Open luckyrat opened 2 years ago
What is the status on this. I found this issue via #68 and "followed the tracks" to #73 and #77. As it seems, all of these variants are work in progress.
I would like to know which of these PRs is the desired approach and whats the status on it. So when can we expect this to be fixed? I think this is a security issue with the plugin, as biometric storage is often used with very sensible data. This problem could easily be abused to access data in an app without triggering the biometric prompt.
If none of the proposed solutions is viable in the near future, I would suggest to completely disable the validity support for ios temporarily and always recreate the LAContext until a better solution is found.
Any news on this subject? My app requires the user to pass biometric identification when required. Is this feature going to bring this capability, or if it's already implemented, how should I configure this behavior?
Thanks in advance.
Any update on this ?
I see that there is an open PR #77 with no progress for a few months now, is there a plan to have this resolved in the near future?
Hey @hpoul , hey @luckyrat ! Thank you for your efforts to date towards covering different iOS use cases and behaviours in the context of secure storage. Would be really cool if we could have these changes finalised and published. Is #77 considered a leading branch in this topic? What's still needed to finalise? Do you seek a broader range of hardware configurations to test recent changes against? Is there something uncovered yet?
In #70, @hpoul and I have discussed some of the problems with the current behaviour on iOS and I have a potential solution in PR #73 which I have found improves the situation for an iPhone 6 (TouchId) with iOS 12.
I understand that since a lot of the code is shared with macOS, similar issues and solutions will apply to that platform too.
Since it is so difficult to evaluate changes to iOS behaviour without an impossible array of expensive devices, it would be great if anyone else with access to iOS devices could try out the proposed solution in #73 and let us know how it behaves. We'd be particularly interested in anyone who can test newer iOS versions and/or FaceId.
@hpoul can chime in with any additional thoughts but as a starting point, I think this is the current situation:
We create an LAContext the first time authentication is required after storage initialisation (e.g. a read or write request) and this persists for the lifetime of the app.
Once the LAContext has been authenticated once, it remains authenticated "indefinitely" (actually that's the undocumented 10 minutes I've previously mentioned in #70).
If
authenticationValidityDurationSeconds
is > 0 and we are attempting a write operation we apply this as atouchIDAuthenticationAllowableReuseDuration
setting to the context.If the context has already been authenticated (e.g. via a previous read operation) this has no effect.
If this
touchIDAuthenticationAllowableReuseDuration
grace period is set before the first time the context needs to authenticate, the context will behave in a way that is somewhat poorly documented across disparate Apple documentation and 3rd party discussions. My best understanding of all of that is that this grace period starts only when unlocking the device with Touch ID (and maybe FaceID); a successful keychain retrieval authentication will not restart the grace period.So, the
touchIDAuthenticationAllowableReuseDuration
only has an effect if the first authentication attempt is within that number of seconds of the user unlocking their phone; all subsequent authentication requests will then automatically succeed (for 10 minutes).If the user takes longer than
touchIDAuthenticationAllowableReuseDuration
seconds before the first authentication request is made (or if they have configuredtouchIDAuthenticationAllowableReuseDuration
to be <= 0), they will be prompted to authenticate at that point, and then all subsequent authentication requests will automatically succeed.My tests on the current plugin version and my PR leave me pretty confident that the above is accurate with regard to TouchId but less so about whether FaceId behaviour differs.