I want to store user credentials securely in the iOS Keychain, but I only want the user to be able to use their fingerprint to retrieve the Keychain item. Is there a workflow for calling the Touch ID sensor to retrieve Keychain items with the ability to dismiss the passcode unlock or without falling back to the passcode at all?
I have implemented the methods defined in the WWDC session on Touch ID and Keychain, but I do not want to fall back on the device passcode like they do in their demo. I want the user to sign in traditionally once the fingerprint scan has failed.
Set the Face ID Usage Description key in your app's Info.plist file. Without this key, the system won't allow your app to use Face ID. The value for this key is a string that the system presents to the user the first time your app attempts to use Face ID.
iOS biometrics authentication: Allows you to authenticate when accessing your account from a specific iOS device, using that device's built-in biometrics, through Touch ID or Face ID. You can only sign on to your account from the same device with which you want to authenticate.
@kishikawa-katsumi is right, in iOS 8 there is no way to disable passcode fallback. The kSecAccessControlUserPresence access control flag makes an item accessible after either Touch ID or Passcode authentication succeeds, and it doesn't even require Touch ID to be available.
But this has been improved in iOS 9. Two Touch ID-related flags, kSecAccessControlTouchIDAny and kSecAccessControlTouchIDCurrentSet, have been added.
So, you need to use either of these two flags when creating the access control object for the Keychain item (with the SecAccessControlCreateWithFlags function) and assign that object to the kSecAttrAccessControl attribute when adding the item with the SecItemAdd function.
There is an example from Apple that demonstrates this; see the addTouchIDItemAsync method. Also, see this post for an overview of other security-related changes in iOS 9.
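The steps in the answer above, written out in Swift as an added example (not Apple's sample code and not the answerer's). The service and account strings are hypothetical; `.touchIDAny` is the Swift spelling of kSecAccessControlTouchIDAny, which newer SDKs rename to `.biometryAny`.

```swift
import Foundation
import Security

// Hypothetical identifiers, chosen for this example only.
let service = "com.example.app.login"
let account = "demo-user"

enum KeychainError: Error { case accessControl, status(OSStatus) }

func baseQuery() -> [String: Any] {
    return [kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account]
}

// Store a secret that can only be read after a successful fingerprint match.
func storeSecret(_ secret: Data) throws {
    var cfError: Unmanaged<CFError>?
    // Use .touchIDCurrentSet instead to tie the item to the fingerprints
    // enrolled at the time it is stored.
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        .touchIDAny,
        &cfError) else { throw KeychainError.accessControl }

    SecItemDelete(baseQuery() as CFDictionary)   // replace any earlier copy
    var attrs = baseQuery()
    attrs[kSecAttrAccessControl as String] = access
    attrs[kSecValueData as String] = secret
    let status = SecItemAdd(attrs as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.status(status) }
}

// Returns nil when the fingerprint check fails, is cancelled, or the item
// is missing, so the caller can show the traditional sign-in form.
func readSecret(prompt: String) throws -> Data? {
    var query = baseQuery()
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    query[kSecUseOperationPrompt as String] = prompt
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    switch status {
    case errSecSuccess: return result as? Data
    case errSecUserCanceled, errSecAuthFailed, errSecItemNotFound: return nil
    default: throw KeychainError.status(status)
    }
}
```

SecItemCopyMatching blocks while the fingerprint prompt is on screen, so call readSecret off the main thread.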