One FaceID for multiple operations in a short while

Privacy & Security General
akolio OP
Created May ’24
Replies 4
Boosts 0
Views 759
Participants 2

Hi,

Is this possible? I would like to:

  1. Store a biometrically secured key in the Secure Enclave.
  2. Do multiple cryptographic operations using that key in a short period of time (say 5 seconds), not all at once.
  3. Only do one FaceID for that set.

For the time I've only gotten either multiple flashing FaceId requests or the operations failing.

Is it possible to set a time limit in which the first FaceID authentication is accepted?

Should I do something else?

Thanks!

Answered by DTS Engineer in 802529022
We first use the device check attestation service (DCAppAttestService)

Oh, that’s definitely a wrinkle. App attest represents a different path into the SE, one that’s distinct from the usual keychain path. I’ve no idea how to make things work in that case.

Actually…

I’m gonna go further than that: I don’t think it’s currently possible to unify these requests and I recommend that you file a bug asking that we add such. Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Replies  4
Boosts  0
Views  759
Participants  2
DTS Engineer OP
Apple
May ’24

Is this possible?

Yes.

The trick is to attach the same LACContext to your biometric authentication and your keychain items. For the latter, use kSecUseAuthenticationContext. Its docs describe two different ways to approach this.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

1
akolio OP
Sep ’24

I didn't get to work on this problem for a while, but now I think I have pinpointed the root of our problem.

We first use the device check attestation service (DCAppAttestService) that does its thing with the Secure Enclave and then we do something else also with the Secure Enclave.

If I understand right, both the Apple attest service and our keychain code need to use the same LAContext to only prompt for one FaceID or Passcode?

The problem is, I do not know a way to tell the attest service what LAContext to use. It just takes in the keyId String.

DCAppAttestService > generateAssertion

Is there any way to make this work?

0
DTS Engineer OP
Apple
Sep ’24
Recommended
We first use the device check attestation service (DCAppAttestService)

Oh, that’s definitely a wrinkle. App attest represents a different path into the SE, one that’s distinct from the usual keychain path. I’ve no idea how to make things work in that case.

Actually…

I’m gonna go further than that: I don’t think it’s currently possible to unify these requests and I recommend that you file a bug asking that we add such. Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

1
akolio OP
Sep ’24

Thanks for confirming the findings! I filed a feedback report with the number: FB15077680

0
One FaceID for multiple operations in a short while
First post date Last post date
 
 
Q