I'm digging into Apple's Touch ID, more precisely the Local Authenticator. The documentation as of now is pretty sparse. It's mainly just this:
LAContext *myContext = [[LAContext alloc] init];
NSError *authError = nil;
NSString *myLocalizedReasonString = <#String explaining why app needs authentication#>;
if ([myContext canEvaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics error:&authError]) {
    [myContext evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics
              localizedReason:myLocalizedReasonString
                        reply:^(BOOL success, NSError *error) {
        if (success) {
            // User authenticated successfully, take appropriate action
        } else {
            // User did not authenticate successfully, look at error and take appropriate action
        }
    }];
} else {
    // Could not evaluate policy; look at authError and present an appropriate message to user
}
as taken from https://developer.apple.com/documentation/localauthentication
The idea of using your fingerprint for authentication is nice. But I can add fingerprints to the device if I know the passcode. And it's very easy to get the passcode, like you sit in the train next to your victim and watch him/her enter the passcode.
I want to use the fingerprint as a way of secure authentication but want to be able to detect if new fingerprints were added since the last time I requested the fingerprint.
Apple is doing this for the AppStore. If you want to authenticate a transaction in the AppStore and have added a new Fingerprint since your last transaction, the AppStore requests your AppleId-Password. This is sane behaviour, because the phone might have been taken by someone else who knows the passcode and added his own fingerprint to buy something expensive.
My Question: Can I detect if a new fingerprint was added since the last time that I used Local Authenticator?
As Keith stated, in iOS 9 it's possible. You should do it like this.
Every time you add or delete a fingerprint, the domain state changes. You need to call canEvaluatePolicy for evaluatedPolicyDomainState to be updated.
This is now possible in iOS 9. The property evaluatedPolicyDomainState has been added to LAContext.
If the fingerprint database is modified (fingers were added or removed), the data returned by evaluatedPolicyDomainState will change. The nature of the changes cannot be determined but by comparing data of evaluatedPolicyDomainState after different evaluatePolicy calls you can detect that the set of fingerprints has been modified.
Note that this property is set only when evaluatePolicy is called and a successful Touch ID authentication was performed, or when canEvaluatePolicy succeeds for a biometric policy.
In short; no.
In a bit more detail; the LocalAuthentication framework is a tightly-guarded black box. The information you get back from it is very limited. Your interaction with it goes something like this:
You have no concept of the actual authentication process (which finger was used, for example). This, of course, is by design. Apple does not want, nor need, to give you access to such information.
I would recommend storing the evaluatedPolicyDomainState value in the keychain instead of storing it in NSUserDefaults.
You can convert the data value of evaluatedPolicyDomainState into a string, which is a 44-character string. Below is the code to convert the evaluatedPolicyDomainState data value into a string -
Now if the device owner made any change in Touch ID like adding a new finger Id; then this data value will be changed and you can take necessary steps to handle the change based on your project needs.
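An added example, not part of any answer on this page: one way to combine the two suggestions above, comparing evaluatedPolicyDomainState against a baseline kept in the keychain. The service and account strings, the function names and the enum are hypothetical, and the keychain is accessed through the Security framework directly.

```objective-c
#import <LocalAuthentication/LocalAuthentication.h>
#import <Security/Security.h>

// Hypothetical keychain item names, chosen for this example.
static NSDictionary *BaselineQuery(void) {
    return @{ (__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
              (__bridge id)kSecAttrService: @"com.example.app.biometry",
              (__bridge id)kSecAttrAccount: @"evaluatedPolicyDomainState" };
}

static NSData *LoadBaseline(void) {
    NSMutableDictionary *q = [BaselineQuery() mutableCopy];
    q[(__bridge id)kSecReturnData] = @YES;
    q[(__bridge id)kSecMatchLimit] = (__bridge id)kSecMatchLimitOne;
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)q, &result);
    return status == errSecSuccess ? (__bridge_transfer NSData *)result : nil;
}

// Call on first enrolment and again after the user has re-proved identity.
static BOOL StoreBaseline(NSData *state) {
    NSDictionary *attrs = @{ (__bridge id)kSecValueData: state };
    OSStatus status = SecItemUpdate((__bridge CFDictionaryRef)BaselineQuery(),
                                    (__bridge CFDictionaryRef)attrs);
    if (status == errSecItemNotFound) {
        NSMutableDictionary *add = [BaselineQuery() mutableCopy];
        add[(__bridge id)kSecValueData] = state;
        // ThisDeviceOnly: the baseline must not migrate to another device.
        add[(__bridge id)kSecAttrAccessible] = (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly;
        status = SecItemAdd((__bridge CFDictionaryRef)add, NULL);
    }
    return status == errSecSuccess;
}

typedef NS_ENUM(NSInteger, BiometrySetStatus) {
    BiometrySetUnavailable, // policy not evaluable, or baseline could not be saved
    BiometrySetFirstSeen,   // no baseline existed; current state stored
    BiometrySetUnchanged,
    BiometrySetChanged      // fingers were added or removed since the baseline
};

static BiometrySetStatus CheckBiometrySet(void) {
    LAContext *ctx = [[LAContext alloc] init];
    BOOL ok = [ctx canEvaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics error:nil];
    NSData *current = ctx.evaluatedPolicyDomainState; // set when canEvaluatePolicy succeeds
    if (!ok || current == nil) return BiometrySetUnavailable;
    NSData *baseline = LoadBaseline();
    if (baseline == nil) return StoreBaseline(current) ? BiometrySetFirstSeen : BiometrySetUnavailable;
    return [baseline isEqualToData:current] ? BiometrySetUnchanged : BiometrySetChanged;
}
```

On BiometrySetChanged, ask for the account password (as the App Store does in the question) before calling StoreBaseline with the new value; overwriting the baseline automatically would hide the change.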
I would like to add something,
It's better to store user password etc. in the keychain. I'm using https://github.com/reidmain/FDKeychain
This is the code in Objective-C, to verify if a fingerprint was added or removed: