Face ID write and read values from and into the keychain

2

11

I did understand how the Access with Touch ID's kSecAccessControlTouchIDAny in the framework KeychainAccess works, but I couldn't figure out how to do this with Face ID in iOS 11. I couldn't find any documentation for solving it yet (maybe the docs are not out yet?).

So I am reaching out to Stack Overflow to ask: How to write values secured with Face ID to the keychain and how to copy them back?

A minimal example would be nice.

Macfarlane answered 12/9, 2017 at 20:15 Comment(5)
Apple has provided a non-keychain example, but I imagine keychain would be the same; Face ID will be used automatically on iPhone X devices, Touch ID on other devices. There is no specific code required. - Steelworker
@Steelworker I've seen that example. I really wonder if it will work out of the box because the case is called ...TouchIDAny. It might be just a 1<<1 value processed by the OS. - Macfarlane
I imagine it would. The API was created before Face ID existed, so it couldn't refer to Face ID by name. I expect there may eventually be an update that references "BiometricId", but since Face ID replaces Touch ID for Apple Pay and device unlock, it is logical to assume it will replace Touch ID in other applications seamlessly. - Steelworker
From forums.developer.apple.com/thread/86779 there's this comment from an Apple employee: "FaceID does not work in the Xcode 9 GM due to a framework bug. For now the best thing to do is to test on an iPhone 8 and ensure everything works with Touch ID." - Greenbelt
@Greenbelt thanks for posting the link for that conversation here! Let's hope we get more information soon. - Macfarlane
5

This appears to now work in Xcode 9.1 (since beta).

Testable with example here:

https://developer.apple.com/library/content/samplecode/KeychainTouchID/Introduction/Intro.html

Even though this example has not been updated for Face ID, it appears to work for storing keychain items protected by Face ID.

As discussed, this does not work in Xcode 9.0 GM.

Greenbelt answered 29/9, 2017 at 22:28 Comment(1)
The sample code works fine with Face ID if you add the key NSFaceIDUsageDescription to your Info.plist. Then you won't get the warning alert "app has not been updated for Face ID". - Cheque
3

Looks like Apple has added Face ID support to the Local Authentication API, but not Keychain ACL yet.

What I'm planning on doing is using Local Authentication to trigger a Face ID prompt, then if that succeeds, access the keychain directly. Not as secure as the proper KeyChain ACL API that we have for Touch ID, but it's the best solution I've come up with so far.

https://developer.apple.com/documentation/localauthentication/localauthentication_constants?changes=latest_minor

https://developer.apple.com/documentation/localauthentication/labiometrytype?changes=latest_minor

Azucenaazure answered 13/9, 2017 at 0:4 Comment(2)
I don't like the idea of giving the customer the feeling that we offer a higher security level and actually have a less secure data storage for his user-specific data which need to be secured. The whole point of Face ID is to increase the level of security and this "workaround" is a lot less secure then. - Macfarlane
Just a follow up on this - Apple has released a security doc which states: "Keychain items can also be protected with Face ID, to be released by the Secure Enclave only by a facial match or the device passcode." See images.apple.com/business/docs/FaceID_Security_Guide.pdf - Azucenaazure
