
I'm adding user authentication support to my app. The only requirement is that the user should be the owner of the device (the app doesn't access remote service and doesn't need to access keys in keychain).

I have read LocalAuthentication framework docs and done experiments. I know it's technically feasible to call LocalAuthentication API to authenticate user using touch/face id first and fall back to asking user to input device passcode if that fails.

However, among all the iOS apps I have used, I never see one that authenticates user like that (I mean, using device passcode). When I enable touch/face id authentication in those apps, all of them asked me to set a shorter and almost never used application-specific passcode first, which in my opinion is not only inconvenient but also insecure. I wonder why they don't just use device passcode? Is there a policy in Apple Store that doesn't allow this? Will my app be rejected for doing this? Thanks for any explanation.

UPDATE:

According to this article, using keychain is more secure than using LocalAuthentication because the former is a system level component and the latter is an application layer component. However, the article suggested using device passcode, instead of application-specific passcode, when accessing items in keychain.

It’s critical that developers set up access control on the keychain so that when users attempt to retrieve a secure item, they must authenticate with the device passcode (and therefore, Face ID when enabled).

rayx
  • I googled about this and wasn't able to find any discussion about this topic except this one: https://stackoverflow.com/questions/46030483/how-to-customise-the-deviceownerauthentication-view-controller, which is unfortunately not helpful. – rayx May 08 '20 at 05:25
  • 1
    I wouldn't expect you would have any issue. That's what the local authentication framework is for. The reason other apps might get you to store another pin is that they can store that in the keychain with a setting that removes it if the biometrics are changed (ie someone adds a fingerprint or appearance). That way if someone tries to add their biometrics to your phone (which requires the passcode anyway) the pin will be invalidated and they won't get automatic access to that other app. – Paulw11 May 08 '20 at 06:52
  • Hi @Paulw11 Thanks for your reply. Were you referring to `kSecAccessControlApplicationPassword` flag which is used for protecting key in keychain? It's interesting to know that (I wasn't aware of it until you mentioned it. Thanks). But I doubt the iOS apps (e.g., Microsoft onedrive) on my phone use app-specific passcode that way, because although those apps do save key or password in keychain, they never prompt me to input app-specific passcode when they retrieve the key. The only use of that passcode is when I open the app, but that is optional because using touch/face id will suffice. – rayx May 08 '20 at 11:24
  • Still, I think your answer is very helpful. Do you think there is any chance that those app developers misused the feature or just followed an outdated convention that doesn't make sense any more? And if you like feel free to create an answer using that comment. I'd like to give you the reputation points :) – rayx May 08 '20 at 11:37
  • OneDrive and other Microsoft apps have a slightly different use of the pin code; Microsoft apps can be managed by InTune and the PIN code is used as an additional encryption key – Paulw11 May 08 '20 at 11:41
  • Thanks for the information. That's more complicated than I expected. Anyway I'm glad it's OK to just use `LocalAuthentication` for my app and it's not mandatory to introduce application-specific passcode. I'll come back and update the question when I successfully submit my app (hopefully in one month or so). – rayx May 08 '20 at 12:30
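The flow the question describes (biometrics first, device passcode as the fallback) is exactly what the `.deviceOwnerAuthentication` policy of `LocalAuthentication` does. The following is an added example, not code from the question or any of the commenters; the function name `authenticateDeviceOwner` and the error-mapping enum are my own. The `canEvaluatePolicy` check matters because the policy cannot succeed on a device with no passcode set, and that is a case the app has to handle rather than silently treat as "authenticated".

```swift
import Foundation
import LocalAuthentication

/// Outcome of a device-owner authentication attempt (hypothetical type for this example).
enum OwnerAuthResult {
    case authenticated
    case noDevicePasscode      // device has no passcode: the policy can never succeed
    case cancelledByUser
    case failed(Error?)
}

/// Authenticates the device owner: Face ID / Touch ID first, with the system's own
/// fallback to the device passcode. No application-specific passcode is involved.
func authenticateDeviceOwner(reason: String,
                             completion: @escaping (OwnerAuthResult) -> Void) {
    let context = LAContext()
    var policyError: NSError?

    // .deviceOwnerAuthentication covers biometrics *and* the device passcode.
    // If biometry is locked out or unavailable, the system offers the passcode itself.
    guard context.canEvaluatePolicy(.deviceOwnerAuthentication, error: &policyError) else {
        if let laError = policyError as? LAError, laError.code == .passcodeNotSet {
            completion(.noDevicePasscode)
        } else {
            completion(.failed(policyError))
        }
        return
    }

    context.evaluatePolicy(.deviceOwnerAuthentication, localizedReason: reason) { success, error in
        // The reply arrives on a private queue; hop back to main before touching UI.
        DispatchQueue.main.async {
            if success {
                completion(.authenticated)
                return
            }
            if let laError = error as? LAError {
                switch laError.code {
                case .userCancel, .systemCancel, .appCancel:
                    completion(.cancelledByUser)
                case .passcodeNotSet:
                    completion(.noDevicePasscode)
                default:
                    completion(.failed(error))
                }
            } else {
                completion(.failed(error))
            }
        }
    }
}

// Usage, e.g. from a view controller before revealing protected content:
// authenticateDeviceOwner(reason: "Unlock your notes") { result in
//     switch result {
//     case .authenticated:      showProtectedContent()
//     case .noDevicePasscode:   explainThatAPasscodeIsRequired()
//     case .cancelledByUser:    break
//     case .failed(let error):  showError(error)
//     }
// }
```

One caveat worth keeping in mind when relying on this alone: a successful `evaluatePolicy` result is a boolean held by the app process, not a key. Gating UI on it is fine for the question's requirement (prove the device owner is present), but it does not by itself protect stored data; for that the keychain access-control approach from the comments applies.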

1 Answer


Now that I have released my own app in App Store, I think I can give a definitive answer to my question. I actually asked two questions:

  1. Is it OK to use device passcode to authenticate user to an iOS app?

A: Yes. I did this in my app and the app was accepted by App Store.

  2. Why do most, if not all, apps introduce app specific passcode?

A: I'm not 100% sure about this. I think some apps do this because they save user credentials in keychain and want to protect those data with app specific key code. For other apps, however, I suspect they don't use app specific code for anything.

rayx