I want to store user credentials securely in the iOS Keychain, but I only want the user to be able to use their fingerprint to retrieve the Keychain item. Is there a workflow for calling the Touch ID sensor to retrieve Keychain items with the ability to dismiss the passcode unlock or without falling back to the passcode at all?
I have implemented the methods defined in the WWDC session on Touch ID and Keychain, but I do not want to fall back on the device passcode like they do in their demo. I want the user to sign in traditionally once the fingerprint scan has failed.
@kishikawa-katsumi is right, in iOS 8 there is no way to disable passcode fallback. The kSecAccessControlUserPresence access control flag makes an item accessible after either Touch ID or Passcode authentication succeeds, and it doesn't even require Touch ID to be available.
But this has been improved in iOS 9. Two Touch ID-related flags, kSecAccessControlTouchIDAny and kSecAccessControlTouchIDCurrentSet, have been added.
So, you need to use either of these two flags when creating the access control object for the Keychain item (with the SecAccessControlCreateWithFlags function) and assign that object to the kSecAttrAccessControl attribute when adding the item with the SecItemAdd function.
There is an example from Apple that demonstrates this; see the addTouchIDItemAsync method. Also, see this post for an overview of other security-related changes in iOS 9.
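The steps described in the answer above, as an added example (not part of the original answer and not Apple's sample code): the item is stored behind kSecAccessControlTouchIDAny, and any failed or cancelled read returns nil so the app can show its normal sign-in form. The service name and the StoreSecret/CopySecret helper names are hypothetical; ARC and iOS 9 or later are assumed.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical service name used only for this example.
static NSString *const kExampleService = @"com.example.app.credentials";

// Store a secret that only a Touch ID match can release (iOS 9+).
static OSStatus StoreSecret(NSString *account, NSData *secret) {
    CFErrorRef error = NULL;
    SecAccessControlRef acl = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        kSecAccessControlTouchIDAny, // or kSecAccessControlTouchIDCurrentSet
        &error);
    if (acl == NULL) {
        if (error) CFRelease(error);
        return errSecParam;
    }
    NSDictionary *base = @{
        (__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: kExampleService,
        (__bridge id)kSecAttrAccount: account
    };
    // Replace any earlier item stored for the same account.
    SecItemDelete((__bridge CFDictionaryRef)base);
    NSMutableDictionary *attrs = [base mutableCopy];
    attrs[(__bridge id)kSecValueData] = secret;
    attrs[(__bridge id)kSecAttrAccessControl] = (__bridge_transfer id)acl;
    return SecItemAdd((__bridge CFDictionaryRef)attrs, NULL);
}

// Returns the secret, or nil when the caller should fall back to the
// app's own sign-in form. Blocks while the Touch ID prompt is shown,
// so call it from a background queue.
static NSData *CopySecret(NSString *account) {
    NSDictionary *query = @{
        (__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: kExampleService,
        (__bridge id)kSecAttrAccount: account,
        (__bridge id)kSecReturnData: @YES,
        (__bridge id)kSecUseOperationPrompt: @"Sign in with Touch ID"
    };
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (status == errSecSuccess) {
        return (__bridge_transfer NSData *)result;
    }
    // errSecUserCanceled, errSecAuthFailed, errSecItemNotFound, and so on:
    // treat every failure as "no secret released".
    return nil;
}
```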
You can customize the "Enter Password" button using the localizedFallbackTitle property:
LAContext *myContext = [[LAContext alloc] init];
myContext.localizedFallbackTitle = @"sign in traditionally";
If you want to remove the fallback button, just set the property like this:
myContext.localizedFallbackTitle = @"";
It is not possible to disable the passcode fallback mechanism in the Keychain Touch ID integration.