LocalAuthentication


Authenticate users biometrically or with a passphrase using LocalAuthentication.

LocalAuthentication Documentation

Posts under LocalAuthentication tag

24 results found
Post not yet marked as solved
29 Views

Integrate Passkey iCloud Keychain with other smartphone-based FIDO authenticator

Hi Developers, I am wondering how it is possible for other smartphone-based FIDO authenticators to use the same iCloud Keychain storage as Passkey does, so those credentials can be used on non-Apple devices too, and also on the smartphone at the same time. There are some other iOS authenticators that have implemented BLE and are working on all devices including Windows, but the problem is that those apps cannot support signing in to the website on the smartphone itself (neither in apps nor inside the browser) using the previously registered credential of 'cross-platform' type.
Asked by sansei.
Post not yet marked as solved
111 Views

Touch Id is missing from iOS simulator.

I am working on implementing local authentication in my app, so I have to test both Face ID and Touch ID from the simulator. Face ID is visible like below, but I am unable to find the Touch ID option. I have checked on both the iOS 13.00 simulator and the iOS 14.00 simulator, but the Touch ID option is hidden in both simulators.
Asked by binit_jha.
Post not yet marked as solved
61 Views

Automate Authentication on Real device

Is there a way to automate Biometric Authentication on real devices? I already automated Touch ID & Face ID on the simulator, but I'm not able to provide proper authentication on a real device. Any tips?
Asked by Jmiize.
Post not yet marked as solved
257 Views

iOS 15 with FaceID authentication error when resetting FaceID

We use biometricID (faceID/touchID) authentication to access a secret stored in keychain. We create the access control object with the biometryCurrentSet option as shown to make sure if FaceID / TouchID changes the entry should be invalidated.

    let secAccessControlObj = SecAccessControlCreateWithFlags(nil, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, .biometryCurrentSet, accessControlError)

Below is the set and get query.

Set Query:

    [String(kSecClass): kSecClassGenericPassword,
     String(kSecAttrAccount): group as AnyObject,
     String(kSecAttrService): service as AnyObject,
     String(kSecUseAuthenticationUI) : kSecUseAuthenticationUIAllow as AnyObject,
     String(kSecAttrAccessControl) : secAccessControlObj,
     String(kSecValueData) : value as AnyObject,
     String(kSecAttrCreationDate) : Date() as AnyObject]

Get Query:

    [String(kSecClass): kSecClassGenericPassword,
     String(kSecAttrAccount): group as AnyObject,
     String(kSecAttrService): service as AnyObject,
     String(kSecUseAuthenticationUI) : kSecUseAuthenticationUIAllow as AnyObject,
     String(kSecAttrAccessControl) : secAccessControlObj,
     String(kSecValueData) : value as AnyObject,
     String(kSecAttrCreationDate) : Date() as AnyObject]

Steps:
1. Set the value in keychain using the set query above
2. Reset the faceID
3. Use the get query to get the value from keychain by authenticating against TouchID/ FaceID.

Result: When we try to get the value from keychain using SecItemCopyMatching(query as CFDictionary, result) we get the error code errSecAuthFailed (-25293) on iOS 15.

Analysis: Prior to this (iOS 14 and below) the error code would be errSecItemNotFound, which makes more sense. This is an issue for iOS 15 only, as we also get errSecAuthFailed when the user backgrounds the app while authenticating with FaceID/TouchID. This creates an ambiguity for us.

In our testing, when we backgrounded the app while authentication is in progress, we found the actual call to SecItemCopyMatching(_:_:) was made when the app's state was actually active, but when the call returned the state had become background and the error code was again errSecAuthFailed.

This seems to be a bug with iOS 15 as it creates an ambiguity for the caller. I think the error code returned after resetting faceID should still be errSecItemNotFound, in which case we can know the secret is actually lost since FaceID is reset, and can treat errSecAuthFailed as an error where the secret is actually not lost but just that it failed temporarily. Please let us know if we need to file a bug.
Asked by axp9103.
Post not yet marked as solved
327 Views

Bug: applicationWillResignActive notification firing two minutes after a Touch ID prompt while application is still active

Hello,

We first noticed this on iOS 15 beta 4, and it is also happening on beta 5: after presenting a Touch ID prompt in our iOS app (and a fresh demonstration UIKit app) on an iPhone or iPad device with Touch ID enabled and running iOS 15 beta, about two minutes later we receive an additional UIApplicationWillResignNotification while the application is still active. It then happens again, another ~2 minutes later.

As a result, any application that uses this notification to prepare for state restoration or to conceal or lock the UI will interrupt the user to prepare for resigning active, while the application is still active, two minutes after prompting the user for Touch ID authentication.

I have filed a report in Feedback Assistant (FB9457094), but I thought I would post here as well in case anybody else is seeing the same behavior and has a work-around. Feedback Assistant tells me there are currently no other similar reports.

Sample project to show the bug: https://github.com/billymeltdown/resign-active-test/

The SceneDelegate logs a message when the application resigns active. When the Touch ID prompt is presented, the app resigns active as expected, that's not a bug. Then wait two minutes -- it will happen again! (And then again, two minutes after that.)

(Not demonstrable on Simulator -- so far I've only seen the bug after prompting for Touch ID which requires running on a Touch ID enabled device.)
Post marked as solved
576 Views

Unknown CryptoTokenKit error encountered during SecKeyCreateSignature() with Secure Enclave private key

Hello. We have encountered a failure that we haven't seen before regarding use of Secure Enclave private keys and creating cryptographic signatures. We've used this code on thousands of iOS devices (from iOS 11.2 to iOS 14.6) without issue, and recently saw an error that we were not able to find documentation for. We are hoping to find out more details about the failure so that we can avoid it in the future.

Steps to Reproduce

1. On an iPhone 11 Pro running iOS 14.4.2, generate a private key in the Secure Enclave via SecKeyCreateRandomKey() with the following parameters.

    [
        kSecAttrTokenID: kSecAttrTokenIDSecureEnclave,
        kSecAttrKeyType: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits: 256,
        kSecPrivateKeyAttrs: [
            kSecAttrAccessControl: SecAccessControlCreateWithFlags(
                kCFAllocatorDefault,
                kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
                [.touchIDAny, .privateKeyUsage],
                nil
            )!,
            kSecAttrIsPermanent: true
        ],
        kSecAttrApplicationLabel: "unique label" // a customer identifier
    ]

   (Note that the app is using a deployment target of iOS 11.2, thus the use of .touchIDAny).

2. Fetch the aforementioned key with SecItemCopyMatching(…) with the following parameters:

    [
        kSecClass: kSecClassKey,
        kSecAttrKeyType: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits: 256,
        kSecReturnRef: true,
        kSecUseOperationPrompt: "Verify your identity",
        kSecAttrApplicationLabel: "unique label" // a customer identifier
    ]

3. Create a signature of a CFData with the key from step #2:

    var error: Unmanaged<CFError>?
    let signature = SecKeyCreateSignature(key, .ecdsaSignatureMessageX962SHA256, data, &error)

Expected Result

The customer is prompted for Face ID, passes, and SecKeyCreateSignature(…) successfully returns a signature. Note that this method successfully works for us on thousands of devices, from iOS 11.2 to iOS 14.6.

Actual Result

In a rare isolated case, we are seeing the SecItemCopyMatching(…) succeed and then the SecKeyCreateSignature(…) call fails to display the Face ID prompt. Instead, SecKeyCreateSignature(…) immediately fails and populates an error with the following information:

    domain: CryptoTokenKit
    code: -3
    localizedDescription: The operation couldn’t be completed. (CryptoTokenKit error -3.)
    description: "<sepk:p256 kid=1214c04d05261ee3>: unable to sign digest" UserInfo={NSDebugDescription=<sepk:p256 kid=1214c04d05261ee3>: unable to sign digest, AKSError=-536362999}

On this particular iPhone 11 Pro device, the customer did not have any issues with this code around 6 months prior to the failure. The customer has more recently encountered the failure, and we have confirmed the device fails to create signatures 100% of the time with the above error. We have asked the customer to reboot the device to no avail, and we have confirmed that Face ID does indeed successfully work on the device's lock screen. The failure still continues.

Additional Notes

We are not able to find any information about this specific failure from the documentation or additional research on the web. We were able to deduce that CryptoTokenKit error -3 maps to TKErrorCodeCorruptedData. In the documentation of TKErrorCodeCorruptedData, it is unclear if the corruption is referring to the private key or to the dataToSign parameter of SecKeyCreateSignature().

Do you have any insight into why/when this error is returned, and how might we avoid it in the future? Thank you.
Asked by spindel.
Post not yet marked as solved
320 Views

Will ID Cards be disabled when Face ID is changed?

I'm excited about the new ID card capabilities such as driver's licenses in iOS 15, coming later this year. If I understand correctly from the session, a "selfie" is part of the ID Proofing process. This step effectively ties the ID card user to the iPhone user. But what happens if, say, I later remove my Face ID biometric, and enroll someone else? Is my ID still on the device? Or does the act of removing Face ID also disable the ID card? I think that would be best, but it's just not clear how it is intended to work.

This is not an idle question. It has real implications, such as:
- Teenage family members "borrowing" an adult's phone
- EPCS regulations in healthcare with replaceable biometric stores

Thank you!
Post not yet marked as solved
221 Views

Application is crashing while trying to login with Face id during zoom sharing

Hello, I am developing an application which allows login with biometrics. There was a case when a user was trying to log in with Face ID while sharing the screen over Zoom (iPhone 11, iOS 13.5). The app seems to freeze, so the user can't even input login credentials, and afterwards it crashes... Are there any Apple privacy rules to hide login details in sharing mode? P.S. I don't have any crash logs. This behaviour happened once on the user's side.
Asked by ZHkh.
Post not yet marked as solved
278 Views

How to test correct behaviour if passcode is set/unset

Hello! I need to write tests to see if my app behaves correctly when the device passcode is set or not set. I looked in the simctl documentation for commands to set/remove the passcode, but couldn't find anything about it. Is there any other way to control this in (integration) tests? Thanks Niels
Asked by nco_sec.
Post not yet marked as solved
483 Views

Sign in with Apple + Face/Touch ID + NodeJS/PassportJS

Hey there, I'm currently developing an iOS app that communicates to a NodeJS server as a backend. The server uses passport.js as an authentication middleware to allow users to login and authenticate requests to the server. I want to implement "Sign in with Apple" functionality to allow users to sign in with their existing Apple ID and I found a few passport plugins to support this functionality.

My question is, is it possible to integrate Touch/Face ID with this login/authentication flow? The desired outcome I'm looking for is: user presses "Sign in with Apple" button --> iOS app prompts them with Touch/FaceID modal --> on success user account is created if it doesn't exist and/or user is logged in and iOS client receives a token or cookie for subsequent requests (the logic for this would be handled server side via passport).

The closest I've come to the desired outcome is the user presses the "Sign in with Apple" button, which opens a web view containing Apple's sign-in web page, which then prompts them to log in with Touch ID (I do not have a Face ID device handy to test if it works here, so if someone could clarify this, then it would be helpful), and on success, the user is redirected to the iOS app via deep linking. Is there a way to achieve this without using a web view that takes the user out of the main app?

The other option I've seen is to set up my own username/password along with JWT and reset tokens and then store those credentials into the keychain to drop the need for a web view redirect, which certainly works, but I would prefer to use Apple's authentication server versus having to handle storing sensitive data on my own. Thanks in advance for any help!
Asked by aman06.
Post marked as solved
265 Views

Is it possible to detect if an Apple Watch has a passcode set?

I need to know if an Apple Watch user has a passcode set before we can show sensitive data in a View. Is there a way to check for this? LAPolicy is unavailable on the Watch and I cannot check deviceOwnerAuthenticationWithWatch from a paired phone, only from a Mac.
Asked by pawpoise.
Post marked as solved
651 Views

how to prompt for and require ADMIN username & password

I'm developing a macOS app that will usually be running in a non-admin user environment. But I have a screen of the app that I would like to secure so as to make it only accessible to admin users (think: parents). I can't figure out what API I'm supposed to use to prompt for specifically an ADMIN user. I've tried googling a ton, but I must be trying the wrong search terms, because I can't find anything. The API for LAContext() is almost what I want, I can get it to prompt for a password, but it seems to ONLY work for the current logged in user. I can't find a policy type that allows me to specify something like .adminUserAuthentication. It seems like LAContext() was not meant for this use case. But then, what is the right API to call to do this? Can someone point me in the right direction? I don't want to limit myself to this only working for supervised users, or users with parental controls turned on, I would like a generic solution. I've seen apps that prompt for admin credentials on regular non-admin users, so it must be possible, right?
Asked by jaredh159.
Post marked as solved
328 Views

How to identify that the user is logged in using touch Id from an authorization plug in?

I have an Authorization plug-in where it invokes 2FA for every login, but I want to skip the 2FA if the user logs in using Touch ID. But how to identify that the user is logged in using Touch ID? I could call canEvaluatePolicy but somehow it is not working on the lock screen. Is there a way that I can differentiate between password and Touch ID (biometric) log-in on the lock screen?
Post not yet marked as solved
459 Views

how to enable password webauthn on mac

Good morning,

I want to use FIDO2 using a desktop Mac. I'm trying to use the Mac's built-in authenticator (called platform authentication) through FIDO2's WebAuthn API. A desktop Mac doesn't have Touch ID, so I want to use FIDO2 with a password. As far as I know, FIDO2 can be used through the built-in Touch ID or password on the MacBook with Touch Bar. Is there a way to use FIDO2 with a password on a desktop Mac that doesn't provide Touch ID?

The Mac mini (M1, 2020) does not have Touch ID, but I have confirmed that FIDO2 can be used with a password. I checked with the method below.

1) Access the test page. Please access the link below at https:// (webauthnsample.azurewebsites.net)
2) Click the "Register" button
3) The platform authentication supported by Mac are displayed.

Question) Is there a way to use FIDO2 with a password on a desktop Mac that does not provide Touch ID? Is there any information that defines the scope of support, whether it is possible to use the password on a Mac (when using FIDO2)?
Asked by userson.
Post not yet marked as solved
415 Views

Touch and Face ID in SwiftUI

Hello

Is there a way to know if the detected finger or face are wrong? I am using this function:

    func authenticate() {
        let context = LAContext()
        var error: NSError?
        if context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &error) {
            let reason = "We need to unlock your data."
            context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, localizedReason: reason) { success, authenticationError in
                DispatchQueue.main.async {
                    if success {
                        self.isUnlocked = true
                    } else {
                        userPressedCancel = false
                    }
                }
            }
        } else {
        }
    }

Asked by Jad-T.