LAContext not accepting programmatically changed user's password for authentication

I have used functionality of changing user's password programmatically using the OpenDirectory framework. Once the password is updated successfully, can be use this password for Login sessions and authentication wherever required. But the same password is failing authenticate with Local Authentication Framework that is with LAContext and prefers always older password. Even restarting machine won't work.

  • Changing current user's password using below method -

do { let node = try ODNode(session: ODSession.default(), type: ODNodeType(kODNodeTypeLocalNodes)) let user = try node.record(withRecordType: kODRecordTypeUsers, name: NSUserName(), attributes: nil) try user.changePassword(currentPassword, toPassword: newPassword) print("Password changed successfully") } catch var error { print(error) }

  • Once password is updated, then trying to authenticate password with LAContext using,

let context = LAContext() context.evaluatePolicy(.deviceOwnerAuthentication, localizedReason: "AuthenticationMessage".localized()) { success, error in DispatchQueue.main.async { completion(success, error) } print("authentication error = (String(describing: error?.localizedDescription))") }

  • It won't accept the updated password. Any idea how to solve this problem?

Changing passwords via the OD API has always had its limitations. For example, it would not update the password on the file-based keychain. I think this is a similar issue, although I’m not 100% sure of exactly how it connects.

Right now I’m gonna recommend that you file a bug about this. Once you’re done, please post your bug number here and I’ll take another look.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Sure, I will file a bug. For the information I have also updated keychain's password using below code,

        var userKeychain : SecKeychain?
        var err : OSStatus?
        err = SecKeychainOpen(userKeychainPath, &userKeychain)
        err = SecKeychainChangePassword(userKeychain, UInt32(currentPassword.count), currentPassword, UInt32(newPassword.count), newPassword)
        if err != 0 {
            print("Unable to reset keychain with migrated user/pass.")
        } else {
            print("Changed the keychain password")
        }

still it is failing to authenticate with newer password on LAContext.

For those following along at home, Rahul_S13’s bug was FB13812363. It’s been returned as ‘behaves correctly’. I’ll let them summarise the response here.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

LAContext not accepting programmatically changed user's password for authentication
 
 
Q