iOS Biometric Authentication Implementation when biometric is added

Current Setup:

  • Using Secure Enclave with userPresence access control
  • Foreground keychain accessibility: whenPasscodeSetThisDeviceOnly

Security Requirement: Our security group wants us to invalidate biometrics and require a username/password if a biometric item is added (potentially by a hostile 3rd party)

Need to upgrade from userPresence to biometricCurrentSet to ensure re-authentication when biometric credentials change.

Issue: After implementing biometricCurrentSet, authentication cancels after two failed biometric attempts instead of falling back to passcode.

Current Detection Method:

  1. User completes initial biometric authentication
  2. Biometric changes occur (undetectable by app)
  3. App attempts Secure Enclave access
  4. Access denial triggers re-authentication requirement
  5. Cannot revoke refresh token after access is denied

Security Concern: Current implementation allows new biometric enrollments to access existing authenticated sessions without re-verification.

Question: What's the recommended approach to:

  1. Implement biometricCurrentSet while maintaining passcode fallback
  2. Properly handle refresh token invalidation when biometric credentials change

Looking for guidance on best practices for implementing these security requirements while maintaining good UX.
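One way to put the two requirements together in Swift, as an added example that is not code from the original post: the keychain item is protected with the SDK flag `.biometryCurrentSet` combined with `.or` and `.devicePasscode`, so the passcode sheet still works after failed biometric attempts, and enrollment changes are detected by the app itself by comparing `LAContext.evaluatedPolicyDomainState` across launches, before the keychain item is touched. That ordering is what makes revocation possible: the check runs while the app still holds a session identifier it can revoke, instead of waiting for Secure Enclave access to be denied. The service name, account name, `UserDefaults` key and the `revokeSession` closure are assumptions for illustration, not real app or server identifiers.

```swift
import Foundation
import LocalAuthentication
import Security

// Hypothetical identifiers for the example; replace with the app's own values.
private let service = "com.example.app.session"      // assumed keychain service
private let account = "refreshToken"                 // assumed keychain account
private let domainStateKey = "biometricDomainState"  // assumed UserDefaults key

enum AuthError: Error { case keychain(OSStatus), accessControl, cancelled }

/// Access control: current biometric set OR device passcode. Only the biometric
/// path is bound to the enrollment; the passcode path remains a fallback.
func makeAccessControl() throws -> SecAccessControl {
    var error: Unmanaged<CFError>?
    guard let acl = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        [.biometryCurrentSet, .or, .devicePasscode],
        &error) else { throw AuthError.accessControl }
    return acl
}

private var baseQuery: [String: Any] {
    [kSecClass as String: kSecClassGenericPassword,
     kSecAttrService as String: service,
     kSecAttrAccount as String: account]
}

/// Stores the refresh token under the access control above and records the
/// biometric domain state that was current when the user last authenticated.
func storeRefreshToken(_ token: Data) throws {
    SecItemDelete(baseQuery as CFDictionary)           // replace any previous item
    var attrs = baseQuery
    attrs[kSecAttrAccessControl as String] = try makeAccessControl()
    attrs[kSecValueData as String] = token
    let status = SecItemAdd(attrs as CFDictionary, nil)
    guard status == errSecSuccess else { throw AuthError.keychain(status) }
    UserDefaults.standard.set(currentBiometricDomainState(), forKey: domainStateKey)
}

/// Reads the token behind a .deviceOwnerAuthentication prompt, which offers the
/// passcode sheet after biometric failures; the same context is handed to the
/// keychain so the passcode branch of the access control can satisfy it.
func readRefreshToken(reason: String, completion: @escaping (Result<Data, Error>) -> Void) {
    let context = LAContext()
    context.evaluatePolicy(.deviceOwnerAuthentication, localizedReason: reason) { ok, err in
        guard ok else { completion(.failure(err ?? AuthError.cancelled)); return }
        var query = baseQuery
        query[kSecReturnData as String] = true
        query[kSecUseAuthenticationContext as String] = context
        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)
        if status == errSecSuccess, let data = item as? Data {
            completion(.success(data))
        } else {
            completion(.failure(AuthError.keychain(status)))
        }
    }
}

/// Opaque snapshot of the enrolled biometric set; nil when biometrics are
/// unavailable. Any enrollment change yields a different value.
func currentBiometricDomainState() -> Data? {
    let context = LAContext()
    var error: NSError?
    guard context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &error) else {
        return nil
    }
    return context.evaluatedPolicyDomainState
}

/// True when the enrolled set differs from the one recorded at last login.
func biometricEnrollmentChanged() -> Bool {
    let previous = UserDefaults.standard.data(forKey: domainStateKey)
    guard let previous = previous else { return false }   // nothing recorded yet
    return previous != currentBiometricDomainState()
}

/// Run on launch and on foreground, before any keychain read. `revokeSession`
/// is a hypothetical call to the backend keyed on a non-secret session id held
/// outside the protected item, so revocation does not depend on reading the token.
func enforceEnrollmentPolicy(sessionId: String,
                             revokeSession: (String) -> Void,
                             requireCredentialLogin: () -> Void) {
    guard biometricEnrollmentChanged() else { return }
    revokeSession(sessionId)                              // server-side invalidation first
    SecItemDelete(baseQuery as CFDictionary)             // drop the local refresh token
    UserDefaults.standard.removeObject(forKey: domainStateKey)
    requireCredentialLogin()                              // username/password, per policy
}
```

The domain state is only populated after a successful `canEvaluatePolicy` or `evaluatePolicy` for a biometric policy, so `currentBiometricDomainState()` must be called at login time to seed the stored value. Because the `.or .devicePasscode` branch keeps the item reachable by passcode after an enrollment change, the app cannot rely on the Secure Enclave denying access as its signal; the explicit comparison in `enforceEnrollmentPolicy` is what triggers revocation, and it runs while the session id is still available to revoke.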
