Closed netgfx closed 3 years ago
The private key is generated using a library called EllipticCurveKeyPair. This key itself is stored in Secure Enclave. Although this library and the KeyChain API can be used to tie biometrics to it, WebAuthnKit does not tie biometrics to Secure Enclave. The key itself is stored in Secure Enclave, but no biometric authentication is tied to it, only the "userPresence" setting.
https://github.com/lyokato/WebAuthnKit-iOS/blob/e6fca6acc423adaa27f1916341ae564468f9ddf2/WebAuthnKit/Sources/Authenticator/ Internal/KeySupport.swift#L56
In WebAuthnKit, FaceID and TouchID can be used for authentication, but they are not tied to the Secure Enclave key, but are independent authentication using Swift's API (LAContext's evaluatePolicy method)
In other words, it verifies the owner of the device at the time of authentication, but it does not check whether the biometric information is the same as the one used to create the key.
I decided to implement it that way because of the range of supported iOS versions at the time I created this library more than two years ago, and how it fits into the WebAuthn protocol flow.
After looking at the code these were my assessments as well, thanks for taking the time to explain the structure.
One more question if you please. Is it possible to extract the authentication mechanism and have it separate from the UI. I'm asking this because I would like to use the native iOS code for authentication and sending/receiving challenge in Flutter.
The structure is designed in such a way that the authentication flow is the parent and the UI components are the children, so it would be difficult to extract only the components of the authentication flow.
Can we secure the pub/priv keys with biometric authentication when creating them on secure enclave (if they are created and stored there directly)