Using kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly

Privacy & Security General
mjharper OP
Created Mar ’24
Replies 1
Boosts 0
Views 454
Participants 2

After a pen test it has been suggested we use kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly for keychain accessibility. It is currently using kSecAttrAccessibleAfterFirstUnlockValue

We only store name, email, sms etc in our keychain but I've been asked to explore how much effort this would be

My initial concern is what happens to users without a passcode? Is there a way to enforce this for users with a passcode but fallback to something else for other users?

Thanks

Replies  1
Boosts  0
Views  454
Participants  2
DTS Engineer OP
Apple
Mar ’24

My preferred source for info on these options are the doc comments <Security/SecItem.h>, which is this case say:

This attribute will not be available on devices without a passcode.
Disabling the device passcode will cause all previously protected
items to be deleted.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0
Using kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly
First post date Last post date
 
 
Q