Basically what I'm trying to do is figure out a way to encrypt data using Touch ID. Sadly I've not found a way to create an encryptionKey with Touch ID, since the LAContext API only returns an aye/nay response.
I'm implementing different login methods in an app. The supported login methods are a password, a PIN code and Touch ID. The user is free to choose whatever login method he/she wants.
Only the password, however, is sent to the server, which will authenticate the user. As such, only the password is stored in the keychain.
The encryptionKey, used to first encrypt and then store the password in the keychain, is created using whatever method the user chose as login method. If the user chose to use a PIN code, the encryptionKey is derived from that PIN code; the same can be said when the user chose a password as login method.
I've searched on the internet, but only found what I already feared. Since iOS only returns a true or false from the Secure Enclave, it's impossible to create an encryptionKey.
I know the keychain is encrypted by itself, but for security reasons (please don't elaborate on this) I need an encrypted password stored in the keychain.
The reason behind storing data encrypted in the keychain is because the keychain can be breached by jailbreaking a device. And since the app I'm working on allows users to view (mostly) corporate sensitive data, I need to take even jailbreaking into consideration.
Your fingerprint data is encrypted, stored on device, and protected with a key available only to the Secure Enclave. Your fingerprint data is used only by the Secure Enclave to verify that your fingerprint matches the enrolled fingerprint data.
According to Apple, the probability of a Touch ID fingerprint matching is 1:50000, while the probability of guessing a four-digit passcode is 1:10000.
The fingerprint reader on the iPhone 6 can be fooled by the same trick that unlocks the iPhone 5S -- but it didn't have to be that way.
Use the kSecAccessControlTouchIDCurrentSet or kSecAccessControlTouchIDAny keychain access control attributes to protect your encryption key in the keychain. Using this API will fail if the user does not have Touch ID enabled (or the device does not support it), and using kSecAccessControlTouchIDCurrentSet will fail if the user modifies the set of fingerprints. In case of failure, you can then fall back to your normal authentication UI, such as PIN code or password entry.
See the WWDC 2014 session 711 talk, Keychain and Authentication with Touch ID, and WWDC 2015 session 706, Security and Your Apps, for more information.
As a general note, do not store data in the keychain. You should only store passwords, encryption keys or credentials, and use those to decrypt data stored on the disk.
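The approach the answer describes, written out as an added Swift example (this is editor-supplied illustration code, not code from the question or the answer): a random 256-bit key is generated and stored as a keychain item guarded by kSecAccessControlTouchIDCurrentSet, so that reading it back triggers a Touch ID prompt and fails once the enrolled fingerprint set changes; the password is then encrypted with that key rather than stored in the clear. The service and account strings are hypothetical placeholders, the use of AES-GCM via CryptoKit (iOS 13+) for the actual encryption is an assumption the page does not make, and the exact OSStatus codes mapped to "fall back to PIN/password UI" are the ones the Security framework documents for cancelled or failed authentication and for an invalidated item.

```swift
import Foundation
import Security
import CryptoKit  // assumption: iOS 13+; only used for the AES-GCM step, the keychain calls need iOS 8/9

/// A keychain-resident random key that can only be read after a successful Touch ID
/// match against the fingerprints enrolled at the time the key was created.
enum TouchIDKeyStore {
    // Hypothetical identifiers; choose your own service/account names.
    static let service = "com.example.app.password-key"
    static let account = "encryptionKey"

    enum Failure: Error {
        case touchIDUnavailable(OSStatus) // not enrolled / unsupported / no passcode: use PIN or password UI
        case keyInvalidated               // fingerprint set changed since the key was stored (or no key yet)
        case userCancelled                // user dismissed the Touch ID sheet: offer the fallback UI
        case authFailed                   // fingerprint did not match
        case other(OSStatus)
    }

    /// Generates a fresh 256-bit key and stores it under kSecAccessControlTouchIDCurrentSet.
    /// Fails when Touch ID is not available, exactly as the answer describes.
    static func createKey() throws -> Data {
        var bytes = [UInt8](repeating: 0, count: 32)
        let rng = SecRandomCopyBytes(kSecRandomDefault, bytes.count, &bytes)
        guard rng == errSecSuccess else { throw Failure.other(rng) }
        let key = Data(bytes)

        // .touchIDCurrentSet is the Swift spelling of kSecAccessControlTouchIDCurrentSet
        // (renamed .biometryCurrentSet in iOS 11.3, which also covers Face ID).
        var cfError: Unmanaged<CFError>?
        guard let access = SecAccessControlCreateWithFlags(
            nil, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, .touchIDCurrentSet, &cfError)
        else { throw Failure.other(errSecParam) }

        // Remove any previous key first so SecItemAdd does not report errSecDuplicateItem.
        SecItemDelete(baseQuery() as CFDictionary)

        var attrs = baseQuery()
        attrs[kSecValueData as String] = key
        attrs[kSecAttrAccessControl as String] = access
        let status = SecItemAdd(attrs as CFDictionary, nil)
        guard status == errSecSuccess else { throw Failure.touchIDUnavailable(status) }
        return key
    }

    /// Reads the key back. The system shows the Touch ID prompt; the item is unreadable
    /// (reported as errSecItemNotFound) if the enrolled fingerprints changed.
    static func fetchKey(prompt: String) throws -> Data {
        var query = baseQuery()
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        query[kSecUseOperationPrompt as String] = prompt

        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        switch status {
        case errSecSuccess:
            guard let data = result as? Data else { throw Failure.other(status) }
            return data
        case errSecItemNotFound: throw Failure.keyInvalidated
        case errSecUserCanceled: throw Failure.userCancelled
        case errSecAuthFailed:   throw Failure.authFailed
        default:                 throw Failure.other(status)
        }
    }

    private static func baseQuery() -> [String: Any] {
        return [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
        ]
    }
}

/// Encrypting the server password with the Touch ID-guarded key (AES-GCM is an assumption here).
/// The returned blob (nonce + ciphertext + tag) is what you would persist instead of the password.
func sealPassword(_ password: String, with key: Data) throws -> Data {
    let box = try AES.GCM.seal(Data(password.utf8), using: SymmetricKey(data: key))
    guard let combined = box.combined else { throw TouchIDKeyStore.Failure.other(errSecParam) }
    return combined
}

func openPassword(_ blob: Data, with key: Data) throws -> String {
    let box = try AES.GCM.SealedBox(combined: blob)
    let plain = try AES.GCM.open(box, using: SymmetricKey(data: key))
    return String(decoding: plain, as: UTF8.self)
}
```

At login, call fetchKey(prompt:) and, on keyInvalidated, userCancelled or authFailed, route the user to the PIN or password screen exactly as the answer suggests; a successful fallback login is also the moment to call createKey() again, since a key invalidated by a changed fingerprint set cannot be recovered.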