Menu
I’ve been successfully able to implement TouchID with keychain as well as Keychain Sharing (syncing keychain items between multiple devices) separately. When I try to do them both, I get an error “-50“ which is invalid parameters. From the below code, removing either kSecAttrAccessControl or kSecAttrSynchronizable works as expected.
Based on my experience (read - a few days of frustration) so far, and based on the capabilities of some keychain API simplification tools like UICKeychainStore, it seems like if I use Touch ID Authentication, Keychain Sharing wouldn’t work and vice versa. I’m looking for an Apple documentation that would state that, but unable to find it.
I’ve gone through Apple’s SecItem.h page, and a useful info I found states the following about kSecAttrAccessible and kSecAttrSynchronizable: “If both attributes are specified on either OS X or iOS, the value for the kSecAttrAccessible key may only be one whose name does not end with “ThisDeviceOnly", as those cannot sync to another device.” However, I'm not using "ThisDeviceOnly" (I'm currently using kSecAttrAccessibleAlways for testing purposes)
Can you help in pointing out if and where Apple has documented this limitation? That would help me document it for the records, and move on. Thanks.
- (void)addKeychainItemWithIdentifier:(NSString *)identifier andData:(NSData *)data {
CFErrorRef error = NULL;
SecAccessControlRef sacObject;
sacObject = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
kSecAttrAccessibleAlways,
kSecAccessControlUserPresence, &error);
if(sacObject == NULL || error != NULL)
{
NSString *msg0 = [NSString stringWithFormat:NSLocalizedString(@"SEC_ITEM_ADD_CAN_CREATE_OBJECT", nil), error];
[self printResultWithMessage:msg0];
return;
}
NSDictionary *attributes = @{
(__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
(__bridge id)kSecValueData: data,
(__bridge id)kSecAttrAccessible:(__bridge id)kSecAttrAccessibleAlways,
(__bridge id)kSecAttrService: identifier,
(__bridge id)kSecAttrSynchronizable:(__bridge id)kCFBooleanTrue,
(__bridge id)kSecAttrAccessControl: (__bridge_transfer id)sacObject
};
dispatch_async(dispatch_get_global_queue( DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{
OSStatus status = SecItemAdd((__bridge CFDictionaryRef)attributes, nil);
NSError *statuserror = [NSError errorWithDomain:NSOSStatusErrorDomain code:status userInfo:nil];
[self printResultWithMessage:[self keychainErrorToString:status]];
});
}
620
Tap Settings > Touch ID & Passcode, then enter your passcode. Tap Add a Fingerprint and hold your device as you normally would when touching the Touch ID sensor. Touch the Touch ID sensor with your finger—but don't press—so the device can begin recognizing your fingerprint.
The user can also use Face ID and Touch ID with Apple Pay to make easy and secure purchases in stores, apps, and on the web: Using Face ID in stores: To authorize an in-store payment with Face ID, the user must first confirm intent to pay by double-clicking the side button.
I think I may have found the answer to this
In WWDC 2014 video 711, the following is mentioned at 31:48
ACL Protected Items - No Synchronization, No Back up
Thus Touch ID authentication cannot be used for Keychain Sharing between devices as those items are Device-Only
172
This example project might help, the title is KeychainTouchID: Using Touch ID with Keychain and LocalAuthentication:
https://developer.apple.com/library/ios/samplecode/KeychainTouchID/Introduction/Intro.html
This might be limited to local though, no sharing.
1
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
