Hey, I've been trying to pinpoint what is causing this crash, but I'm having troubles understanding the Apple Crash log. I understand that this crash is happening after the app is launched, because I know we call canEvaluatePolicy() and evaluatePolicy() when the login screen finished loading. But if you notice, the following error lines after that are not related to LocalAuthentication (or so I think), therefore I'm confused. Here's the log: Thread 0 Crashed: 0 libsystem_platform.dylib 0x0000000217f95fc4 _platform_strlen + 4 1 Foundation 0x00000001a803539c -[NSXPCEncoder _encodeInvocation:isReply:into:] + 132 (NSXPCCoder.m:456) 2 Foundation 0x00000001a800686c -[NSXPCConnection _sendInvocation:orArguments:count:methodSignature:selector:withProxy:] + 1388 (NSXPCConnection.m:1506) 3 CoreFoundation 0x00000001a680270c ___forwarding___ + 1128 (NSForwarding.m:3618) 4 CoreFoundation 0x00000001a6801a60 _CF_forwarding_prep_0 + 96 5 LocalAuthentication 0x00000001dd83c6b4 __64-[LAClient evaluatePolicy:options:uiDelegate:synchronous:reply:]_block_invoke + 240 (LAClient.m:541) 6 LocalAuthentication 0x00000001dd83bc80 __47-[LAClient _performSynchronous:callId:finally:]_block_invoke + 584 (LAClient.m:441) 7 libdispatch.dylib 0x00000001a64d4a2c _dispatch_client_callout + 20 (object.m:560) 8 libdispatch.dylib 0x00000001a64e42d4 _dispatch_sync_invoke_and_complete + 56 (queue.c:1028) 9 LocalAuthentication 0x00000001dd83b9e8 -[LAClient _performSynchronous:callId:finally:] + 220 (LAClient.m:460) 10 LocalAuthentication 0x00000001dd83c57c -[LAClient evaluatePolicy:options:uiDelegate:synchronous:reply:] + 392 (LAClient.m:540) 11 LocalAuthentication 0x00000001dd842d48 -[LAContext _evaluatePolicy:options:log:cid:synchronous:reply:] + 472 (LAContext.m:340) 12 LocalAuthentication 0x00000001dd838364 -[LAContext _evaluatePolicy:options:log:cid:error:] + 284 (LAContext.m:387) 13 LocalAuthentication 0x00000001dd838090 -[LAContext canEvaluatePolicy:error:] + 304 (LAContext.m:533) 14 APIGuard 0x0000000101fbb144 0x101fac000 + 61764 15 APIGuard 0x0000000101fb99b8 0x101fac000 + 55736 16 CoreFoundation 0x00000001a67ff324 __CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER__ + 28 (CFNotificationCenter.c:652) 17 CoreFoundation 0x00000001a689bac4 ___CFXRegistrationPost_block_invoke + 52 (CFNotificationCenter.c:173) 18 CoreFoundation 0x00000001a686ecc0 _CFXRegistrationPost + 456 (CFNotificationCenter.c:199) 19 CoreFoundation 0x00000001a681539c _CFXNotificationPost + 728 (CFNotificationCenter.c:1147) 20 Foundation 0x00000001a7fdc704 -[NSNotificationCenter postNotificationName:object:userInfo:] + 96 (NSNotification.m:560)

Hello everyone! I am developing an app and I would like to use biometrics (Face ID, Touch ID) to authenticate the user and I was wondering if adding this would require the app to be marked as using encryption? If so how would I go about this? Thanks!

Hey all 👋🏼 Is there any API change required for supporting the Touch ID sensor of an external Magic Keyboard with Touch ID (on a Mac with Apple silicon)? Currently we rely on canEvaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics for checking if TouchID is present on a system, but this seems to be returning false when the laptop is closed/clamshell mode even with the Magic Keyboard with Touch ID connected to it. Any suggestions? The code snippet that we use for checking is: int isTouchIDAvailable() { int result = 0; bool success = [[[LAContext alloc] init] canEvaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics error:nil]; if (success) { return 1; } return 0; }

Hi, I am developing an app which will auto assign a generated id to the user when using the app for the first time. So the user will not need to log in on a login screen. And this generated id will be used for the identification purpose when communicating to back-end server. is this acceptable by Apple? Thanks

Hello mates, I am having an issue while disabling user's biometry on iPhone 13 Pro Max. When I performs multiple failed recognition wrong attempts through Face ID, device Biometry does not get locked. I want to have some custom functionality after Biometry locking. This issue is only on iPhone 13 Pro Max whereas its working fine on physical iPhone 13 Pro. Had anyone this issue faced?. Any help would be appreciated. Thanks, Dawood gul

Hi, iOS 15.4 is bringing a new exciting security feature which allows users to enroll "masked face" so they can unlock their devices while wearing a mask. Some apps might leverage evaluatedPolicyDomainState (https://developer.apple.com/documentation/localauthentication/lacontext/1514150-evaluatedpolicydomainstate) to detect if the biometric state has changed, and if so, logging out/locking the user to protect their data. Looks like the masked-face enrolment changes the policy domain state as such it might lead to many unexpected logouts. Is there any way to detect if the change to the state was introduced by the masked face enrollment as such we can somehow retain the user's login session? Many thanks!

Is there any way to detect biometric type even if it is disabled on OS level. We are getting notEnrolledError when trying to read biometric type

I need to know if an Apple Watch user has a passcode set before we can show sensitive data in a View. Is there a way to check for this? LAPolicy is unavailable on the Watch and I cannot check deviceOwnerAuthenticationWithWatch from a paired phone only from a Mac.

Is there any way to store the biometric information/data points that faceid collects in your own database? I know it's possible to allow users to log in using faceID on their own phones, however, is it possible to leverage facial recognition and make it a feature in my app? For instance, allowing any user to log into my app on any iphone just by scanning their face...

We use biometricID (faceID/touchID) authentication to access to a secret stored in keychain. We create the access control object with the biometryCurrentSet option as shown to make sure if FaceID / TouchID changes the entry should be invalidated. let secAccessControlObj = SecAccessControlCreateWithFlags(nil, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, .biometryCurrentSet, accessControlError) Below is the set and get query, Set Query: [String(kSecClass): kSecClassGenericPassword,         String(kSecAttrAccount): group as AnyObject,         String(kSecAttrService): service as AnyObject,         String(kSecUseAuthenticationUI) : kSecUseAuthenticationUIAllow as AnyObject,         String(kSecAttrAccessControl) : secAccessControlObj,         String(kSecValueData) : value as AnyObject,         String(kSecAttrCreationDate) : Date() as AnyObject] Get Query: [String(kSecClass): kSecClassGenericPassword,         String(kSecAttrAccount): group as AnyObject,         String(kSecAttrService): service as AnyObject,         String(kSecUseAuthenticationUI) : kSecUseAuthenticationUIAllow as AnyObject,         String(kSecAttrAccessControl) : secAccessControlObj,         String(kSecValueData) : value as AnyObject,         String(kSecAttrCreationDate) : Date() as AnyObject] Steps: Set the value in keychain using the set query above Reset the faceID Use the get query to get the value from keychain by authenticating against TouchID/ FaceID. Result: When we try to get the value from keychain using SecItemCopyMatching(query as CFDictionary, result) we get the error code errSecAuthFailed (-25293) on iOS 15. Analysis: Prior to this (iOS 14 and below) the error code would be errSecItemNotFound which makes more sense. This is an issue for iOS 15 only as we also get errSecAuthFailed when user backgrounds the app while authenticating with FaceID/TouchID. This creates a ambiguity for us. In our testing when we backgrounded the app while authentication is in progress, we found the actual call to SecItemCopyMatching(::) was made when app's state was actually active but when the call returned the state had become background and the error code was again errSecAuthFailed This seems to be a bug with iOS 15 as it creates a ambiguity for the caller. I think the error code returned after resetting faceID should still be errSecItemNotFound in which case we can know the secret is actually lost since FaceID is reset and can treat errSecAuthFailed as error where the secret is actually not lost but just that failed temporarily. Please let us know if we need to file a bug

With the new feature enabled in ios beta 15.4, I can validate that faceID with mask works. We get a bool(matched/unmatched) response when using evaluatePolicy, which is not helpful in finding if faceid-with-mask was used. I want to disable the face id feature of the app when a non-secure way of authentication is enabled and I'm unable to find any documentation on this on LAPolicy's page. What would be the recommended way to go around finding if face id with mask is enabled? Any help with documentation would be appreciated. Thanks!

Hi there, Our Password Manager app on macOS allows a user to unlock their password database using Apple Watch for convenience. We check that Apple Watch is available for use by calling canEvaluatePolicy in the usual way. This works really well most of the time, if the Watch is available, we'll be able to call evaluatePolicy to have the user authenticate with their watch. However, we have been receiving reports that when their watches go to sleep our App incorrectly requests they authenticate with their watch. It does this because canEvaluatePolicy returns true, but once we call evaluatePolicy instead of requesting the user authenticate, we immediately get an error: Error Domain=com.apple.LocalAuthentication Code=-1 "AppleWatch authentication failed." UserInfo={NSDebugDescription=AppleWatch authentication failed., NSLocalizedDescription=Authentication failure.} Apparently though there is a way to detect this, the Apple User Login screen is able to detect that the watch is asleep and requests a password instead. Also System Preferences that require a password somehow can cause the Apple Watch to vibrate when asleep but then fails gracefully/falls back to requesting a password. As developers, we would like to know if we can request Apple Watch authentication using the canEvaluatePolicy function. If the watch is asleep, then that should we believe return false. Any help or pointers on how to detect this scenario appreciated.

I can't speak English well, so I used a translator. It has been completed up to checking whether the app is authorized or not using the current 'canEvaluatePolicy'. However, I want to check whether or not biometric authentication has been registered in the terminal, but I do not know which function to use. Please help.

My Safari Extension on iOS needs access to a Keychain item (password) that is secured by the userPresence and devicePasscode flag. In other words, FaceID/TouchID or the device PIN is necessary to access the password. Is there a way for the extension to access the password? SafariWebExtensionHandler.swift has access to the Keychain, but can't present FaceID/TouchID/device PIN interface to the user. Popup.js has UI access, but can't access the iOS Keychain. One hack is to set touchIDAuthenticationAllowableReuseDuration of the Keychain item to an arbitrary time and have the user authenticate in the containing app. However, in case of a time-out, the containing app has be opened by the extension with a custom URL scheme. openURL is not accessible in SafariWebExtensionHandler.swift either (I assume it can be handled by popup.js). This is a user-unfriendly solution. What is the best way to give the Safari extension access to a Keychain item?

Hi Developers, I am wondering how is it possible for other smartphone-based FIDO authenticators to use the same iCloud Keychain storage as Passkey does so those credentials can be used on non-apple devices too, and also on the smartphone at the same time. There are some other iOS authenticators that have implemented BLE and are working on all devices including Windows, but the problem is that those apps cannot support signing in to the website on the smartphone itself (neither in apps nor inside the browser) using the previously registered credential of 'cross-platform' type.

I am going to add safari extension in my app. I need biometric authentication for validate user. when I evaluate device owner authentication via Local Authentication then an error found. [Error Domain=com.apple.LocalAuthentication Code=-1004 "Caller is not running foreground." UserInfo={NSDebugDescription=Caller is not running foreground., NSLocalizedDescription=User interaction required.}] My Question is how may I force to safari extension to be in foreground to fix this issue? Or let me know if I can use any other way. Code: -(void)doBioMatricAuth{     context = [LAContext new];     context.localizedCancelTitle = @"Enter Username/Password";     if([context canEvaluatePolicy:LAPolicyDeviceOwnerAuthentication error:nil]){         dispatch_async(dispatch_get_main_queue(), ^{             NSString *reason = @"Log in to your account";             [self->context evaluatePolicy:LAPolicyDeviceOwnerAuthentication localizedReason:reason reply:^(BOOL success, NSError * _Nullable error) {                 if(success) {                     NSLog(@"Biomatric success");                                      } else {                     NSLog(@"Biomatric Failed %@",error.localizedDescription);                 }             }];         });     } }

I am working on implementing the local authentication on my app so I have to test both Face Id and Touch Id from the simulator. Face Id is visible like below but unable to find out Touch Id option. I have checked on both iOS 13.00 simulator and iOS 14.00 simulator but Touch ID option is hidden in both simulator.

Is there a way to automate Biometric Authentication on real devices? I already automated Touch ID & Face ID on the simulator, but I'm not able to provide proper authentication on a real device. Any tips?

Hello, We first noticed this on iOS 15 beta 4, and it is also happening on beta 5: after presenting a Touch ID prompt in our iOS app (and a fresh demonstration UIKit app) on an iPhone or iPad device with Touch ID enabled and running iOS 15 beta, about two minutes later we receive an additional UIApplicationWillResignNotification while the application is still active. It then happens again, another ~2 minutes later. As a result, any application that uses this notification to prepare for state restoration or to conceal or lock the UI will interrupt the user to prepare for resigning active, while the application is still active, two minutes after prompting the user for Touch ID authentication. I have filed a report in Feedback Assistant (FB9457094), but I thought I would post here as well in case anybody else is seeing the same behavior and has a work-around. Feedback Assistant tells me there are currently no other similar reports. Sample project to show the bug: https://github.com/billymeltdown/resign-active-test/ The SceneDelegate logs a message when the application resigns active. When the Touch ID prompt is presented, the app resigns active as expected, that's not a bug. Then wait two minutes -- it will happen again! (And then again, two minutes after that.) (Not demonstrable on Simulator -- so far I've only seen the bug after prompting for Touch ID which requires running on a Touch ID enabled device.)