Current Setup:
- Using Secure Enclave with userPresence access control
- Foreground keychain accessibility: whenPasscodeSetThisDeviceOnly
Security Requirement: Our security group wants us to invalidate biometrics and require a username/password if a biometric item is added (potentially by a hostile 3rd party).
Need to upgrade from userPresence to biometricCurrentSet to ensure re-authentication when biometric credentials change.
Issue: After implementing biometricCurrentSet, authentication cancels after two failed biometric attempts instead of falling back to passcode.
Current Detection Method:
- User completes initial biometric authentication
- Biometric changes occur (undetectable by app)
- App attempts Secure Enclave access
- Access denial triggers re-authentication requirement
- Cannot revoke refresh token after access is denied
Security Concern: Current implementation allows new biometric enrollments to access existing authenticated sessions without re-verification.
Question: What's the recommended approach to:
- Implement biometricCurrentSet while maintaining passcode fallback
- Properly handle refresh token invalidation when biometric credentials change
Looking for guidance on best practices for implementing these security requirements while maintaining good UX.
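As an added Swift example (not code from the post): the flag the post calls biometricCurrentSet is `.biometryCurrentSet` in `SecAccessControlCreateFlags`; combining it with `.or, .devicePasscode` restores the passcode fallback, but because that fallback keeps the item reachable after a re-enrollment, the app detects the enrollment change itself via `LAContext.evaluatedPolicyDomainState` and revokes the refresh token before any token use. The UserDefaults key and the `revokeRefreshToken` closure are assumptions for this example.

```swift
import Foundation
import LocalAuthentication
import Security

// Assumed UserDefaults key used by this example to remember the enrollment state at sign-in.
let domainStateKey = "biometricDomainStateAtSignIn"

/// ACL for the Secure Enclave key (or keychain item) protecting the refresh token:
/// usable only while a passcode is set, on this device, by the biometric set present at
/// creation OR the device passcode. .biometryCurrentSet alone has no passcode path, which
/// is why the OS cancels after failed biometric attempts instead of falling back.
func makeAccessControl() throws -> SecAccessControl {
    var error: Unmanaged<CFError>?
    guard let acl = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        [.privateKeyUsage, .biometryCurrentSet, .or, .devicePasscode],
        &error) else { throw error!.takeRetainedValue() }
    return acl
}

/// Opaque snapshot of the current biometric enrollment; nil when biometrics are unavailable.
/// Its value changes whenever a finger or face is added or removed.
func currentDomainState() -> Data? {
    let ctx = LAContext()
    var err: NSError?
    guard ctx.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &err) else { return nil }
    return ctx.evaluatedPolicyDomainState
}

/// Record the enrollment state when the user signs in with username/password.
func recordEnrollmentAtSignIn() {
    UserDefaults.standard.set(currentDomainState(), forKey: domainStateKey)
}

/// Call before using the stored refresh token. Because the passcode path above keeps the
/// token reachable after a re-enrollment, the app must notice the change itself: on a
/// mismatch it revokes the session server-side (revokeRefreshToken is an assumed app call)
/// and returns false so the caller forces a username/password sign-in. A nil state at
/// sign-in (no biometrics enrolled) followed by a non-nil one also counts as a change.
func enforceEnrollmentPolicy(revokeRefreshToken: () -> Void) -> Bool {
    let atSignIn = UserDefaults.standard.data(forKey: domainStateKey)
    if atSignIn == currentDomainState() { return true }
    revokeRefreshToken()
    UserDefaults.standard.removeObject(forKey: domainStateKey)
    return false
}
```

Revocation happens before the Secure Enclave access is attempted, so it does not depend on the access denial the post describes as too late.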