Touch ID for KeyChain without PIN return

I am working on integrating Touch ID for my login app. Since I am going to save the username and password to be used in the future by touch, I found that localAuthenticate would not work for me and I have to use the new ACL to access the keychain.

I got all the code to read from and write to the keychain with the ACL working fine, but I only see one option, "kSecAccessControlUserPresence", for SecAccessControlCreateFlags in SecAccessControlCreateWithFlags(...). Per the Apple documentation, this allows the user to fall back to the PIN if they don't want to use Touch ID. Is there any way to only allow access to these keys with Touch ID, so that if it fails, the user has to manually enter the credentials?

I have other options, but I try to avoid them:

  • Option A: Use LocalAuthenticate and encrypt my credentials in userdefaults, but I need to figure out where to store the key. Any ideas?

  • Option B: Keep using the ACL and keychain, but I have to figure out whether the user used a PIN or Touch ID. If they used Touch ID, I will use the information I got from the keychain to log in; if they used the PIN, I will ask them again with LocalAuthenticate. If they cancel it, I will not log in; if they are verified with Touch ID, I will use the credentials from the keychain to log in.

UPDATE: Just in case someone asked why I don't want a PIN, our lawyers disagreed with the concept of a four digit PIN to access their keychain where we store passwords.

+3



1 answer


This is now available on iOS 9:



  • kSecAccessControlTouchIDCurrentSet

    - "Touch ID from the set of currently registered fingers. Touch ID must be available and at least one finger must be registered. When fingers are added or removed, the item is invalid."
  • kSecAccessControlTouchIDAny

    - "Touch ID (any finger). Touch ID must be accessible and at least one finger must be enrolled. The item is still accessible with Touch ID even if fingers are added or removed."
+2
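
The following Swift example is added here and is not part of the original answer: it stores a password under `kSecAccessControlTouchIDCurrentSet` (no passcode fallback) and treats any failed read as the cue to ask for the credentials manually. The service name, the function and enum names, and the choice of `kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly` as protection class are assumptions.

```swift
import Foundation
import Security

// Hypothetical service name for this example.
let service = "com.example.login"

enum StoredCredential {
    case password(String)
    case needsManualLogin   // no usable item, or Touch ID failed / was cancelled
}

func savePassword(_ password: String, account: String) -> OSStatus {
    // Touch ID only: no device-passcode fallback, unlike kSecAccessControlUserPresence.
    // Newer SDKs spell this flag .biometryCurrentSet.
    guard let acl = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        .touchIDCurrentSet,
        nil) else { return errSecParam }

    let base: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account]
    SecItemDelete(base as CFDictionary)   // replace any earlier item

    var add = base
    add[kSecAttrAccessControl as String] = acl
    add[kSecValueData as String] = Data(password.utf8)
    return SecItemAdd(add as CFDictionary, nil)
}

func loadPassword(account: String) -> StoredCredential {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecUseOperationPrompt as String: "Log in with Touch ID"]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess, let data = result as? Data,
          let password = String(data: data, encoding: .utf8) else {
        // Item never saved or invalidated by a fingerprint change, user cancelled,
        // or the match failed: ask for the credentials manually.
        return .needsManualLogin
    }
    return .password(password)
}
```

With the `CurrentSet` flag, a successful manual login is the natural point to call `savePassword` again so the item is re-created for the current set of fingers.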

