Keychain ACLs: Relationship between .userPresence and .devicePasscode

Suppose there is a key in the keychain that is protected by an ACL which specifies .userPresence as its access control - is it possible to prevent the user from being prompted to authenticate with biometrics and to force authentication via the device passcode instead?

Answered by DTS Engineer in 803537022

Thanks for the clarification.

Sadly, I don’t see any way to achieve this goal.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hmmm, I suspect I’m missing something here. If you only want the user to be able to use the device passcode, why create the item with .userPresence? Instead, just create the item with .devicePasscode.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Sorry Quinn, I'll try to be more specific: We want the key to be usable with either biometry or device passcode - hence .userPresence - but we want to be able to decide whether to allow biometry in some cases or not. With .userPresence this does not seem to be possible out of the box since this always seems to prefer biometry if available.

We tried passing a LAContext which has been used to access a (different) keychain item protected with .devicePasscode, but to no avail.

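To make the distinction in this thread concrete, here is an added example (not code from the thread or from Apple) that creates two generic-password items, one under a `.userPresence` ACL and one under `.devicePasscode`, and reads each back with an `LAContext` supplied through `kSecUseAuthenticationContext`. The service name `com.example.acl-demo` and the account names are constructed for the demo. The flow you choose for a passcode-only read is my own suggestion in line with the DTS reply: keep a `.devicePasscode` item for that case, because a `.userPresence` item lets the system pick biometry whenever it is enrolled.

```swift
import Foundation
import Security
import LocalAuthentication

enum KeychainError: Error {
    case osStatus(OSStatus)
    case accessControl(Error)
}

enum KeychainACLDemo {
    // Hypothetical service name used to tag the demo items.
    static let service = "com.example.acl-demo"

    // Build a SecAccessControl for the requested flags.
    // .userPresence   -> biometry (if enrolled) or device passcode
    // .devicePasscode -> device passcode only, biometry is never offered
    static func accessControl(_ flags: SecAccessControlCreateFlags) throws -> SecAccessControl {
        var error: Unmanaged<CFError>?
        guard let acl = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault,
            kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
            flags,
            &error
        ) else {
            throw KeychainError.accessControl(error!.takeRetainedValue() as Error)
        }
        return acl
    }

    // Store `secret` under `account`, protected by an ACL built from `flags`.
    // Note: kSecAttrAccessible must NOT be added alongside kSecAttrAccessControl;
    // the protection class is already carried by the SecAccessControl.
    static func store(secret: Data, account: String, flags: SecAccessControlCreateFlags) throws {
        let acl = try accessControl(flags)
        let lookup: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
        ]
        // Remove any stale copy so SecItemAdd does not fail with errSecDuplicateItem.
        SecItemDelete(lookup as CFDictionary)

        var attrs = lookup
        attrs[kSecAttrAccessControl as String] = acl
        attrs[kSecValueData as String] = secret
        let status = SecItemAdd(attrs as CFDictionary, nil)
        guard status == errSecSuccess else { throw KeychainError.osStatus(status) }
    }

    // Read the item back. The LAContext carries the prompt text; which
    // authentication method the user sees is decided by the item's ACL,
    // not by anything set on the context.
    static func read(account: String, reason: String) throws -> Data {
        let context = LAContext()
        context.localizedReason = reason
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
            kSecReturnData as String: true,
            kSecUseAuthenticationContext as String: context,
        ]
        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        guard status == errSecSuccess, let data = result as? Data else {
            throw KeychainError.osStatus(status)
        }
        return data
    }
}

// Usage (constructed secret; run on a device with a passcode set):
//
//   let secret = Data("demo-secret".utf8)
//   try KeychainACLDemo.store(secret: secret, account: "either", flags: .userPresence)
//   try KeychainACLDemo.store(secret: secret, account: "passcode-only", flags: .devicePasscode)
//
//   // Biometry or passcode, system chooses biometry when enrolled:
//   _ = try KeychainACLDemo.read(account: "either", reason: "Unlock with Face ID or passcode")
//
//   // Passcode prompt only, regardless of biometry enrollment:
//   _ = try KeychainACLDemo.read(account: "passcode-only", reason: "Enter your passcode")
```

The read path is identical for both items; only the ACL attached at creation time differs, which is why reusing an `LAContext` that already authenticated against a `.devicePasscode` item does not change how a `.userPresence` item prompts.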
