
Is it OK to use device passcode to authenticate user to an iOS app?

I'm adding user authentication support to my app. The only requirement is that the user should be the owner of the device (the app doesn't access a remote service and doesn't need to access keys in the keychain).

I have read the LocalAuthentication framework docs and done experiments. I know it's technically feasible to call the LocalAuthentication API to authenticate the user using Touch/Face ID first and fall back to asking the user to input the device passcode if that fails.

However, among all the iOS apps I have used, I have never seen one that authenticates users like that (I mean, using the device passcode). When I enable Touch/Face ID authentication in those apps, all of them asked me to set a shorter and almost never used application-specific passcode first, which in my opinion is not only inconvenient but also insecure. I wonder why they don't just use the device passcode? Is there a policy in the Apple Store that doesn't allow this? Will my app be rejected for doing this? Thanks for any explanation.

UPDATE:

According to this article, using the keychain is more secure than using LocalAuthentication because the former is a system-level component and the latter is an application-layer component. However, the article suggested using the device passcode, instead of an application-specific passcode, when accessing items in the keychain.

It's critical that developers set up access control on the keychain so that when users attempt to retrieve a secure item, they must authenticate with the device passcode (and therefore, Face ID when enabled).

Now that I have released my own app in the App Store, I think I can give a definitive answer to my question. I actually asked two questions:

  1. Is it OK to use the device passcode to authenticate the user to an iOS app?

A: Yes. I did this in my app and the app was accepted by the App Store.

  2. Why do most, if not all, apps introduce an app-specific passcode?

A: I'm not 100% sure about this. I think some apps do this because they save user credentials in the keychain and want to protect that data with an app-specific key code. For other apps, however, I suspect they don't use the app-specific code for anything.
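The two approaches discussed above (the LocalAuthentication fallback from biometrics to the device passcode in the question, and the keychain access control from the update) as an added Swift example; this is not code from the question, the answer, or the linked article, and the function names and the account string are assumptions.

```swift
import Foundation
import LocalAuthentication
import Security

// Biometrics first, automatic fallback to the device passcode. The
// .deviceOwnerAuthenticationWithBiometrics policy would NOT fall back.
func authenticateDeviceOwner(reason: String,
                             completion: @escaping (Bool, Error?) -> Void) {
    let context = LAContext()
    var error: NSError?
    // Fails when no passcode is set at all; deny rather than silently allow.
    guard context.canEvaluatePolicy(.deviceOwnerAuthentication, error: &error) else {
        completion(false, error)
        return
    }
    context.evaluatePolicy(.deviceOwnerAuthentication, localizedReason: reason) {
        ok, evalError in completion(ok, evalError)
    }
}
// Keychain item the system itself protects: reading it requires the device
// owner to authenticate, it is gone if the passcode is removed, and it never syncs.
func storeProtectedSecret(_ secret: Data, account: String) -> OSStatus {
    var cfError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault,
            kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
            .userPresence,          // .devicePasscode would exclude biometry
            &cfError) else { return errSecParam }
    // Drop any previous item for this account so SecItemAdd does not
    // return errSecDuplicateItem.
    let lookup: [String: Any] = [kSecClass as String: kSecClassGenericPassword,
                                 kSecAttrAccount as String: account]
    _ = SecItemDelete(lookup as CFDictionary)
    var add = lookup
    add[kSecAttrAccessControl as String] = access
    add[kSecValueData as String] = secret
    return SecItemAdd(add as CFDictionary, nil)
}
// Reading triggers the system's own authentication prompt via the LAContext.
func readProtectedSecret(account: String, reason: String) -> Data? {
    let context = LAContext()
    context.localizedReason = reason
    let query: [String: Any] = [kSecClass as String: kSecClassGenericPassword,
                                kSecAttrAccount as String: account,
                                kSecReturnData as String: true,
                                kSecUseAuthenticationContext as String: context]
    var result: CFTypeRef?
    guard SecItemCopyMatching(query as CFDictionary, &result) == errSecSuccess else { return nil }
    return result as? Data
}
```

Note that `canEvaluatePolicy` returning false (no passcode configured) is the case an app must treat as "cannot verify the owner", not as a pass.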
