Biometrics error LAErrorNotInteractive in network extension

We've been using LAContext -evaluatePolicy:localizedReason:reply: in our packet tunnel provider extension without problems, but with the release of iOS 13.3.1 we're now getting LAErrorNotInteractive. We are not setting interactionNotAllowed (and I tried forcing it to NO w/no change in behavior).


NSError *err = nil;
LAContext *bioContext = [LAContext new];
if ([bioContext canEvaluatePolicy:LAPolicyDeviceOwnerAuthentication error:&err]) {
    [bioContext evaluatePolicy:LAPolicyDeviceOwnerAuthentication localizedReason:@"string" reply:^(BOOL success, NSError * _Nullable error) {
        // ... error is LAErrorNotInteractive here ...
    }];
}

Is there a new restriction on calling this from an extension because of the need to display UI?

Replies

I’m kinda surprised this ever worked. What were you using it for?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

We have a "require biometrics" feature as part of our authentication, which if enabled makes the user use Face/TouchID to connect the VPN. That's in addition to a password and/or cert. Combined with other settings an admin could, say, allow a user to cache their password to make login easier, but only if the FaceID check succeeds.

Interesting. That seems like a reasonable use case to me but it presents some architectural challenges to iOS. I have a couple of suggestions, neither of which will come as a huge surprise:

  • You should file a bug about the 13.3.1 regression, explaining your use case.

    It wouldn’t surprise me if this comes back as ‘behaves correctly’. If that happens, file an enhancement request for a way for NE providers to use biometrics.

    Please post your bug number, just for the record.

  • As a workaround, you can use a local notification to tell the user that they need to authenticate in your app. When they tap that notification, your app will come to the front and you can authenticate from there.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
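
A sketch of the notification workaround described in the reply above, as an added example that is not code from the thread or from Apple. The request identifier, the two function names and the `report` callback (however the app passes the result back to the provider) are hypothetical, and it assumes the containing app has already obtained notification permission.

```objc
#import <LocalAuthentication/LocalAuthentication.h>
#import <UserNotifications/UserNotifications.h>

// Hypothetical identifier the containing app uses to recognise the request.
static NSString * const kBiometricRequestID = @"com.example.vpn.biometric-request";

// Packet tunnel provider side: no LAContext call here (it fails with
// LAErrorNotInteractive); ask the user to open the containing app instead.
static void RequestBiometricsInApp(void (^completion)(NSError * _Nullable error)) {
    UNMutableNotificationContent *content = [UNMutableNotificationContent new];
    content.title = @"Authentication required";
    content.body = @"Tap to confirm with Face ID or Touch ID before the VPN connects.";
    // A nil trigger delivers the notification immediately.
    UNNotificationRequest *request =
        [UNNotificationRequest requestWithIdentifier:kBiometricRequestID
                                             content:content
                                             trigger:nil];
    [[UNUserNotificationCenter currentNotificationCenter]
        addNotificationRequest:request withCompletionHandler:completion];
}

// Containing app side: call this from
// -userNotificationCenter:didReceiveNotificationResponse:withCompletionHandler:
// once the tap has brought the app to the foreground.
static void HandleBiometricRequest(UNNotificationResponse *response,
                                   void (^report)(BOOL success, NSError * _Nullable error)) {
    if (![response.notification.request.identifier isEqualToString:kBiometricRequestID]) {
        return; // Not the provider's request; ignore it.
    }
    NSError *err = nil;
    LAContext *context = [LAContext new];
    if (![context canEvaluatePolicy:LAPolicyDeviceOwnerAuthentication error:&err]) {
        report(NO, err); // Fail closed when the policy cannot be evaluated.
        return;
    }
    [context evaluatePolicy:LAPolicyDeviceOwnerAuthentication
            localizedReason:@"Confirm it is you before connecting the VPN"
                      reply:^(BOOL success, NSError * _Nullable error) {
        // Anything other than success must leave the tunnel unauthenticated.
        report(success, error);
    }];
}
```

The provider should treat a missing or failed report as a denied check, so that a dismissed notification never results in a connected tunnel.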

Thanks Quinn. No surprise there - we already pop notifications for similar user interactions.


I posted bug FB7599661 (don't you miss saying "radar"?)

I posted bug FB7599661

Thanks.

(don't you miss saying "radar"?)

Not in that way. To me radar has always meant the Radar app. Using radar as a shortcut for Radar bug is a neologism that I’ve never been comfortable with.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Has anything come from this? We're seeing this error as well and can't seem to be able to duplicate it.

niclaughter wrote:

Has anything come from this?

I recently had cause to discuss this with the LocalAuthentication team in a completely different context (authorization plug-ins). The word from them is that LocalAuthentication is an app framework; it was not designed to be used in other contexts, like app extensions. Given that, it’s not expected to work in a NE provider.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
  • Will create as an answer as formatting seems to be off


Hi @eskimo, I wanted to add to this thread as it seems related, but let me know if you'd like me to open a new thread.

We're seeing this error in our Password Manager app in two scenarios (detailed below) when our Password AutoFill App Extension is launched and requests Biometric Auth (e.g. Face ID). A few of our users have noticed this is very reproducible and the error message is the same as the above, and the context seems roughly similar.

The error is:

Error Domain=com.apple.LocalAuthentication Code=-1004 "Caller is not running in foreground" UserInfo={NSDebugDescription=Caller is not running foreground., NSLocalizedDescription=User interaction required.}

While our Password AutoFill extension works well in normal contexts like Safari and third party apps, the following 2 scenarios reliably reproduce the above error:

  • Opening a Password Protected PDF from the Files app, and when asked to enter the password choosing our App (which then requests Face ID to Unlock your passwords)

  • Using the built in Apple TV Remote functionality (by swiping down from top-right corner of the screen) to try to fill in your password for an App on Apple TV (e.g. Netflix). When asked to enter the Netflix password, choose Strongbox (which then requests Face ID to Unlock your passwords)

Our users have sent some screenshots/captures, but I suspect the above will be enough to get along with. Let me know if you need any more info, and if you could confirm this is the same issue that would be helpful too. Thanks!

Here are some detailed steps provided by users for reproduction:

Apple TV 4K, when I enter a text field on the Apple TV device, it sends a notification to my iPhone so that I can use my iPhone as a keyboard to enter text on the Apple TV fields. The iPhone, in turn, prompts me to use [App Name] for my Netflix (in this instance) password.

Steps:

  1. Open Netflix on Apple TV
  2. When asked to sign-in, select username/email address for Netflix on AppleTV
  3. Click the Password field on Netflix/AppleTV
  4. Notification pops up on iPhone asking to use iPhone keyboard to enter the password for the AppleTV app. iPhone suggests using password in [App Name] for Netflix above keyboard (Apple doesn't show the keyboard part of the iPhone screen in Screen Recorder)
  5. Click [App Name] AutoFill suggestion
  6. FaceID fails with error message