (neither in apps nor inside the browser) using the previously registered credential of 'cross-platform' type.
Posted by sansei.
Post not yet marked as solved
1 Answers
399 Views
I am going to add a Safari extension to my app. I need biometric authentication to validate the user. When I evaluate device owner authentication via Local Authentication, an error is found:

    [Error Domain=com.apple.LocalAuthentication Code=-1004 "Caller is not running foreground." UserInfo={NSDebugDescription=Caller is not running foreground., NSLocalizedDescription=User interaction required.}]

My question is: how can I force the Safari extension to be in the foreground to fix this issue? Or let me know if I can use any other way.

Code:

    -(void)doBioMatricAuth{
        // context is an instance variable that keeps the LAContext alive during evaluation
        context = [LAContext new];
        context.localizedCancelTitle = @"Enter Username/Password";
        if([context canEvaluatePolicy:LAPolicyDeviceOwnerAuthentication error:nil]){
            dispatch_async(dispatch_get_main_queue(), ^{
                NSString *reason = @"Log in to your account";
                [self->context evaluatePolicy:LAPolicyDeviceOwnerAuthentication localizedReason:reason reply:^(BOOL success, NSError * _Nullable error) {
                    if(success) {
                        NSLog(@"Biomatric success");
                    } else {
                        // The -1004 "Caller is not running foreground." error is reported here
                        NSLog(@"Biomatric Failed %@",error.localizedDescription);
                    }
                }];
            });
        }
    }
Post not yet marked as solved
1 Answers
727 Views
I am working on implementing local authentication in my app, so I have to test both Face ID and Touch ID from the simulator. Face ID is visible like below, but I am unable to find the Touch ID option. I have checked on both the iOS 13.00 simulator and the iOS 14.00 simulator, but the Touch ID option is hidden in both simulators.
Posted by binit_jha.
Post not yet marked as solved
0 Answers
266 Views
Is there a way to automate Biometric Authentication on real devices? I already automated Touch ID & Face ID on the simulator, but I'm not able to provide proper authentication on a real device. Any tips?
Posted by Jmiize.
Post not yet marked as solved
2 Answers
700 Views
Hello, We first noticed this on iOS 15 beta 4, and it is also happening on beta 5: after presenting a Touch ID prompt in our iOS app (and a fresh demonstration UIKit app) on an iPhone or iPad device with Touch ID enabled and running iOS 15 beta, about two minutes later we receive an additional UIApplicationWillResignNotification while the application is still active. It then happens again, another ~2 minutes later. As a result, any application that uses this notification to prepare for state restoration or to conceal or lock the UI will interrupt the user to prepare for resigning active, while the application is still active, two minutes after prompting the user for Touch ID authentication. I have filed a report in Feedback Assistant (FB9457094), but I thought I would post here as well in case anybody else is seeing the same behavior and has a work-around. Feedback Assistant tells me there are currently no other similar reports. Sample project to show the bug: https://github.com/billymeltdown/resign-active-test/ The SceneDelegate logs a message when the application resigns active. When the Touch ID prompt is presented, the app resigns active as expected, that's not a bug. Then wait two minutes -- it will happen again! (And then again, two minutes after that.) (Not demonstrable on Simulator -- so far I've only seen the bug after prompting for Touch ID which requires running on a Touch ID enabled device.)