felix-barz-brickmakers
commented
1 year ago What is the status on this. I found this issue via #68 and "followed the tracks" to #73 and #77. As it seems, all of these variants are work in progress.
I would like to know which of these PRs is the desired approach and whats the status on it. So when can we expect this to be fixed? I think this is a security issue with the plugin, as biometric storage is often used with very sensible data. This problem could easily be abused to access data in an app without triggering the biometric prompt.
If none of the proposed solutions is viable in the near future, I would suggest to completely disable the validity support for ios temporarily and always recreate the LAContext until a better solution is found.
ThePrincelle
Abdulaziz4
annawidera
In #70, @hpoul and I have discussed some of the problems with the current behaviour on iOS and I have a potential solution in PR #73 which I have found improves the situation for an iPhone 6 (TouchId) with iOS 12.
I understand that since a lot of the code is shared with macOS, similar issues and solutions will apply to that platform too.
Since it is so difficult to evaluate changes to iOS behaviour without an impossible array of expensive devices, it would be great if anyone else with access to iOS devices could try out the proposed solution in #73 and let us know how it behaves. We'd be particularly interested in anyone who can test newer iOS versions and/or FaceId.
@hpoul can chime in with any additional thoughts but as a starting point, I think this is the current situation:
We create an LAContext the first time authentication is required after storage initialisation (e.g. a read or write request) and this persists for the lifetime of the app.
Once the LAContext has been authenticated once, it remains authenticated "indefinitely" (actually that's the undocumented 10 minutes I've previously mentioned in #70).
If
authenticationValidityDurationSecondsis > 0 and we are attempting a write operation we apply this as atouchIDAuthenticationAllowableReuseDurationsetting to the context.If the context has already been authenticated (e.g. via a previous read operation) this has no effect.
If this
touchIDAuthenticationAllowableReuseDurationgrace period is set before the first time the context needs to authenticate, the context will behave in a way that is somewhat poorly documented across disparate Apple documentation and 3rd party discussions. My best understanding of all of that is that this grace period starts only when unlocking the device with Touch ID (and maybe FaceID); a successful keychain retrieval authentication will not restart the grace period.So, the
touchIDAuthenticationAllowableReuseDurationonly has an effect if the first authentication attempt is within that number of seconds of the user unlocking their phone; all subsequent authentication requests will then automatically succeed (for 10 minutes).If the user takes longer than
touchIDAuthenticationAllowableReuseDurationseconds before the first authentication request is made (or if they have configuredtouchIDAuthenticationAllowableReuseDurationto be <= 0), they will be prompted to authenticate at that point, and then all subsequent authentication requests will automatically succeed.My tests on the current plugin version and my PR leave me pretty confident that the above is accurate with regard to TouchId but less so about whether FaceId behaviour differs.