I would like to point out that this issue hasn't had any answer in 3 years. It is still very valid and necessary for us. Could someone review and revive it?
To be clear: I want to have an ACL for a Secure Enclave slot that is not the device PIN but a user-chosen password (like kSecAccessControlApplicationPassword), and I want to allow for a biometric shortcut in the same way this works with ACLs that use the device PIN with a biometric shortcut and fallback to the PIN. To my knowledge, this combination is currently not supported in the SE.
The main motivation is security. We need a secret that is used less often and thus has a lower chance of being observed by a bystander. The device PIN is often known by family members of our users. If we allow for a custom secret that is only used during business hours, it most likely is not used at home. Having a biometric shortcut will also reduce the risk of observing the secret and has the side effect of being more convenient for the user. Invalidating the biometric shortcut (like after a restart) should be the same as the existing functionality.