可以使用设备密码向 iOS 应用程序验证用户身份吗?
[英]Is it OK to use device passcode to authenticate user to an iOS app?
问题描述
I'm adding user authentication support to my app.
我正在向我的应用程序添加用户身份验证支持。 The only requirement is that the user should be the owner of the device (the app doesn't access remote service and doesn't need to access keys in keychain).唯一的要求是用户应该是设备的所有者(应用程序不访问远程服务,也不需要访问钥匙串中的密钥)。
I have read LocalAuthentication framework docs and done experiments.我已阅读LocalAuthentication框架文档并进行了实验。 I know it's technically feasible to call LocalAuthentication API to authenticate user using touch/face id first and fall back to asking user to input device passcode if that fails.我知道调用LocalAuthentication API 首先使用触摸/面部 id 对用户进行身份验证在技术上是可行的,如果失败则回退到要求用户输入设备密码。
However, among all the iOS apps I have used, I never see one that authenticates user like that (I mean, using device passcode ).但是,在我使用过的所有 iOS 应用程序中,我从未见过像这样对用户进行身份验证的应用程序(我的意思是,使用设备密码)。 When I enable touch/face id authentication in those apps, all of them asked me to set a shorter and almost never used application-specific passcode first, which in my opinion is not only inconvenient but also insecure.当我在这些应用程序中启用触摸/面部身份验证时,他们都要求我先设置一个较短且几乎从未使用过的应用程序专用密码,在我看来这不仅不方便而且不安全。 I wonder why they don't just use device passcode ?我想知道他们为什么不只使用设备密码? Is there a policy in Apple Store that doesn't allow this? Apple Store 中是否有不允许这样做的政策? Will my app be rejected for doing this?我的应用会因为这样做而被拒绝吗? Thanks for any explanation.感谢您的任何解释。
UPDATE :更新:
According to this article , using keychain is more secure than using LocalAuthentication because the former is a system level component and the latter is an application layer component.根据这篇文章,使用 keychain 比使用LocalAuthentication更安全,因为前者是系统级组件,后者是应用层组件。 However, the article suggested using device passcode , instead of application-specific passcode , when accessing items in keychain.但是,文章建议在访问钥匙串中的项目时使用设备密码,而不是特定于应用程序的密码。
It's critical that developers set up access control on the keychain so that when users attempt to retrieve a secure item, they must authenticate with the device passcode (and therefore, Face ID when enabled).
1 个解决方案
解决方案1
0 2020-07-02 09:46:09
Now that I have released my own app in App Store, I think I can give a definitive answer to my question.现在我已经在 App Store 中发布了自己的应用程序,我想我可以对我的问题给出一个明确的答案。 I actually asked two questions:我实际上问了两个问题:
- Is it OK to use device passcode to authenticate user to an iOS app?可以使用设备密码向 iOS 应用程序验证用户身份吗?
A: Yes.答:是的。 I did this in my app and the app was accepted by App Store.我在我的应用程序中执行了此操作,并且该应用程序被 App Store 接受。
- Why do most, if not all, apps introduce app specific passcode?为什么大多数(如果不是全部)应用程序都会引入应用程序特定密码?
A: I'm not 100% sure about this.答:我对此不是 100% 确定的。 I think some apps do this because they save user credentials in keychain and wants to protect those data with app specific key code.我认为某些应用程序这样做是因为它们将用户凭据保存在钥匙串中,并希望使用特定于应用程序的密钥代码来保护这些数据。 For other apps, however, I suspect they don't use app specific code for anything.然而,对于其他应用程序,我怀疑他们不会使用特定于应用程序的代码来做任何事情。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.