Since some time now, when users try to buy my App on the Mac App Store or want to start the trial, the system dialog to confirm the purchase is not working correctly. The dialog is sticking to the upper border of the screen behind the menubar and can‘t be moved. And - this is the real problem - users can not confirm the purchase, because the button (or Touch ID field) is not shown. Only the cancel button is there and clickable. Usually (where the arrow points) there is the Touch ID symbol, the password field or purchase button. Any ideas?

We generate Secure Enclave keys via SecKeyCreateRandomKey with kSecAttrTokenIDSecureEnclave on macOS. We need to prove to a remote server that the key is genuinely hardware-bound, not a software key claiming to be one. Is there any API on macOS for an app to obtain an Apple-signed certificate or attestation statement for such a Secure Enclave key, similar to how ASAuthorizationProviderExtensionLoginManager.attestKey() works within Platform SSO but available to general apps? Or other possible workaround for this? Thank you!

I have a question regarding Platform SSO and the use of Secure Enclave–backed keys with biometric policies. If we configure userSecureEnclaveKeyBiometricPolicy with userSecureEnclaveKey, my understanding is that the Secure Enclave key is protected by biometric authentication (e.g., Face ID / Touch ID). In this setup, during a login request that also refreshes the id_token and refresh_token, the assertion is signed using the userSecureEnclaveKey. My question is: Will this signing operation trigger a biometric prompt every time the assertion is generated (i.e., during login/token refresh) ?

We are using SecItemCopyMatching from LocalAuthentication to access the private key to sign a challenge in our native iOS app twice in a few seconds from user interactions. This was working as expected up until about a week ago where we started getting reports of it hanging on the biometrics screen (see screenshot below). From our investigation we've found the following: It impacts newer iPhones using iOS 26.1 and later. We have replicated on these devices: iPhone 17 Pro max iPhone 16 Pro iPhone 15 Pro max iPhone 15 Only reproducible if the app tries to access the private key twice in quick succession after granting access to face ID. Looks like a race condition between the biometrics permission prompt and Keychain private key access We were able to make it work by waiting 10 seconds between private key actions, but this is terrible UX. We tried adding adding retries over the span of 10 seconds which fixed it on some devices, but not all. We checked the release notes for iOS 26.1, but there is nothing related to this. Screenshot:

I'm using Secure Enclave to generate and use a private key like this: let access = SecAccessControlCreateWithFlags(nil, kSecAttrAccessibleWhenUnlockedThisDeviceOnly, [.privateKeyUsage, .biometryAny], nil) let attributes: [String: Any] = [ kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom, kSecAttrKeySizeInBits as String: 256, kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave, kSecAttrAccessControl as String: access as Any, kSecAttrApplicationTag as String: "com.example.key".data(using: .utf8)!, kSecReturnRef as String: true ] let privateKey = SecKeyCreateRandomKey(attributes as CFDictionary, nil) Later, I use this key to sign a message: let signature = SecKeyCreateSignature(privateKey, .ecdsaSignatureMessageX962SHA256, dataToSign as CFData, nil) This prompts for biometric authentication, but shows the default system text. How can I customize or localize the biometric prompt (e.g., title, description, button text) shown during SecKeyCreateSignature? Thanks!

Hi, how can you authenticate a User through Biometrics with iPhone Passcode as Fallback in the Autofill Credential Provider Extension? In the App it works without a problem. In the Extension I get "Caller is not running foreground" Yeah, it isn't, as it's just a sheet above e.g. Safari. I'd like to avoid having the user setup a Passcode dedicated to my App, especially because FaceID is way faster. Does anybody know how to achieve iOS native Auth in the extension? Please let me know, a code sample would be appreciated. Regards, Mia

Current Setup: Using Secure Enclave with userPresence access control Foreground keychain accessibility: whenPasscodeSetThisDeviceOnly Security Requirement: Our security group wants us to invalidate biometrics and require a username/password if a biometric item is added (potentially by a hostile 3rd party) Need to upgrade from userPresence to biometricCurrentSet to ensure re-authentication when biometric credentials change. Issue: After implementing biometricCurrentSet, authentication cancels after two failed biometric attempts instead of falling back to passcode. Current Detection Method: User completes initial biometric authentication Biometric changes occur (undetectable by app) App attempts Secure Enclave access Access denial triggers re-authentication requirement Cannot revoke refresh token after access is denied Security Concern: Current implementation allows new biometric enrollments to access existing authenticated sessions without re-verification. Question: What's the recommended approach to: Implement biometricCurrentSet while maintaining passcode fallback Properly handle refresh token invalidation when biometric credentials change Looking for guidance on best practices for implementing these security requirements while maintaining good UX.

I wanted to add the above capability to my up was checking in Background mode, but no availability. How can I add it.

When using Apple's Journal app through iPhone Mirroring, the user is allowed to authenticate via TouchID on the Mac instead of requiring you to unlock your phone, authenticate and then re-lock it to access it again in iPhone Mirroring. Any other app that's using a call to authenticate via FaceID can't do this under iPhone Mirroring. Is there a new API call for this, or is it still a private API for Apple only?

I locked a few Apps like YouTube and my browser with the new App Lock feature from IOS 18 and all works well, if I want to access the app over the home screen. The problem appears if the app is closed completely and I open a link which gets opened in the locked app. Then the App lock gets bypassed and the app opens completely without authentication.

How app knows that Require Face ID is enable for them? How app knows that they active after successfully authenticate by iOS 18 Require Face ID feature? If any app implement any Extension(In my case Action Extension and Autofill Credential provider) then how they extension knows that they active after successfully authenticate by iOS 18 Require Face ID feature? is there any app notification or any api to help me out?

I've tried getting LAContext and checking it, but it says it canEvaluatePolicy returns false for any biometric policy.

My app already has an app lock system which includes text & biometric combinations. Now iOS 18 has introduced a passcode lock for every app. So if users want to enable the app lock provided by us (developer), we want to inform them that you have enabled the iOS-provided app lock, in addition to that do you want to allow app-specific lock? For this, developers want to know whether iOS-provided app lock is enabled. -Rajdurai

Hi, Is there some reference documentation about the properties of a CryptoKit SecureEnclave PrivateKey and its properties? Concretely, these are some of the questions that I wanted to find a (documented) answer on: Who can use a SecureEnclave.P256.*.PrivateKey if they have access to the dataRepresentation? I expect that the private key is bound to the specific secure enclave processor, but it also seems to be bound for the user that created the key (from observation by creating a PrivateKey without any access control). What if there's a restore from backup of the machine, will the private key still be usable? What does a SecureEnclave.P256.*.PrivateKey's dataRepresentation include? From observation, I'm assuming the dataRepresentation is a signed/encrypted blob that includes a unique ID (no 2 keys are the same), the access control settings (biometry required, passcode required, ...), some sort of version of the biometry (so it is be invalidated when the biometry changes). Is there anything else? I'm not interested in the actual encoding (which I understand is undocumented), but want to get an idea of what properties are included in the representation and e.g. can't change in the future. Answers to these questions could e.g. help make a decision how secure the private key's dataRepresentation needs to be kept (e.g. if it can only be used by myself, and i'm sure it will only ever be valid with the access control flags its representation contains, I could decide it's ok to have this key be in a public place) I tried looking for answers in some pieces of documentation, but couldn't immediately find the details I was looking for: The CryptoKit SecureEnclave documentation The Secure Enclave article The Protecting keys with the Secure Enclave article thanks! Remko

On macOS, in the Apple Passwords app (currently inside Settings but soon to be it's own full fledged app in Sequoia) the user is presented with a screen requesting that they touch the fingerprint reader (see attached). If we'd like to do something similar, e.g. unlock some sensitive/secure part of our app, by requesting the user touch the Touch ID sensor, but without doing the whole system prompt (LAContext.evaluatePolicy()), how can we do that? Is that possible for mere mortal developers, and if not, why not?

Hi, I'm looking for best practices for unlocking TouchID in a Mac app when using canEvaluatePolicy. Documentation says: Biometric authentication will get locked after 5 unsuccessful attempts. After that, users have to unlock it by entering their account password. The password can be entered either at login window or in the preference sheets or even in application by the means of LAPolicyDeviceOwnerAuthentication. The system unlock is preferred user experience because we generaly don't want users to enter their account password at application's request. So if we shouldn't manage Mac's password in the app, how to invite user to unlock ? Explaining he must lock/unlock the session or open any preference panel isn't a fluent experience and would definitely seems weird. I tried adding an 'Unlock' button in an alert and locking the screen automatically but this raises extras complexities: pmset can put the screen to sleep but won't lock in case of grace period sending an cmd-ctl-Q AppleEvent to System Events could fit but it depends on user acceptance for AEs and fails when System Events isn't running. Any ideas ?

Hi, We're using SecKeyCreateRandomKey to generate a random key with access control kSecAttrAccessControl key set to `kSecAccessControlTouchIDAny' using below code SecAccessControlCreateWithFlags( kCFAllocatorDefault, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, kSecAccessControlTouchIDAny | kSecAccessControlPrivateKeyUsage, &error) Now, while accessing the key with below code, we're not seeing any biometric prompt on simulator where as the biometric prompt is shown in all physical devices and the key is returned only on successful authentication with FaceID (or) Touch ID. Can someone please help to understand why the behaviour is different in simulators NSDictionary *privateKeySearchQueryParam = @{ (id)kSecClass: (id)kSecClassKey, (id)kSecAttrKeyType: (id)kSecAttrKeyTypeEC, (id)kSecAttrLabel: keyName, (id)kSecReturnRef: @YES };

Hello, we trying to develop passwordless flow in the browser, but when we invoke navigator.credentials.create, it resolves an empty object {}. We acquired options from StrongKey server and parsed them in navigator options as was shown on wwdc20-10670 demo. An excerpt of source code is below: { 		publicKey: { 				rp: {name: queryParams.rpName}, 				user: { 						name: queryParams.userName, 						id: toUint8Array(queryParams.userId), 						displayName: queryParams.displayName 				}, 				pubKeyCredParams: [{type: "public-key", alg: -7}], 				challenge: toUint8Array(queryParams.challenge), 				authenticatorSelection: {authenticatorAttachment: "platform",}, 				attestation: "direct" 		} } The user is requested to proceed with TouchID/FaceID/etc. and everything looks as expected, but the returned value is empty. We have tested the flow in the latest Chrome, Safari and Safari for iOS. Has anyone encountered this behavior as well?

I am creating a react app and am making use of Webauthn to use TouchID or FaceID for user authentication. I have built my app so that when the button is clicked, navigator.credentials.create is the only call made. With attestation set to none, there are no issues however as soon as I set attestation to direct I get an alert saying 'The operation can't be completed' and 'NotAllowedError: This request has been cancelled by the user.' is logged to console. The issue only presents itself on Safari and iOS devices however works perfectly on other browsers like Chrome. Has anyone encountered a similar issue and possibly know how to resolve it? Thanks Shay

I'd like to display a list of Keychain items using Touch ID when focusing on a text field, as shown in the image below. I've looked through the documentation but couldn't find an API that can produce the desired effect as shown in the image. It seems to me that there isn't an API for this and I would need to implement it manually. However, I'm wondering if there might be an API that I'm not aware of. References: https://developer.apple.com/documentation/localauthentication , https://developer.apple.com/documentation/localauthenticationembeddedui/laauthenticationview