How to ignore iOS device PIN Prompt after 3 incorr

Posted 2019-08-22 01:10

Our app saves and retrieves items from Keychain for authentication using biometrics.

On the 3rd incorrect attempt, I'm getting redirected to the device PIN code. Instead, I would like to show a message saying 3 incorrect tries.

Code for retrieving the items

OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)(query), &dataTypeRef);

I saw the expected behaviour in the Bank of America app, which shows a message that the user needs to log in manually after 3 incorrect tries.

1 answer
仙女界的扛把子
Post #2 · 2019-08-22 01:43

I assume you're using the kSecAccessControlUserPresence option in your SecAccessControlCreateWithFlags item that is part of your query to add items to the keychain. Somewhere you have something that looks like this:

SecAccessControlRef access = SecAccessControlCreateWithFlags(nil,
                        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
                        kSecAccessControlUserPresence,
                        nil);

The documentation for kSecAccessControlUserPresence option states:

Constraint to access an item with either biometry or passcode.

It will fall back to a passcode as needed. To limit this to only use biometrics, you should use the kSecAccessControlBiometryAny or kSecAccessControlBiometryCurrentSet flags. Both require either TouchID or FaceID to unlock the item. kSecAccessControlBiometryAny requires any matching biometrics, even if they are changed after the keychain item is set. kSecAccessControlBiometryCurrentSet causes the item to be invalidated if the user adds or removes fingers from TouchID or reenrolls for FaceID.

You should change the above access control code to either this for kSecAccessControlBiometryAny:

SecAccessControlRef access = SecAccessControlCreateWithFlags(nil,
                        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
                        kSecAccessControlBiometryAny,
                        nil);

or this for kSecAccessControlBiometryCurrentSet:

SecAccessControlRef access = SecAccessControlCreateWithFlags(nil,
                        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
                        kSecAccessControlBiometryCurrentSet,
                        nil);

Apple documentation on the SecAccessControlCreateFlags: https://developer.apple.com/documentation/security/secaccesscontrolcreateflags?changes=_2&language=objc
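
An added example, not part of the original answer: storing an item with the biometry-only flag and mapping the `SecItemCopyMatching` status to an app-level message, so the app shows its own "log in manually" text in place of the passcode screen. The service and account strings and the `Demo*` function names are hypothetical; the code assumes ARC, and callers must pass a non-NULL `userMessage`.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical identifiers for this example only. Build with ARC.
static NSString *const kDemoService = @"com.example.app.login";
static NSString *const kDemoAccount = @"primary";

static NSDictionary *DemoBaseQuery(void) {
    return @{ (__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
              (__bridge id)kSecAttrService: kDemoService,
              (__bridge id)kSecAttrAccount: kDemoAccount };
}

// Store the secret so that only biometrics (no passcode fallback) can release it.
static OSStatus DemoStoreSecret(NSData *secret) {
    CFErrorRef error = NULL;
    SecAccessControlRef access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        kSecAccessControlBiometryCurrentSet, &error);
    if (access == NULL) {                // access control object was not created
        if (error) CFRelease(error);
        return errSecParam;              // this example's choice of status
    }
    SecItemDelete((__bridge CFDictionaryRef)DemoBaseQuery()); // replace older item
    NSMutableDictionary *add = [DemoBaseQuery() mutableCopy];
    add[(__bridge id)kSecAttrAccessControl] = (__bridge_transfer id)access;
    add[(__bridge id)kSecValueData] = secret;
    return SecItemAdd((__bridge CFDictionaryRef)add, NULL);
}

// Returns the secret, or nil with *userMessage set to text the app can show.
// Every non-success status ends on the manual-login path; none falls back to
// the device passcode, because the item was stored without that option.
static NSData *DemoReadSecret(NSString **userMessage) {
    NSMutableDictionary *query = [DemoBaseQuery() mutableCopy];
    query[(__bridge id)kSecReturnData] = @YES;
    query[(__bridge id)kSecMatchLimit] = (__bridge id)kSecMatchLimitOne;
    CFTypeRef dataTypeRef = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &dataTypeRef);
    switch (status) {
        case errSecSuccess:
            *userMessage = nil;
            return (__bridge_transfer NSData *)dataTypeRef;
        case errSecUserCanceled:
            *userMessage = @"Biometric login cancelled. Please log in manually."; break;
        case errSecItemNotFound:
            *userMessage = @"No saved login found. Please log in manually."; break;
        default:  // includes errSecAuthFailed
            *userMessage = @"Biometric login failed. Please log in manually."; break;
    }
    return nil;
}
```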
