strongbox-mark
commented
3 years ago Thanks for the report, I've heard another one recently like it about Sleep Mode breaking things too, wonder if it's related. I'll try to investigate shortly.
Open thepaulcooper opened 3 years ago
strongbox-mark
commented
3 years ago Thanks for the report, I've heard another one recently like it about Sleep Mode breaking things too, wonder if it's related. I'll try to investigate shortly.
strongbox-mark
commented
3 years ago HI @thepaulcooper - I've been trying to reproduce this, and from another report I believe it's actually down to using "Sleep Mode".
Do you use "Sleep Mode", timed to come on a certain time in the evening perhaps, alongside Do Not Disturb mode.
I can reproduce the issue with Sleep Mode for sure.
Edit: Probably related: https://www.reddit.com/r/MacOSBeta/comments/iciyy3/mac_will_not_automatically_unlock_when_apple/
thepaulcooper
commented
3 years ago I have Do Not Disturb on my iPhone from 22:00 to 07:00 and it is mirrored to my Watch. I have Sleep monitoring set in the Watch app but the time for this is set in the Health app on the iPhone and I have it set from 22:30 to 06:30. Convoluted !
But in answer to your question, I get the dialog box loop after 22:00, so from the Do Not Disturb time setting. But there may be an interaction between Do Not Disturb and Sleep, especially as Sleep triggers a "wind down' alert from (I think) 22:00.
strongbox-mark
commented
3 years ago OK, strange. Thanks for the extra info. I don't think there's much Strongbox can do here, the system says that Watch Unlock is available (but it's not) and then when Strongbox tries to use it, it fails.
thepaulcooper
commented
3 years ago Ok thanks. Is it possible for you to break the loop, ie go straight to the password entry after dismissing the error message? If the watch fails then don't test for Watch Unlock again until next time the database needs to be opened.
strongbox-mark
commented
3 years ago HI @thepaulcooper - I don't get this loop I'm afraid. I do get the prompt and the immediate fail/error message, but I click ok on that prompt and I'm back where I started, the lock screen where I can manually unlock.
Could you make a screen recording of the issue and send to support@strongboxsafe.com?
ml632
commented
3 years ago To clarify this strange behavior a bit, these are my observations on this bug:
Apple Watch unlock fails whenever the watch is in
but not in Do Not Disturb mode. Although Wind Down Mode looks like Do Not Disturb Mode, Apple actually turns on Sleep Mode with the beginning of the wind down phase usually set to 30 minutes prior to bedtime... In Do Not Disturb Mode, everything works as expected!
Once Apple Watch unlock fails, an error message is displayed. Waiting a few seconds and then acknowledging the error dialogue starts this procedure over again resulting in an endless loop. Only acknowledging the error dialog fast enough (within a second or so), exits this loop and you get to the password dialogue! I have no idea why there should be a timing issue involved here, but for me it's definitely reproducible. The title of this issue might thus be renamed to "When Apple Watch is in Sleep Mode, Strongbox on macOS may get stuck in a dialogue loop". @strongbox-mark: If you still need a screen recording, drop me a note.
Whenever this happens in a macOS dialogue, it also tries to invoke Apple Watch unlock (given my system settings). But in contrast to Strongbox, it fails gracefully and reverts to a dialogue asking for my account password. So Apple's own code seems to handle a failed watch unlock somehow explicitly. I assume that canEvaluatePolicy does not consider Sleep Mode/Wind Down Mode to decide whether an Apple Watch is available or not. Nevertheless, evaluatePolicy fails with an error with Sleep Mode/Wind Down Mode activated and probably indicates this through LAError.Code.watchNotAvailable. From what I learned from glancing at the code, Strongbox does not check for this specific error code. If I'm right: Might checking for this error code here and thus handling it properly be a way to fix this behavior?
Having learned how macOS handles Local Authentication, I'd like to see Strongbox offering an option for policy deviceOwnerAuthentication, maybe by offering the user a drop-down list of available policies for selection instead of the current checkboxes for Touch ID and Apple Watch. Doing so would allow me to use the secure enclave even if biometrics or a Watch are not available. And it would automatically "inherit" system settings with respect to which authentication methods are allowed when deviceOwnerAuthentication is selected. :smile:
Hope this helps!
strongbox-mark
commented
3 years ago Thanks @ml632 - Interesting analysis. As you can see from the code you've referenced if the error code returned from the BiometricHelper is not recognised it will be messaged as an Alert to you, so you should be able to see the error that occurs when your watch is in this state? Is that the case? Do you see an error, if so what is it?
As to your suggestion I'm afraid I'm not inclined in this direction. The Watch/Touch ID settings are intuitive, and there's a plan to add PIN code as a convenience method (like on iOS) in the coming months too. The only thing your suggestion would add is allowing a user to use their logon/system password as a convenience short for their master password which I don't believe brings much convenience and I think would probably be confusing at best in practice.
ml632
commented
3 years ago Thanks @ml632 - Interesting analysis. As you can see from the code you've referenced if the error code returned from the BiometricHelper is not recognised it will be messaged as an Alert to you, so you should be able to see the error that occurs when your watch is in this state? Is that the case? Do you see an error, if so what is it?
That is the case: When my watch is in either Sleep Mode or in Wind Down Mode, Strongbox' authentication fails with an alert "Unknown error. AppleWatch authentication failed" (see attached screenshot). In contrast, QuickType AutoFill fails too, but does not display any alert!
thepaulcooper
commented
3 years ago Thanks @ml632 for your further analysis and clarification of my initial posting. I agree with your description as I was initially unaware of the different modes relating to do-not-disturb, sleep and wind-down.
ml632
commented
2 years ago Any news on this issue or plans whether or when to fix this? The issue still exists with Strongbox 1.16.9 on macOS 12.1. As a non-optimal workaround, I currently have the database-specific setting to automatically prompt for Touch ID deactivated.
strongbox-mark
commented
2 years ago Hi @ml632 - I'm afraid there's been no progress on this. We'd definitely like to, but it might be one we have to escalate to Apple as it just seems like a Watch state bug, the API just returns Authentication failed after the watch has gone to sleep, I'm not sure there's anything Strongbox can do here... Will try to find out if that is the case and then raise with Apple.
Do you see similar behaviour in any other App, or do you use Watch authentication with any other App?
ml632
commented
2 years ago I agree that the API is not handling this situation in a straightforward way and I am curious what Apple might have to say...
I do not use Watch authentication with any other third-party app besides Strongbox, but both with Apples user login screen and system settings app. The behavior there is as follows:
Hope this helps to clarify the situation a little bit further.
strongbox-mark
commented
2 years ago Thanks @ml632 - I will report this to Apple, unfortunately they aren't great at responding, so I might try the dev forums too. Fingers crossed they can fix this or provide a work around.
strongbox-mark
commented
2 years ago @ml632 - Above you mention that there is a dialog loop, is that still the case? Or do you just see the error message once? Could you capture a screen recording of the issue? Thanks.
ml632
commented
2 years ago Using Strongbox 1.16.9 on macOS 12.2 with Wind Down Mode active, I just see the error message once. I cannot reproduce the dialog loop mentioned above any longer, the timing issue seems to be gone. A screen recording is attached. Right between the first and second pop-up window, the watch vibrates and shortly displays the unlock screen, but then immediately returns to its default watch face.
strongbox-mark
commented
2 years ago I believe the loop is caused by the checkbox "Automatically Prompt for ..." - if you check that you'll see the annoying loop... Thanks. I've raised this with Apple, we'll see what they say.
ml632
commented
2 years ago Confirmed, you're right: Activating "Automatically Prompt for ..." results in a dialog loop again.
ThomasWaldmann
commented
1 year ago This still happens, I just had it on current watchOS and current macOS 12.
Ways to get out of the loop:
To avoid the loop:
This may be a watchOS bug but I have observed the following on my MacBook (Big Sur 11.2).
With Do Not Disturb scheduled to start at a certain time each evening, if I then try to open a database when Do Not Disturb is active:
The reason I say it may be a watchOS bug is that this dialogue loop is not repeatable by manually switching off/on Do Not Disturb. It only (and repeatedly every evening) causes the dialogue loop after the Do Not Disturb scheduled start time. (NB the schedule is set on my iPhone and my Apple Watch is set to mirror the iPhone setting.)