SecItemCopyMatching for Touch ID without passcode fallback

Frontend · Unresolved · 6 · 2100
抹茶落季 2020-12-29 20:36

I am using SecItemCopyMatching to fetch a keychain item protected by Touch ID.

However, if Touch ID unlocking fails (or the user selects "Enter Passcod

6 answers
  •  执笔经年
    2020-12-29 21:09

    We had a similar dilemma while working on one of our in-production apps. We realised that we needed Touch ID unlock as well as a custom fallback mechanism (which requires a server API for unlocking), which is stronger than a 4-digit unlock password.

    So, let me try to explain how we achieved it. Something similar is presumably done by Apple for App Store purchases and by the 1Password app.

    Background:

    Two mechanisms to integrate Touch ID:

    1. Use Touch ID to access credentials stored in the keychain

      Issue:

      If a device has Touch ID as well, the preferred method is to authenticate with Touch ID, and the passcode is the backup mechanism.

      No other fallback mechanism is permitted, and Apple does not allow customisation of the fallback user interface.

    2. Use Touch ID to authenticate with the app directly (called Local Authentication)

      Issue:

      No permission is granted to store secrets into or retrieve secrets from the Secure Enclave.

      Contrary to the keychain access case, Apple does not allow device passcode authentication as a backup. Every application needs to provide its own fallback to handle the failed Touch ID case with custom UI.

    Concern:

    About storing sensitive information in the keychain:

    We were tempted to use this approach but were taken aback by realising that the only fallback for failing to authenticate with Touch ID is the device passcode. iOS users usually configure a four-digit passcode, which is less secure than users' custom passwords.

    Facelifting examples:

    Apple uses your iCloud account password [custom fallback mechanism] as a fallback mechanism for iTunes Store purchases if the user fails to authenticate with Touch ID.

    The 1Password app also has a similar approach.


    Conclusion

    In our app we authenticate with Touch ID via LocalAuthentication, and we use our 'app-specific PIN unlock feature' or the client's password as the fallback mechanism.

    We don't store the password on the device; failure to authenticate with Touch ID requires full authentication through the server's API if the device does not have a PIN configured within the app.

    Sample code:

    #import <LocalAuthentication/LocalAuthentication.h>

    // Biometrics-only policy: iOS never offers the device passcode for this policy,
    // so every failure (including the user tapping the fallback button) reaches fallbackBlock.
    [self.laContext evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics
                   localizedReason:reason
                             reply:^(BOOL success, NSError *error) {
        if (success)
            dispatch_async(dispatch_get_main_queue(), ^{ successBlock(); });
        else
            dispatch_async(dispatch_get_main_queue(), ^{ fallbackBlock(error); });
        self.laContext = nil;  // release the context once the prompt has finished
    }];
    
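Added example, not code from the answer above: the same biometrics-only prompt in Swift, with the LAError cases mapped to the app's own fallback the answer describes instead of the device passcode. `UnlockOutcome`, `outcome(for:)`, `unlockWithBiometrics` and the "Use App PIN" label are assumed names; the app-PIN / server login UI itself is not shown.

```swift
import LocalAuthentication

/// Result of an unlock attempt: biometrics succeeded, the app's own fallback
/// (app PIN or server login) should be shown, or the attempt was abandoned.
enum UnlockOutcome: Equatable {
    case unlocked
    case useAppFallback(reason: String)
    case cancelled
}

/// Map a LocalAuthentication error to what the app should do next. Kept
/// separate from the prompt so the decision logic can be tested without a device.
func outcome(for error: Error?) -> UnlockOutcome {
    guard let laError = error as? LAError else {
        return .useAppFallback(reason: "unknown error")
    }
    switch laError.code {
    case .userFallback:
        // The user tapped the custom button set via localizedFallbackTitle.
        return .useAppFallback(reason: "user chose fallback")
    case .biometryLockout, .authenticationFailed:
        // Biometrics rejected or locked out: route to the app's own PIN /
        // server login, never to the device passcode.
        return .useAppFallback(reason: "biometry failed or locked out")
    case .biometryNotEnrolled, .biometryNotAvailable, .passcodeNotSet:
        return .useAppFallback(reason: "biometry unavailable on this device")
    case .userCancel, .systemCancel, .appCancel:
        return .cancelled
    default:
        return .useAppFallback(reason: "unhandled LAError \(laError.code.rawValue)")
    }
}

/// Biometrics-only prompt with a custom fallback button. Because the policy is
/// .deviceOwnerAuthenticationWithBiometrics (not .deviceOwnerAuthentication),
/// iOS does not offer the device passcode; the button only yields .userFallback.
func unlockWithBiometrics(completion: @escaping (UnlockOutcome) -> Void) {
    let context = LAContext()
    context.localizedFallbackTitle = "Use App PIN"   // assumed app-specific label
    var availability: NSError?
    guard context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                                    error: &availability) else {
        completion(outcome(for: availability))
        return
    }
    context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                           localizedReason: "Unlock your vault") { success, error in
        DispatchQueue.main.async {
            completion(success ? .unlocked : outcome(for: error))
        }
    }
}
```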
