Hi everyone,
I'm working on an app that stores multiple secrets in the Keychain, each protected with .userPresence.
My goal is to authenticate the user once via FaceID/TouchID and then read multiple Keychain items without triggering subsequent prompts.
I am reusing the same LAContext instance for these operations, and I have set:
context.touchIDAuthenticationAllowableReuseDuration = LATouchIDAuthenticationMaximumAllowableReuseDuration
However, I'm observing that every single SecItemCopyMatching call triggers a new FaceID/TouchID prompt, even if they happen within seconds of each other using the exact same context.
Here is a simplified flow of what I'm doing:
- Create a
LAContext. - Set
touchIDAuthenticationAllowableReuseDurationto max. - Perform a query (
SecItemCopyMatching) for Item A, passing[kSecUseAuthenticationContext: context].
Result: System prompts for FaceID. Success.
- Immediately perform a query (
SecItemCopyMatching) for Item B, passing the same[kSecUseAuthenticationContext: context].
Result: System prompts for FaceID again.
My question is:
Does the .userPresence access control flag inherently force a new user interaction for every Keychain access, regardless of the LAContext reuse duration? Is allowableReuseDuration only applicable for LAContext.evaluatePolicy calls and not for SecItem queries?
If so, is there a recommended pattern for "unlocking" a group of Keychain items with a single biometric prompt?
Environment: iOS 17+, Swift.
Thanks!