Local Authentication

RSS for tag

Authenticate users biometrically or with a passphrase using Local Authentication.

Local Authentication Documentation

Posts under Local Authentication tag

13 Posts
Sort by:
Post not yet marked as solved
1 Replies
138 Views
Hi, I'm looking for best practices for unlocking TouchID in a Mac app when using canEvaluatePolicy. Documentation says: Biometric authentication will get locked after 5 unsuccessful attempts. After that, users have to unlock it by entering their account password. The password can be entered either at login window or in the preference sheets or even in application by the means of LAPolicyDeviceOwnerAuthentication. The system unlock is preferred user experience because we generaly don't want users to enter their account password at application's request. So if we shouldn't manage Mac's password in the app, how to invite user to unlock ? Explaining he must lock/unlock the session or open any preference panel isn't a fluent experience and would definitely seems weird. I tried adding an 'Unlock' button in an alert and locking the screen automatically but this raises extras complexities: pmset can put the screen to sleep but won't lock in case of grace period sending an cmd-ctl-Q AppleEvent to System Events could fit but it depends on user acceptance for AEs and fails when System Events isn't running. Any ideas ?
Posted Last updated
.
Post not yet marked as solved
0 Replies
180 Views
Just heard about Stolen Device Protection. The app i'm building uses biometrics but allows users to enter their own passcode as a fallback. Is it possible to detect via swift if Stolen device mode is active, with restrictions in place? So that I could bump up my own security and maybe force biometrics?
Posted
by simonmcl.
Last updated
.
Post not yet marked as solved
1 Replies
286 Views
When trying to open an app that uses Local Authentication (FaceID) the auth process does not start right away, 3-4 times trying to auth is needed in order to get authenticated with the method the user has selected (FaceID), this is happening with many apps and seems that there's no a workaround. [Edited by Moderator]
Posted Last updated
.
Post not yet marked as solved
1 Replies
219 Views
Hi everyone, I'm looking into adding unique biometric authentication (fingerprints only) to a mobile app I'm developing. Is it possible to assign and recognize individual biometric data for a unique scan for the app? I'm interested in the technical feasibility, any notable security concerns, and would appreciate any insights or experiences you might have on this topic. Imagine logging into your phone or laptop using your thumbprint, and then, with the same device, accessing a specific app solely with your pinky finger's biometric data. This dual-layer security approach leverages different fingerprints for device and app access, enhancing user-specific authentication Thanks in advance for your help!
Posted Last updated
.
Post not yet marked as solved
0 Replies
348 Views
Hello everybody. I have a pack of UI tests for the Biometrics authentication. And in the beginning of each test I need there to be no permissions for Biometrics (granted or denied). I found the resetAuthorizationStatus(for:) method that allows resetting everything except Biometrics :( Is there any way I can reset this permission without deleting the whole app in tearDown()?
Posted
by Staizy.
Last updated
.
Post not yet marked as solved
6 Replies
412 Views
Hi there, bit of an odd one, we have no idea how this happened but now we can't seem to figure out how to fix. Our app requests Touch ID on macOS to authenticate a user. This is done in the ever so standard way [LAContent evaluatePolicy:...]... Functionally everything is fine, but for some reason there is no App Name on the system dialog... We don't even know when this started happening... Our App Icon is there but not the name, it's blank so the dialog looks strange (see attached pic). The text doesn't really make sense without the App Name. I wouldn't have even thought this was possible, the standard info.plist keys like CFBundleName and CFBundleDisplayName are all set correctly. Everything else seems totally fine. We're seeing this across every target/build/version/sku so it seems unrelated to a particular plist. There are no localizations for the App Name either, no InfoPlist.strings involved here. What could cause this, does anyone know? @eskimo, I'm afraid turning things up to 11 didn't help, so hoping you've got an idea?
Posted
by MarkMcG.
Last updated
.
Post not yet marked as solved
1 Replies
342 Views
I have some code where I'm using SecKeyCreateSignature using a SecKey that I retrieved using SecCopyItemMatching with an LAContext provided to the query via the kSecUseAuthenticationContext parameter. This is a biometrically-backed key so a Touch ID prompt is displayed for the user. Calling LAContext.invalidate() while that system prompt is present doesn't dismiss the prompt or cancel the SecKeyCreateSignature call. I was hoping that would behave similar to how calling LAContext.invalidate when calling LAContext.evaluatePolicy and dismiss the system prompt and cancel the evaluatePolicy call. Is this a bug/oversight, expected behaviour, or am I missing some required setup to accomplish what I'm trying to do?
Posted Last updated
.
Post not yet marked as solved
1 Replies
432 Views
Snyk and Fortify (3rd party security scanning software) scans have flagged our auth code when using evaluatePolicy for LaContext. Our app is an iOS only app. "Avoid using evaluatePolicy for local user authentication. The API can be hooked and thus the return value can be changed leading to a potential authentication bypass on jailbroken devices. Consider using iOS keychain APIs." Has anyone encountered this issue in their security scans and we're you able to mediate with the suggested fix using the keychain APIs.
Posted
by kliedl64.
Last updated
.
Post marked as solved
14 Replies
4.2k Views
I'm developing a macOS app that will usually be running in a non-admin user environment. But I have a screen of the app that I would like to secure so as to make it only accessible to admin users (think: parents). I can't figure out what API I'm supposed to use to prompt for specifically an ADMIN user. I've tried googling a ton, but I must be trying the wrong search terms, because I can't find anything. The API for LAContext() is almost what I want, I can get it to prompt for a password, but it seems to ONLY work for the current logged in user. I can't find a policy type that allows me to specify something like .adminUserAuthentication. It seems like LAContext() was not meant for this use case. But then, what is the right API to call to do this? Can someone point me in the right direction? I don't want to limit myself to this only working for supervised users, or users with parental controls turned on, I would like a generic solution. I've seen apps that prompt for admin credentials on regular non-admin users, so it must be possible, right?
Posted
by jaredh159.
Last updated
.
Post marked as solved
3 Replies
2.0k Views
Hi, I want to implement FIDO based biometric authentication in our app. I don't want to use passkeys because they are only compatible with iOS 16 and higher. Is there a way to use it through the SFSafariViewController, a web view, ASWebAuthenticationSession or any another method?
Posted
by SJose.
Last updated
.
Post not yet marked as solved
4 Replies
1.8k Views
On iOS 17 beta 1 or previous iOS versions, the [LAContext canEvaluatePolicy:error:] method works well without requiring the NSFaceIDUsageDescription key in the plist. However, when iOS 17 beta 2 (21A5268h) released, we notice some crash issues related to TCC_CRASHING_DUE_TO_PRIVACY_VIOLATION. The crash termination reason suggests that an NSFaceIDUsageDescription key must be included in the plist file, providing a string value explaining to the user how the app uses Face ID data. It is important to note that we do not actually require this permission. It is challenging to reproduce this issue, as it occurs sporadically without clear triggering conditions. These problems are likely associated with changes made to the LocalAuthentication or TCC frameworks within Apple's beta system. Thread 1: 0 libsystem_kernel.dylib 0x00000001e6a68ba0 semaphore_wait_trap + 8 1 libdispatch.dylib 0x00000001a8a3e89c _dispatch_sema4_wait + 28 (lock.c:139) 2 libdispatch.dylib 0x00000001a8a3ef4c _dispatch_semaphore_wait_slow + 132 (semaphore.c:132) 3 LocalAuthentication 0x00000001d51349b8 -[LAClient _checkIdResultForTCC:synchronous:error:retryBlock:finally:] + 500 (LAClient.m:383) 4 LocalAuthentication 0x00000001d5135828 __64-[LAClient evaluatePolicy:options:uiDelegate:synchronous:reply:]_block_invoke_2 + 180 (LAClient.m:547) 5 CoreFoundation 0x00000001a0dd65b4 __invoking___ + 148 6 CoreFoundation 0x00000001a0d83a0c -[NSInvocation invoke] + 428 (NSForwarding.m:3399) 7 Foundation 0x000000019fdffdf4 __NSXPCCONNECTION_IS_CALLING_OUT_TO_REPLY_BLOCK__ + 16 (NSXPCConnection.m:170) 8 Foundation 0x000000019fdd1f64 -[NSXPCConnection _decodeAndInvokeReplyBlockWithEvent:sequence:replyInfo:] + 520 (NSXPCConnection.m:316) 9 Foundation 0x00000001a050eb5c __88-[NSXPCConnection _sendInvocation:orArguments:count:methodSignature:selector:withProxy:]_block_invoke_5 + 188 (NSXPCConnection.m:1662) 10 Foundation 0x000000019fd965fc -[NSXPCConnection _sendInvocation:orArguments:count:methodSignature:selector:withProxy:] + 2244 (NSXPCConnection.m:1679) 11 CoreFoundation 0x00000001a0d82c0c ___forwarding___ + 1008 (NSForwarding.m:3634) 12 CoreFoundation 0x00000001a0de79d0 _CF_forwarding_prep_0 + 96 13 LocalAuthentication 0x00000001d513573c __64-[LAClient evaluatePolicy:options:uiDelegate:synchronous:reply:]_block_invoke + 204 (LAClient.m:546) 14 LocalAuthentication 0x00000001d5134fe4 __47-[LAClient _performSynchronous:callId:finally:]_block_invoke + 504 (LAClient.m:446) 15 libdispatch.dylib 0x00000001a8a3e300 _dispatch_client_callout + 20 (object.m:561) 16 libdispatch.dylib 0x00000001a8a4dce8 _dispatch_sync_invoke_and_complete + 56 (queue.c:1071) 17 LocalAuthentication 0x00000001d5134dac -[LAClient _performSynchronous:callId:finally:] + 196 (LAClient.m:465) 18 LocalAuthentication 0x00000001d5135634 -[LAClient evaluatePolicy:options:uiDelegate:synchronous:reply:] + 296 (LAClient.m:545) 19 LocalAuthentication 0x00000001d513f38c -[LAContext _evaluatePolicy:options:synchronous:reply:] + 188 (LAContext.m:373) 20 LocalAuthentication 0x00000001d513f084 -[LAContext _evaluatePolicy:options:log:cid:synchronous:reply:] + 388 (LAContext.m:348) 21 LocalAuthentication 0x00000001d5124268 -[LAContext _evaluatePolicy:options:log:cid:error:] + 272 (LAContext.m:402) 22 LocalAuthentication 0x00000001d5123fec -[LAContext canEvaluatePolicy:error:] + 276 (LAContext.m:548) .... Thread 24 Crashed: 0 libsystem_kernel.dylib 0x00000001e6a78394 __terminate_with_payload + 8 1 libsystem_kernel.dylib 0x00000001e6a9aca0 abort_with_payload_wrapper_internal + 136 (terminate_with_reason.c:106) 2 libsystem_kernel.dylib 0x00000001e6a9acb4 abort_with_payload + 16 (terminate_with_reason.c:124) 3 TCC 0x00000001c1471928 __TCC_CRASHING_DUE_TO_PRIVACY_VIOLATION__ + 172 (TCC.c:563) 4 TCC 0x00000001c14720a0 __TCCAccessRequest_block_invoke_7 + 600 (TCC.c:707) 5 TCC 0x00000001c146f154 __tccd_send_message_block_invoke + 624 (TCC.c:0) 6 libxpc.dylib 0x0000000208d09b14 _xpc_connection_reply_callout + 116 (serializer.c:119) 7 libxpc.dylib 0x0000000208cfc484 _xpc_connection_call_reply_async + 80 (connection.c:881) 8 libdispatch.dylib 0x00000001a8a3e380 _dispatch_client_callout3 + 20 (object.m:587) 9 libdispatch.dylib 0x00000001a8a5bb04 _dispatch_mach_msg_async_reply_invoke + 344 (mach.c:3102) 10 libdispatch.dylib 0x00000001a8a50d40 _dispatch_root_queue_drain_deferred_item + 336 (queue.c:7011) 11 libdispatch.dylib 0x00000001a8a50628 _dispatch_kevent_worker_thread + 500 (queue.c:6484) 12 libsystem_pthread.dylib 0x0000000208ca8e88 _pthread_wqthread + 344 (pthread.c:2635) 13 libsystem_pthread.dylib 0x0000000208ca8bf0 start_wqthread + 8
Posted
by codefei.
Last updated
.
Post marked as solved
11 Replies
1.7k Views
My end goal is to use eciesEncryptionCofactorX963SHA256AESGCM with a key generated on the Secure Enclave using CryptoKit, that requires Biometric Authentication. CryptoKit does not implement the ECIES encryption algorithms, so my goal was to fall back to the Security framework. The public key can be easily converted to a SecKey because it implements x963Representation which can then be imported as follows: let enclaveSecKey: SecKey = SecKeyCreateWithData(enclaveKey.x963Representation as CFData, [ kSecAttrKeyType: kSecAttrKeyTypeECSECPrimeRandom, kSecAttrKeyClass: kSecAttrKeyClassPublic, kSecAttrKeySizeInBits: 256 ] as [String: Any] as CFDictionary, nil), I have everything working except the code to decrypt with the private key. Naturally, the Secure Enclave does not expose the private key - as is its design - rather some kind of token? I did read the Keychain documentation which notes that it is not possible to simply obtain an x963Representation of the private key (as it's a custom representation returned by the Secure Enclave). However, my ultimate question is this: can one convert the Secure Enclave representation into something that can be used as a SecKey for encryption/decryption (without necessarily being stored in the Keychain - i.e., 'correct') as it seems both CryptoKit and Security have a means of representing the private key token returned by the Secure Enclave? (Or is one's only recourse to use the Security framework for generating and storing the keys too?) I have also tried this code to create a SecKey representation, having retrieved the GenericPasswordConvertible out of the keychain (note the use of kSecAttrTokenID: kSecAttrTokenIDSecureEnclave) with the aforementioned goal of loading the Secure Enclave's private token as a SecKey: let enclaveSecKey: SecKey = SecKeyCreateWithData(enclaveKey.rawRepresentation as CFData, [ kSecAttrKeyType: kSecAttrKeyTypeECSECPrimeRandom, kSecAttrKeyClass: kSecAttrKeyClassPrivate, kSecAttrTokenID: kSecAttrTokenIDSecureEnclave, kSecAttrAccessible: kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, kSecUseAuthenticationContext: try await createAuthContext( reason: "Decrypt data", fallbackTitle: "Enter your device password to decrypt data", mustEvaluate: true ), kSecAttrIsPermanent: true, kSecAttrIsExtractable: false, kSecAttrSynchronizable: false, kSecAttrKeySizeInBits: 256, kSecAttrAccessControl: SecAccessControlCreateWithFlags( nil, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, [.biometryAny, .privateKeyUsage], &cfSecKeyCreateError )! ] as [String: Any] as CFDictionary, nil) This works, in and of itself, (i.e., it loads without error and cfSecKeyCreateError is nil, however when I try SecSecKeyCopyPublicKey I get a different, incorrect public key and - naturally, I suppose - if I attempt to decrypt data with the private key that fails with: Optional(Swift.Unmanaged<__C.CFErrorRef>(_value: Error Domain=NSOSStatusErrorDomain Code=-50 "ECIES: Failed to aes-gcm decrypt data (err -69)" UserInfo={numberOfErrorsDeep=0, NSDescription=ECIES: Failed to aes-gcm decrypt data (err -69)}))
Posted
by samjakob.
Last updated
.
Post not yet marked as solved
1 Replies
707 Views
Hi, TO obtain TOKEN during the development process of MFI findmy products.I submitted a CSR file (generated by the WIN7 KEYTOOLS command) in the Software Authentication Certificate Request on the MFI Portal, and the system rejected it and prompted the server unknown. Error, the reason is "server unable to process the csr request". What is the reason and how to solve it? (By the way, previously rejected 10 times due to a company name mismatch)
Posted
by bill486.
Last updated
.