Biometrics prompt + private key access race condition since iOS 26.1

We are using SecItemCopyMatching from LocalAuthentication to access the private key to sign a challenge in our native iOS app twice in a few seconds from user interactions.

This was working as expected up until about a week ago, when we started getting reports of it hanging on the biometrics screen (see screenshot below).

From our investigation we've found the following:

  • It impacts newer iPhones using iOS 26.1 and later. We have replicated on these devices:
    • iPhone 17 Pro Max
    • iPhone 16 Pro
    • iPhone 15 Pro Max
    • iPhone 15
  • Only reproducible if the app tries to access the private key twice in quick succession after granting access to Face ID.
    • Looks like a race condition between the biometrics permission prompt and Keychain private key access
  • We were able to make it work by waiting 10 seconds between private key actions, but this is terrible UX.

We tried adding retries over the span of 10 seconds which fixed it on some devices, but not all.

We checked the release notes for iOS 26.1, but there is nothing related to this.

Screenshot:

So you’re seeing this on iOS 26.2 as well?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

@DTS Engineer correct

Well, that’s not good.

I suggest you retry this on the current 26.3 beta, just in case. Assuming the problem shows up there as well, you should file a bug about it. Make sure to include a sysdiagnose log taken shortly after reproducing the problem, ideally as soon as you see the fuzzy screen you showed in your screenshot.

Once you’re done, please post your bug number and I’ll take another look.

At the API level, one option you have is to create an LAContext and pass it in to each SecItemCopyMatching call via kSecUseAuthenticationContext. It’s not clear whether you’re doing that or not. Please confirm either way.

It’s also not clear if it’s even the right thing to do. This technique makes sense when the user performs a single high-level operation that requires multiple cryptographic operations with the same key. However, if the user performs two separate high-level operations back-to-back and that reproduces this issue, then trying to work around this using kSecUseAuthenticationContext isn’t really the right choice, because the user is expecting to authenticate twice.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
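
The technique described in the reply above, sharing one LAContext across several SecItemCopyMatching calls via kSecUseAuthenticationContext, as an added Swift example that is not code from the thread or from Apple, and is not a confirmed workaround for the reported hang. It covers the case the reply says the technique suits: a single user-level operation that needs two signatures with the same key. The key tag, the EC key type, the signing algorithm and the function names are assumptions.

```swift
import Foundation
import LocalAuthentication
import Security

enum SigningError: Error {
    case keyLookupFailed(OSStatus)
    case signingFailed(Error?)
}

// Assumption: an EC private key stored under this hypothetical application tag,
// protected by an access control that requires biometrics.
let keyTag = Data("com.example.signing-key".utf8)

/// Looks up the private key and binds the returned reference to the supplied LAContext,
/// so authentication for this key goes through that context.
func copyPrivateKey(using context: LAContext) throws -> SecKey {
    let query: [String: Any] = [
        kSecClass as String: kSecClassKey,
        kSecAttrApplicationTag as String: keyTag,
        kSecAttrKeyType as String: kSecAttrKeyTypeECSecPrimeRandom,
        kSecReturnRef as String: true,
        kSecUseAuthenticationContext as String: context,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let key = item else {
        throw SigningError.keyLookupFailed(status) // surface the OSStatus for diagnosis
    }
    return key as! SecKey
}

/// Signs one challenge with the key, using the shared context.
func sign(_ challenge: Data, using context: LAContext) throws -> Data {
    let key = try copyPrivateKey(using: context)
    var error: Unmanaged<CFError>?
    guard let signature = SecKeyCreateSignature(
        key, .ecdsaSignatureMessageX962SHA256, challenge as CFData, &error
    ) else {
        throw SigningError.signingFailed(error?.takeRetainedValue())
    }
    return signature as Data
}

/// One user-level operation needing two signatures: both calls share one context,
/// so authentication performed for the first can be reused by the second.
func signBoth(_ first: Data, _ second: Data) throws -> (Data, Data) {
    let context = LAContext()
    defer { context.invalidate() } // drop the authenticated state when the operation ends
    return (try sign(first, using: context), try sign(second, using: context))
}
```

Creating the context inside `signBoth` and invalidating it on exit keeps the reuse scoped to that one operation, so a separate user action later starts with a fresh context and its own authentication.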
