Reputation: 1680
I'm adding user authentication support to my app. The only requirement is that the user should be the owner of the device (the app doesn't access remote service and doesn't need to access keys in keychain).
I have read the LocalAuthentication framework docs and done experiments. I know it's technically feasible to call the LocalAuthentication API to authenticate the user using Touch/Face ID first and fall back to asking the user to input the device passcode if that fails.
However, among all the iOS apps I have used, I have never seen one that authenticates the user like that (I mean, using the device passcode). When I enable Touch/Face ID authentication in those apps, all of them asked me to set a shorter and almost never used application-specific passcode first, which in my opinion is not only inconvenient but also insecure. I wonder why they don't just use the device passcode? Is there a policy in the Apple Store that doesn't allow this? Will my app be rejected for doing this? Thanks for any explanation.
UPDATE:
According to this article, using the keychain is more secure than using LocalAuthentication, because the former is a system-level component and the latter is an application-layer component. However, the article suggested using the device passcode, instead of an application-specific passcode, when accessing items in the keychain:
It’s critical that developers set up access control on the keychain so that when users attempt to retrieve a secure item, they must authenticate with the device passcode (and therefore, Face ID when enabled).
Upvotes: 1
Views: 986
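The two approaches the question and its update describe, as an added Swift example (not code from the original post): `.deviceOwnerAuthentication` is the LocalAuthentication policy that lets the system fall back to the device passcode, and `.userPresence` access control makes the keychain itself demand biometrics-or-passcode on read. The function names and the `"login-token"` account name are assumptions.

```swift
import Foundation
import LocalAuthentication
import Security

/// Prompt for Face ID / Touch ID and let the system fall back to the device passcode.
/// `.deviceOwnerAuthentication` (not `.deviceOwnerAuthenticationWithBiometrics`)
/// is what enables the passcode fallback.
func authenticateDeviceOwner(reason: String, completion: @escaping (Bool, Error?) -> Void) {
    let context = LAContext()
    var error: NSError?
    guard context.canEvaluatePolicy(.deviceOwnerAuthentication, error: &error) else {
        completion(false, error)   // no passcode set on the device: nothing to check against
        return
    }
    context.evaluatePolicy(.deviceOwnerAuthentication, localizedReason: reason) { ok, err in
        completion(ok, err)
    }
}

/// Store a secret so the keychain itself requires device-owner authentication on read.
/// kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly additionally makes the item
/// unavailable (it is removed) if the user later turns the passcode off.
func storeProtectedSecret(_ data: Data, account: String) -> OSStatus {
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        .userPresence,          // biometrics or device passcode, chosen by the system
        nil) else { return errSecParam }
    let lookup: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrAccount as String: account
    ]
    SecItemDelete(lookup as CFDictionary)   // replace any previously stored item
    var attrs = lookup
    attrs[kSecAttrAccessControl as String] = access
    attrs[kSecValueData as String] = data
    return SecItemAdd(attrs as CFDictionary, nil)
}

/// Read it back; the system presents the authentication prompt, not the app.
func readProtectedSecret(account: String, reason: String) -> Data? {
    let context = LAContext()
    context.localizedReason = reason
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecUseAuthenticationContext as String: context
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    return status == errSecSuccess ? result as? Data : nil
}
```

Usage: `storeProtectedSecret(token, account: "login-token")` once, then `readProtectedSecret(account: "login-token", reason: "Unlock your data")` on each launch; no app-specific passcode is involved, and the protected item is never readable without the device passcode or its biometric equivalent.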
Reputation: 1680
Now that I have released my own app on the App Store, I think I can give a definitive answer to my question. I actually asked two questions:
A: Yes. I did this in my app and the app was accepted by App Store.
A: I'm not 100% sure about this. I think some apps do this because they save user credentials in the keychain and want to protect that data with an app-specific key code. For other apps, however, I suspect they don't use the app-specific code for anything.
Upvotes: 2