It is encrypted with a private key stored in Secure Enclave • Biometry data is used by Secure Enclave only • It can’t be accessed by OS or any application
Keychain is for storing passwords and tokens, not files • Each item is protected by the passcode/biometry and a device secret • Keychain items are available once the user has authenticated to the device
The secret is stored in the Keychain. • When the protected action is triggered, the Keychain item must be unlocked with Touch ID to get the secret. • The backend (BE) must require the client to include that secret when the protected action is performed; a client-side Touch ID check that the server never verifies can simply be skipped by a modified client.
WHAT ELSE CAN GO WRONG?
Use any of the registered fingerprints • kSecAccessControlTouchIDCurrentSet – Use the set of fingerprints enrolled when the data was saved to the Keychain. If the enrolled set changes (a finger is added or removed), Touch ID evaluation for that item fails.
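Putting the two slides together as an added example (this is not code from the original deck): a Swift snippet that saves a server-issued secret under a kSecAccessControlTouchIDCurrentSet access control, reads it back under a Touch ID prompt when the protected action runs, and attaches it to the request so the backend can verify it. The service/account names, the request URL and the header name are constructed for this example; the Security and LocalAuthentication calls are the real framework APIs.

```swift
import Foundation
import Security
import LocalAuthentication

// Constructed identifiers for this example; any app-specific values work.
let kService = "com.example.protected-action"
let kAccount = "action-secret"

/// Save the secret so it can only be read with the fingerprint set that is
/// enrolled right now (kSecAccessControlTouchIDCurrentSet). Newer SDKs spell
/// the flag `.biometryCurrentSet`; the behaviour is the same.
func storeSecret(_ secret: Data) -> OSStatus {
    var aclError: Unmanaged<CFError>?
    guard let acl = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, // no passcode, no item
        .touchIDCurrentSet,
        &aclError) else {
        return errSecParam
    }
    let base: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: kService,
        kSecAttrAccount as String: kAccount
    ]
    // Replace any previous copy (e.g. after the backend re-issued the secret).
    SecItemDelete(base as CFDictionary)

    var add = base
    add[kSecAttrAccessControl as String] = acl
    add[kSecValueData as String] = secret
    return SecItemAdd(add as CFDictionary, nil) // adding never prompts for Touch ID
}

enum SecretReadResult {
    case ok(Data)
    case cancelled                 // user dismissed the prompt
    case invalidated               // fingerprint set changed: re-enroll with the backend
    case failed(OSStatus)
}

/// Read the secret; the Keychain shows the Touch ID prompt with `reason`.
func readSecret(reason: String) -> SecretReadResult {
    let context = LAContext()
    context.localizedReason = reason
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: kService,
        kSecAttrAccount as String: kAccount,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
        kSecUseAuthenticationContext as String: context
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    switch status {
    case errSecSuccess:
        guard let data = item as? Data else { return .failed(errSecDecode) }
        return .ok(data)
    case errSecUserCanceled:
        return .cancelled
    case errSecItemNotFound, errSecAuthFailed:
        // With TouchIDCurrentSet the item becomes unreadable once the enrolled
        // fingerprints change, so the app must obtain a fresh secret from the backend.
        return .invalidated
    default:
        return .failed(status)
    }
}

/// The protected action: the secret travels with the request so the backend,
/// not the UI, is what actually gates the operation.
func performProtectedAction(session: URLSession = .shared) -> URLRequest? {
    switch readSecret(reason: "Confirm this action") {
    case .ok(let secret):
        // Constructed endpoint and header name for this example.
        var request = URLRequest(url: URL(string: "https://api.example.com/transfer")!)
        request.httpMethod = "POST"
        request.setValue(secret.base64EncodedString(), forHTTPHeaderField: "X-Action-Secret")
        return request
    case .cancelled, .invalidated, .failed:
        return nil // the action is not sent at all without the secret
    }
}
```

The backend side is the part that cannot be bypassed from the device: it stores the secret it issued per user/device, compares the header value with a constant-time comparison, and rejects the action when the header is missing or wrong. The `.invalidated` branch is what the TouchIDCurrentSet slide describes; handling it by re-provisioning the secret (after the user authenticates to the backend again) is what keeps a newly enrolled finger from inheriting the old authorization.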
unlock your device is 1 in 50 000 ★ For Face ID it is 1 in 1 000 000 ★ To compare: a 4 digit passcode has a 1 in 10 000 chance while a 6 digit passcode has 1 in 1 000 000 https://images.apple.com/business/docs/FaceID_Security_Guide.pdf
OWASP MSTG – Testing Local Authentication https://github.com/OWASP/owasp-mstg/blob/master/Document/0x06f-Testing-Local-Authentication.md • iOS Security Guide https://www.apple.com/business/site/docs/iOS_Security_Guide.pdf • WWDC 14 – Keychain and Authentication with Touch ID https://devstreaming-cdn.apple.com/videos/wwdc/2014/711xx6j5wzufu78/711/711_keychain_and_authentication_with_touch_id.pdf • David Lindner – Don’t Touch Me That Way https://nvisium.com/blog/2016/06/22/dont-touch-me-that-way.html