ios8 TouchID detection if fingerprint was added

2019-03-25 05:25发布

问题:

Im digging into Apple's Touch ID, more precisely the Local Authenticator. The documentation as of now is pretty sparse. Its mainly just this:

LAContext *myContext = [[LAContext alloc] init];
NSError *authError = nil;
NSString *myLocalizedReasonString = <#String explaining why app needs authentication#>;

if ([myContext canEvaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics    error:&authError]) {
[myContext evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics
              localizedReason:myLocalizedReasonString
                        reply:^(BOOL success, NSError *error) {
        if (success) {
            // User authenticated successfully, take appropriate action
        } else {
            // User did not authenticate successfully, look at error and take appropriate action
        }
    }];
} else {
// Could not evaluate policy; look at authError and present an appropriate message to user
}

as taken from https://developer.apple.com/documentation/localauthentication

The idea of using your fingerprint for authentication is nice. But I can add fingerprints in the device if I know the passcode. And its very easy to get the passcode, like you sit in the train next to ur victim and watch him/her enter the passcode.

I want to use the fingerprint as a way of secure authentication but want to be able to detect if new fingerprints were added since the last time I requested the fingerprint.

Apple is doing this for the AppStore. If you want to authenticate a transaction in the AppStore and have added a new Fingerprint since your last transaction, the AppStore requests your AppleId-Password. This is sane behaviour, because the phone might have been taken by someone else who knows the passcode and added his own fingerprint to buy something expensive.

My Question: Can I detect if a new fingerprint was added since the last time that I used Local Authenticator?

回答1:

In short; no.

In a bit more detail; the LocalAuthentication framework is a tightly-guarded black box. The information you get back from it is very limited. Your interaction with it goes something like this:

  • Ask it if it's able to authenticate for some type of policy (there is only 1 available at time of writing - Biometrics (Touch ID))
  • If it can, ask it to actually do it
  • The system takes over for the actual authentication
  • It lets you know if the authentication was successful or not (if not, it tells you why)

You have no concept of the actual authentication process (which finger was used, for example). This, of course, is by design. Apple does not want, nor need, to give you access to such information.



回答2:

This is now possible in iOS9. The property evaluatedPolicyDomainState has been added to LAContext.

If the fingerprint database is modified (fingers were added or removed), the data returned by evaluatedPolicyDomainState will change. The nature of the changes cannot be determined but by comparing data of evaluatedPolicyDomainState after different evaluatePolicy calls you can detect that the set of fingerprints has been modified.

Note that this property is set only when evaluatePolicy is called and a succesful Touch ID authentication was performed, or when canEvaluatePolicy succeeds for a biometric policy.



回答3:

As Keith stated, in iOS 9 it's possible. You should do it like this.

    let context = LAContext()
    context.canEvaluatePolicy(.DeviceOwnerAuthenticationWithBiometrics, error: nil)

    if let domainState = context.evaluatedPolicyDomainState
        where domainState == oldDomainState  {
        // Enrollment state the same

    } else {
        // Enrollment state changed

    }

Every time you add or delete a fingerprint, the domain state changes. You need to call canEvaluatePolicy for evaluatedPolicyDomainStateto be updated.



回答4:

This is the code in objective-c, to verify if a fingerprint was added or removed:

    - (void)evaluatedPolicyDomainState {
    LAContext *context = [[LAContext alloc] init];
    __block  NSString *message;

    // show the authentication UI with reason string
    [context evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics localizedReason:@"Unlock access to locked feature" reply:^(BOOL success, NSError *authenticationError) {

        if (success) {

            // load the last domain state from touch id
            NSUserDefaults *defaults = [NSUserDefaults standardUserDefaults];

            NSData *oldDomainState = [defaults objectForKey:@"domainTouchID"];

            NSData *domainState = [context evaluatedPolicyDomainState];

            // check for domain state changes
            if ([oldDomainState isEqual:domainState]) {             
                message = @"nothing change.";
            } else {
                message = @"domain state was changed!";
            }

            // save the domain state that will be loaded next time
            oldDomainState = [context evaluatedPolicyDomainState];
            [defaults setObject:oldDomainState forKey:@"domainTouchID"];
            [defaults synchronize];

        } else {
            message = [NSString stringWithFormat:@"evaluatePolicy: %@", authenticationError.localizedDescription];
        }

        [self printMessage:message inTextView:self.textView];
    }];
}


回答5:

I would recommend to store the evaluatedPolicyDomainState value into keychain instead of storing it in NSUserDefault.

You can convert the data value of evaluatedPolicyDomainState into string, which is a 44 character string. Below is the code to convert the evaluatedPolicyDomainState data value into string -

if context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: nil) {
    if let domainState = context.evaluatedPolicyDomainState {
        let bData = domainState.base64EncodedData()
        if let decodedString = String(data: bData, encoding: .utf8) {
            print("Decoded Value: \(decodedString)")
        }
    }
}

Now if the device owner made any change in Touch ID like adding a new finger Id; then this data value will be changed and you can take necessary steps to handle the change based on your project needs.



回答6:

I would like to add something,

-(BOOL)hasFingerPrintChanged
{
   BOOL changed = NO;

   LAContext *context = [[LAContext alloc] init];
   [context canEvaluatePolicy:LAPolicyDeviceOwnerAuthentication error:nil];

   NSData *domainState = [context evaluatedPolicyDomainState];

   // load the last domain state from touch id
   NSUserDefaults *defaults = [NSUserDefaults standardUserDefaults];
   NSData *oldDomainState = [defaults objectForKey:@"domainTouchID"];

        if (oldDomainState)
        {
            // check for domain state changes

            if ([oldDomainState isEqual:domainState])
            {
                NSLog(@"nothing changed.");
            }
            else
            {
                changed = YES;
                NSLog(@"domain state was changed!");

                NSString *message = @"Your Touch ID is invalidated, because you have added or removed finger(s).";

            }

        }

        // save the domain state that will be loaded next time
    [defaults setObject:domainState forKey:@"domainTouchID"];
    [defaults synchronize];


        return changed;
    }

It's better to store user password etc in keychain. I'm using https://github.com/reidmain/FDKeychain