How to ignore iOS device PIN Prompt after 3 incorrect touch/face id recognitions

女生的网名这么多〃 submitted on 2019-12-11 15:57:33

Question


Our app saves and retrieves items from Keychain for authentication using biometrics.

On the 3rd incorrect attempt, I'm getting redirected to the device PIN code. Instead, I would like to prompt a message saying 3 incorrect tries.

Code for retrieving the items

OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)(query), &dataTypeRef);

Saw the expected behaviour with the Bank of America app, where it shows a message that the user needs to log in manually after 3 incorrect tries.


Answer 1:


I assume you're using the kSecAccessControlUserPresence option in your SecAccessControlCreateWithFlags item that is part of your query to add items to the keychain. Somewhere you have something that looks like this:

SecAccessControlRef access = SecAccessControlCreateWithFlags(nil,
                        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
                        kSecAccessControlUserPresence,
                        nil);

The documentation for the kSecAccessControlUserPresence option states:

Constraint to access an item with either biometry or passcode.

It will fall back to a passcode as needed. To limit this to only use biometrics, you should use the kSecAccessControlBiometryAny or kSecAccessControlBiometryCurrentSet flags. Both require either TouchID or FaceID to unlock the item. kSecAccessControlBiometryAny requires any matching biometrics, even if they are changed after the keychain item is set. kSecAccessControlBiometryCurrentSet causes the item to be invalidated if the user adds or removes fingers from TouchID or reenrolls for FaceID.

You should change the above access control code to either this for kSecAccessControlBiometryAny:

SecAccessControlRef access = SecAccessControlCreateWithFlags(nil,
                        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
                        kSecAccessControlBiometryAny,
                        nil);

or this for kSecAccessControlBiometryCurrentSet:

SecAccessControlRef access = SecAccessControlCreateWithFlags(nil,
                        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
                        kSecAccessControlBiometryCurrentSet,
                        nil);

Apple documentation on the SecAccessControlCreateFlags: https://developer.apple.com/documentation/security/secaccesscontrolcreateflags?changes=_2&language=objc
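An added example, not part of the original answer: storing an item with a biometry-only access control and turning a failed read into the app's own message instead of a passcode prompt. The service and account names, the helper function names, and the mapping from OSStatus to message text are assumptions made for this example.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical identifiers, chosen for this example only.
static NSString *const kExampleService = @"com.example.app.auth";
static NSString *const kExampleAccount = @"session-token";

static NSMutableDictionary *ExampleBaseQuery(void) {
    return [@{ (__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
               (__bridge id)kSecAttrService: kExampleService,
               (__bridge id)kSecAttrAccount: kExampleAccount } mutableCopy];
}

// Save the secret so that only biometrics can release it (no passcode fallback).
static OSStatus ExampleStoreSecret(NSData *secret) {
    CFErrorRef error = NULL;
    SecAccessControlRef access = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
                            kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
                            kSecAccessControlBiometryCurrentSet,
                            &error);
    if (access == NULL) {
        if (error != NULL) CFRelease(error);
        return errSecParam;
    }
    // The access control is fixed when the item is added, so an item saved
    // earlier with kSecAccessControlUserPresence has to be deleted and re-added.
    SecItemDelete((__bridge CFDictionaryRef)ExampleBaseQuery());
    NSMutableDictionary *attrs = ExampleBaseQuery();
    attrs[(__bridge id)kSecValueData] = secret;
    attrs[(__bridge id)kSecAttrAccessControl] = (__bridge_transfer id)access;
    return SecItemAdd((__bridge CFDictionaryRef)attrs, NULL);
}

// Read the secret; on failure return nil and set *message for the app's own UI.
static NSData *ExampleReadSecret(NSString **message) {
    NSMutableDictionary *query = ExampleBaseQuery();
    query[(__bridge id)kSecReturnData] = @YES;
    query[(__bridge id)kSecMatchLimit] = (__bridge id)kSecMatchLimitOne;
    CFTypeRef dataTypeRef = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)(query), &dataTypeRef);
    if (status == errSecSuccess) return (__bridge_transfer NSData *)dataTypeRef;
    // Status-to-message mapping is this example's assumption; confirm on a device.
    NSString *text;
    if (status == errSecAuthFailed)        text = @"Biometric authentication failed. Please log in manually.";
    else if (status == errSecUserCanceled) text = @"Authentication cancelled.";
    else if (status == errSecItemNotFound) text = @"No usable saved credentials. Please log in manually.";
    else text = [NSString stringWithFormat:@"Keychain error %d", (int)status];
    if (message != NULL) *message = text;
    return nil;
}
```

The code assumes ARC. With kSecAccessControlBiometryCurrentSet, a change to the enrolled fingers or face invalidates the item, so the manual login path must be able to save it again.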



Source: https://stackoverflow.com/questions/50820505/how-to-ignore-ios-device-pin-prompt-after-3-incorrect-touch-face-id-recognitions
