(ios) App Access Control: Device passcode fallback

ACINQ / phoenix

Phoenix is a self-custodial Bitcoin wallet using Lightning to send/receive payments.

https://phoenix.acinq.co

Apache License 2.0

619 stars 93 forks source link

(ios) App Access Control: Device passcode fallback #478

Closed robbiehanson closed 7 months ago

robbiehanson commented 7 months ago

Partially addresses issue #441

Phoenix should provide more options for app access control, each with their own trade-offs:

biometrics authentication: the recommended option. It enables fine-grained control on a device that is shared between several users (e.g. a family), reasonably secure, but less private and prone to hardware malfunction

the device's PIN/password: no fine control and probably less secure, but it's robust

Option 2 was missing from iOS, but fixed via this PR.

If the user:

enables biometrics (Face ID / Touch ID)
but does not enable the passcode fallback
and has not backed up their recovery phrase

then we display this warning:

robbiehanson commented 7 months ago

I think we can just remove that warning altogether : users need to backup their seed regardless of the app-control setting. It's true that a broken biometrics hardware can lock the user out if the passcode fallback was disabled, but that's just an edge case among many and we can't handle all of them.

I agree. And that screen already displays a warning icon next to the "Recovery Phrase", if the user hasn't performed a backup.

Done in 880114a470a5b2793721d744479053cbad5fd15e

robbiehanson commented 7 months ago

Is it possible to let the user only use the Passcode option, without having to enable FaceID/TouchID?

I do not believe this is possible. My understanding is that you have to use LAContext to prompt for iOS authentication. And the supported policies only allow you to determine whether-or-not to allow passcode fallback.

robbiehanson commented 7 months ago

Addresses issue #455