Current Setup:
Using Secure Enclave with userPresence access control
Foreground keychain accessibility: whenPasscodeSetThisDeviceOnly
Security Requirement:
Our security group wants us to invalidate biometrics and require a username/password if a biometric item is added (potentially by a hostile 3rd party)
Need to upgrade from userPresence to biometricCurrentSet to ensure re-authentication when biometric credentials change.
Issue:
After implementing biometricCurrentSet, authentication cancels after two failed biometric attempts instead of falling back to passcode.
Current Detection Method:
User completes initial biometric authentication
Biometric changes occur (undetectable by app)
App attempts Secure Enclave access
Access denial triggers re-authentication requirement
Cannot revoke refresh token after access is denied
Security Concern:
Current implementation allows new biometric enrollments to access existing authenticated sessions without re-verification.
Question:
What's the recommended approach to:
Implement biometricCurrentSet while maintaining passcode fallback
Properly handle refresh token invalidation when biometric credentials change
Looking for guidance on best practices for implementing these security requirements while maintaining good UX.
Touch ID
RSS for tagSecurely unlock devices, authenticate purchases, sign in to apps, and more with fingerprint recognition using Touch ID.
Posts under Touch ID tag
9 Posts
Sort by:
Post
Replies
Boosts
Views
Activity
I wanted to add the above capability to my up was checking in Background mode, but no availability. How can I add it.
When using Apple's Journal app through iPhone Mirroring, the user is allowed to authenticate via TouchID on the Mac instead of requiring you to unlock your phone, authenticate and then re-lock it to access it again in iPhone Mirroring.
Any other app that's using a call to authenticate via FaceID can't do this under iPhone Mirroring. Is there a new API call for this, or is it still a private API for Apple only?
I locked a few Apps like YouTube and my browser with the new App Lock feature from IOS 18 and all works well, if I want to access the app over the home screen. The problem appears if the app is closed completely and I open a link which gets opened in the locked app. Then the App lock gets bypassed and the app opens completely without authentication.
How app knows that Require Face ID is enable for them?
How app knows that they active after successfully authenticate by iOS 18 Require Face ID feature?
If any app implement any Extension(In my case Action Extension and Autofill Credential provider) then how they extension knows that they active after successfully authenticate by iOS 18 Require Face ID feature?
is there any app notification or any api to help me out?
I've tried getting LAContext and checking it, but it says it canEvaluatePolicy returns false for any biometric policy.
My app already has an app lock system which includes text & biometric combinations. Now iOS 18 has introduced a passcode lock for every app. So if users want to enable the app lock provided by us (developer), we want to inform them that you have enabled the iOS-provided app lock, in addition to that do you want to allow app-specific lock? For this, developers want to know whether iOS-provided app lock is enabled.
-Rajdurai
Hi,
Is there some reference documentation about the properties of a CryptoKit SecureEnclave PrivateKey and its properties?
Concretely, these are some of the questions that I wanted to find a (documented) answer on:
Who can use a SecureEnclave.P256.*.PrivateKey if they have access to the dataRepresentation? I expect that the private key is bound to the specific secure enclave processor, but it also seems to be bound for the user that created the key (from observation by creating a PrivateKey without any access control). What if there's a restore from backup of the machine, will the private key still be usable?
What does a SecureEnclave.P256.*.PrivateKey's dataRepresentation include? From observation, I'm assuming the dataRepresentation is a signed/encrypted blob that includes a unique ID (no 2 keys are the same), the access control settings (biometry required, passcode required, ...), some sort of version of the biometry (so it is be invalidated when the biometry changes). Is there anything else? I'm not interested in the actual encoding (which I understand is undocumented), but want to get an idea of what properties are included in the representation and e.g. can't change in the future.
Answers to these questions could e.g. help make a decision how secure the private key's dataRepresentation needs to be kept (e.g. if it can only be used by myself, and i'm sure it will only ever be valid with the access control flags its representation contains, I could decide it's ok to have this key be in a public place)
I tried looking for answers in some pieces of documentation, but couldn't immediately find the details I was looking for:
The CryptoKit SecureEnclave documentation
The Secure Enclave article
The Protecting keys with the Secure Enclave article
thanks!
Remko
On macOS, in the Apple Passwords app (currently inside Settings but soon to be it's own full fledged app in Sequoia) the user is presented with a screen requesting that they touch the fingerprint reader (see attached).
If we'd like to do something similar, e.g. unlock some sensitive/secure part of our app, by requesting the user touch the Touch ID sensor, but without doing the whole system prompt (LAContext.evaluatePolicy()), how can we do that?
Is that possible for mere mortal developers, and if not, why not?