11

I did understand how the Access with Touch ID's `kSecAccessControlTouchIDAny` in the framework KeychainAccess works, but I couldn't figure out how to do this with Face ID in iOS 11. I couldn't find any documentation for solving it yet (maybe the docs are not out yet?).

So I am turning to Stack Overflow to ask: How to write values secured with Face ID to the keychain and how to copy them back?

A minimal example would be nice.

rmaddy
bemeyer
  • 1
    Apple has provided a [non-keychain example](https://developer.apple.com/documentation/localauthentication/) but I imagine keychain would be the same; Face ID will be used automatically on iPhone X devices, Touch ID on other devices. There is no specific code required. – Paulw11 Sep 12 '17 at 20:56
  • @Paulw11 I've seen that example. I really wonder if it will work out of the box because the case is called `...TouchIDAny`. It might be just a `1<<1` value processed by the OS. – bemeyer Sep 12 '17 at 21:12
  • 1
    I imagine it would. The API was created before Face ID existed, so it couldn't refer to Face ID by name. I expect there may eventually be an update that references "BiometricId", but since FaceID replaces TouchID for ApplePay and device unlock it is logical to assume it will replace TouchID in other applications seamlessly – Paulw11 Sep 12 '17 at 22:05
  • 2
    From https://forums.developer.apple.com/thread/86779 there's this comment from Apple employee: "FaceID does not work in the Xcode 9 GM due to a framework bug. For now the best thing to do is to test on an iPhone 8 and ensure everything works with Touch ID." – Daniel Sep 21 '17 at 18:46
  • 1
    @Daniel thanks for posting the link for that conversation here! Let’s hope we get more information soon. – bemeyer Sep 21 '17 at 19:40

2 Answers

5

This appears to now work in Xcode 9.1 (since beta).

Testable with example here:

https://developer.apple.com/library/content/samplecode/KeychainTouchID/Introduction/Intro.html

Even though this example has not been updated for Face ID, it appears to work for storing keychain items protected by Face ID.

As discussed, this does not work in Xcode 9.0 GM.

Daniel
  • 1
    The sample code works fine with Face ID if you add the key `NSFaceIDUsageDescription` to your Info.plist. Then you won't get the warning alert "app has not been updated for Face ID". – Dorian Roy Dec 18 '17 at 10:06
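
A minimal write/read pair for the approach discussed in this answer, as an added example that is not part of the original answer or of Apple's sample code. The service and account strings, `KeychainError` and the function names are assumptions made for illustration; `NSFaceIDUsageDescription` must be present in Info.plist, as the comment above notes.

```swift
import Foundation
import Security

// Hypothetical names for this example; not from Apple's KeychainTouchID sample.
enum KeychainError: Error { case accessControl(CFError?), status(OSStatus), unexpectedData }
let service = "com.example.demo"   // constructed placeholder
let account = "api-token"          // constructed placeholder

func biometricAccessControl() throws -> SecAccessControl {
    // .touchIDAny is the flag named in the question; iOS 11.3 renamed it .biometryAny.
    let flags: SecAccessControlCreateFlags
    if #available(iOS 11.3, *) { flags = .biometryAny } else { flags = .touchIDAny }
    var error: Unmanaged<CFError>?
    // The item is only stored when a passcode is set and never leaves this device.
    guard let acl = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        flags, &error) else {
        throw KeychainError.accessControl(error?.takeRetainedValue())
    }
    return acl
}

func store(_ secret: Data) throws {
    let base: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account
    ]
    _ = SecItemDelete(base as CFDictionary)   // replace any earlier item
    var item = base
    // kSecAttrAccessControl replaces kSecAttrAccessible; do not set both.
    item[kSecAttrAccessControl as String] = try biometricAccessControl()
    item[kSecValueData as String] = secret
    let status = SecItemAdd(item as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.status(status) }
}

// Blocks while the system biometric prompt is shown: call off the main thread.
func load(prompt: String) throws -> Data {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
        kSecUseOperationPrompt as String: prompt   // reason text shown to the user
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess else { throw KeychainError.status(status) }   // e.g. errSecUserCanceled
    guard let data = result as? Data else { throw KeychainError.unexpectedData }
    return data
}
```

Because the access control is attached to the item itself, the read is gated by the system prompt rather than by a check in app code.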
3

Looks like Apple has added Face ID support to the Local Authentication API, but not Keychain ACL yet.

What I'm planning on doing is using Local Authentication to trigger a Face ID prompt, then if that succeeds, access the keychain directly. Not as secure as the proper Keychain ACL API that we have for Touch ID, but it's the best solution I've come up with so far.

https://developer.apple.com/documentation/localauthentication/localauthentication_constants?changes=latest_minor https://developer.apple.com/documentation/localauthentication/labiometrytype?changes=latest_minor

m0ng0
  • 3
    I don't like the idea of giving the customer the feeling that we offer a higher security level and actually have a less secure data storage for his user-specific data which needs to be secured. The whole point of Face ID is to increase the level of security and this "workaround" is a lot less secure then. – bemeyer Sep 13 '17 at 05:44
  • 2
    Just a follow-up on this - Apple has released a security doc which states: "Keychain items can also be protected with Face ID, to be released by the Secure Enclave only by a facial match or the device passcode." See https://images.apple.com/business/docs/FaceID_Security_Guide.pdf – m0ng0 Sep 27 '17 at 20:02