Sometimes, when I close the lid using the MacOs version Sequoia 15.2, with the configuration to require a password for 5 seconds, the system does not ask for the password as expected.
This happens sometimes even though nothing preventing the system from sleeping when you close and open the lid, but it still seems like a security concern.
Is there some known issue related to this problem or a way to avoid it?
Result of command pmset -g:
Configuration:
Local Authentication
RSS for tagAuthenticate users biometrically or with a passphrase using Local Authentication.
Posts under Local Authentication tag
24 Posts
Sort by:
Post
Replies
Boosts
Views
Activity
In a project I was using Local Authentication to authenticate a user. When I got a request to support smartcard/PIV token authentication (which Local Authentication does not support), I had to switch to Authorization Services, which works pretty. There's only one issue I have. Local Authentication's evaluatePolicy:localizedReason:reply: requires a reason in the form "<appname>" is trying to <localized reason>. The app is currently translated into 41 languages and I would like to use the localized strings for the AuthorizationEnvironment of Authorization Services as well. The problem is that Local Authentication prefixes the localized string with something like "<appname>" is trying to and Authorization Services does not do this. Is there a way to get this prefix from somewhere so I can manually add it to the (partially) localized string? Any help would be highly appreciated.
Thank you,
Marc
Hi everyone,
I’m working on an iOS app that uses biometric authentication to access secure keychain items and private keys stored in the Secure Enclave with some data encryption/decryption with those keys. My goal is to minimize the number of biometric prompts by reusing the authentication result within a short time window.
I have the following setup:
When writing the biometry-restricted keychain items and Secure Enclave keys, I use LAContext with the property LATouchIDAuthenticationMaximumAllowableReuseDuration = 1 minute, and I pass this context as the kSecUseAuthenticationContext field in the query.
When retrieving these items later (in a synchronous sequence upon app launch), I pass the same instance of LAContext as the kSecUseAuthenticationContext field.
The issue:
If I unlock my device and the biometric reuse time has not expired (i.e., less than 1 minute), the first two actions (keychain item retrieval and Secure Enclave key retrieval) do not prompt for Face ID.
However, when I attempt to decrypt data with the private key using SecKeyCreateDecryptedData, I’m prompted for Face ID even if the biometric reuse time is still valid.
If the biometric reuse time has expired (more than 1 minute since last authentication), I get prompted for Face ID on the first action (keychain retrieval), and subsequent actions (including data decryption) reuse that biometric result.
Question:
Does this behavior mean that SecKeyCreateDecryptedData ignore the LATouchIDAuthenticationMaximumAllowableReuseDuration property of LAContext, causing an additional biometric prompt during decryption with the private key? Or is there another reason for this behavior? Is there a way to make the biometric result reusable across all these actions, including decryption?
Thank you!
Hello, Apple developer,
I found in the documentation that the evaluatedPolicyDomainState API has been deprecated in iOS 18. In my project, many users rely on this value for comparison. I would like to ask, what does it mean that this API is deprecated? Will the value returned by this API be empty in the future? How should I adapt for existing users?"
Let me know if you'd like any adjustments!
Thank you. Good luck.
[[context evaluatedPolicyDomainState] bytes]
In one of our applications we use LAContext's evaluatePolicy:localizedReason:reply: to authenticate a user. This works pretty well with both username/password and Touch ID. Now we have a request to add support for smart cards and I wonder if this is possible using LAContext. Otherwise I would use Authentication Services, although that might be a bit overkill since we don't need to request any rights, we just want to see that the user has been successfully authenticated. Or is there a better way? Any help would be greatly appreciated.
Thanks,
Marc
Hello, I have been implementing faceID authentication using LocalAuthentication, and I've noticed that if i use swift 5 this code compiles but when i change to swift 6 it gives me a crash saying this compile error:
i have just created this project for this error purpose so this is my codebase:
import LocalAuthentication
import SwiftUI
struct ContentView: View {
@State private var isSuccess: Bool = false
var body: some View {
VStack {
if isSuccess {
Text("Succed")
} else {
Text("not succeed")
}
}
.onAppear(perform: authenticate)
}
func authenticate() {
let context = LAContext()
var error: NSError?
if context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &error) {
let reason = "We need to your face to open the app"
context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, localizedReason: reason) { sucexd, error in
if sucexd {
let success = sucexd
Task { @MainActor [success] in
isSuccess = success
}
} else {
print(error?.localizedDescription as Any)
}
}
} else {
print(error as Any)
}
}
}
#Preview {
ContentView()
}
also i have tried to not use the task block and also gives me the same error. i think could be something about the LAContext NSObject that is not yet adapted for swift 6 concurrency?
also i tried to set to minimal but is the same error
Im using xcode 16.1 (16B40) with M1 using MacOS Seqouia 15.0.1
Help.
Hi everyone,
I'm looking for a way to configure Passkey on iOS so that authentication is only possible using FaceID or TouchID. Specifically, I want to disable the use of passcodes and QR codes for authentication. Additionally, is there a method to detect if the authentication was done using a passcode or QR code?
Thanks for your help!
How can I test biometric on UI Tests in Swift / iOS 18? This code not working.
+ (void)successfulAuthentication {
notify_post("com.apple.BiometricKit_Sim.fingerTouch.match");
notify_post("com.apple.BiometricKit_Sim.pearl.match");
}
+ (void)unsuccessfulAuthentication {
notify_post("com.apple.BiometricKit_Sim.fingerTouch.nomatch");
notify_post("com.apple.BiometricKit_Sim.pearl.nomatch");
}
I am using LAContext(), canEvaluatePolicy, and evaluatePolicy in my project, and I've encountered a crash under a specific scenario. When the permission prompt appears asking, "Do you want to allow [App Name] to use biometrics in your app?" and the user locks the device without selecting "Allow" or "Don't Allow," the app crashes at that point.
Has anyone else experienced this issue or tested this scenario?
Any insights would be appreciated!
We have been using the LAContext's evaluation policy for the past couple of years without any major issues. However, since last week (September 26), we have seen a spike in error events, indicating:
json
Copy code
{
"NSDebugDescription": "Caller is not running foreground.",
"NSLocalizedDescription": "User interaction required."
}
We haven't made any code changes in the last couple of months. Is there any update regarding local authentication from Apple's side?
Hello,
I am using the prf extension for passkeys that is available since ios 18 and macos15.
I am using a fixed, hardcoded prf input when creating or geting the credentials.
After creating a passkey, i try to get the credentials and retrieve the prf output, which works great, but i am getting different prf outputs for the same credential and same prf input used in the following scenarios:
Logging in directly (platform authenticator) on my macbook/iphone/ipad i get "prf output X" consistently for the 3 devices
When i use my iphone/ipad to scan the qr code on my macbook (cross-platform authenticator) i get "prf output Y" consistently with both my ipad and iphone.
Is this intended? Is there a way to get deterministic prf output for both platform and cross-platform auth attachements while using the same credential and prf input?
How app knows that Require Face ID is enable for them?
How app knows that they active after successfully authenticate by iOS 18 Require Face ID feature?
If any app implement any Extension(In my case Action Extension and Autofill Credential provider) then how they extension knows that they active after successfully authenticate by iOS 18 Require Face ID feature?
is there any app notification or any api to help me out?
When a user swipes up to see the app switcher, I put a blocking view over my app so the data inside cannot be seen if you flick through the app switcher. I do this by checking if the scenePhase goes from .active to .inactive.
If the app goes into the background, scenePhase == .background so I trigger something that would force the user to authenticate with Face ID/Touch ID when the app is next brought to the foreground or launched.
However, this doesn't seem to work. The biometrics authentication is executed, but it just lets the user in without showing the Face ID animation. I put my finger over the sensors so it couldn't possibly be authenticating, but it just lets them in.
Here's a quick set of logs:
scenePhase == .inactive - User showed app switcher
scenePhase == .background - User swiped up fully, went to Home Screen
scenePhase == .inactive - User has tapped the app icon
scenePhase == .active - App is now active
authenticate() - Method called
authenticate(), authenticateViaBiometrics() == true - User is going to be authenticated via Face ID
// Face ID did not appear!
success = true - Result of calling `context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics` means user was authenticated successfully
error = nil - No error in the authentication policy
authenticate(), success - Method finished, user was authenticated
Here's the code:
print("authenticate(), authenticateViaBiometrics() == true - User is going to be authenticated via Face ID")
var error: NSError?
guard context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &error) else {
// Handle permission denied or error
print("authenticate(), no permission, or error")
authenticated = false
defaultsUpdateAuthenticated(false)
defaultsUpdateAuthenticateViaBiometrics(false)
return
}
context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, localizedReason: "Authenticate with biometrics") { (success, error) in
DispatchQueue.main.async {
print("success = \(success)")
print("error = \(String(describing: error?.localizedDescription))")
if(success) {
print("authenticate(), success")
authenticated = true
} else {
print("authenticate(), failure")
authenticated = false
}
}
}
This happens with or without the DispatchQueue... call.
My app is defined to work in single app mode.
Since iPhone 15 came out, I'm not able to use faceID on it.
Because iPhone15's faceID requires to momentarily go to the background and return to the foreground. But in single app mode, that is not possible.
Any iPhone below 15 works well.
How can I fix this issue? Is there a way to fix it? Is it maybe a bug?
My app already has an app lock system which includes text & biometric combinations. Now iOS 18 has introduced a passcode lock for every app. So if users want to enable the app lock provided by us (developer), we want to inform them that you have enabled the iOS-provided app lock, in addition to that do you want to allow app-specific lock? For this, developers want to know whether iOS-provided app lock is enabled.
-Rajdurai
On macOS, in the Apple Passwords app (currently inside Settings but soon to be it's own full fledged app in Sequoia) the user is presented with a screen requesting that they touch the fingerprint reader (see attached).
If we'd like to do something similar, e.g. unlock some sensitive/secure part of our app, by requesting the user touch the Touch ID sensor, but without doing the whole system prompt (LAContext.evaluatePolicy()), how can we do that?
Is that possible for mere mortal developers, and if not, why not?
I've implemented Face ID in my app to authenticate after the user is authenticated, so they don't have to sign in again to log into their account. However, it asks me to enter my iPhone's passcode instead of scanning my face. Is there any way to fix this? Is there something I have to add?
Hello, I am writing a macOS CLI application that holds cryptocurrency funds and uses Secure Enclave for security. I intend to create APIs so that other applications can create transactions from user's wallet in a secure way for the user.
I am using P256 curve and authenticating a transaction involves making a signature for a hash of transaction data. Currently, this is how the authentication box looks like:
However, this does not display any information about the transaction. If user is using my application, then I could display the information in the terminal. However, if some other CLI app wants to create transactions for the user, printing information in the terminal is insecure since a malicious app could override what is being printed.
I see a rich authentication UI in apple apps.
I wonder if there is a way to write UI for such applications. I would like to display some transaction information in the box instead of just "myapp needs to authenticate to continue". It would be great if there is a way to customize that text / add more text to it.
Hi,
I would like to know the guidelines or rules regarding the implementation of Local Authentication. My client requirements are:
After the user login in with username and password, reset password, it will then authorize face id or passcode to be able to access/navigate the app.
Subsequent access will also require face id or passcode to access the app.
Clicking app notifications when app is closed will require face id or passcode to access app.
Is this a proccess allowed by Apple?
Thanks
Is the method used to unlock an iOS device available to an app? We would like to require a step-up to MFA (in our app) if passcode was used and allow for single factor if Face ID was used.