-
-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Device Password fallback when Touch-ID devices are unavailable #11410
base: develop
Are you sure you want to change the base?
Device Password fallback when Touch-ID devices are unavailable #11410
Conversation
…ure is enabled in settings and no biometrics are available
translation
Oh neat, didn't even know that was an option. I don't think we need a special setting to toggle it though. Recommend removing that part and just making this part of the default security control options. |
Whit this TouchID/WatchID is still possible when DB gets unlocked while no TouchID hardware is present.
@droidmonkey ok then I'll remove the settings menu entry again. Having this default fallback, that is available all the time, we could also get rid of the isWatchIDAvailable/isTouchIdAvailable checks altogether. Doing this TouchID/WatchID unlock would always be possbile, even when you open the database for the first time with no biometric/apple watch hardware present and open the lid later. |
2c28b5b
to
0e80d00
Compare
e68ee6a
to
324fdd9
Compare
53cc096
to
3893c88
Compare
3893c88
to
f675cd3
Compare
Oh, its probably saver to keep all checks in place and add another one with https://developer.apple.com/documentation/localauthentication/klapolicydeviceownerauthentication, I'll do that later this day |
This reverts commit 0e80d00
With that we can add the "kSecAccessControlBiometryCurrentSet" Flag even though Biometry is unavailable due to closed lid or unpaired keyboard. Adding this flag when TouchID is not enrolled results in an error when trying to save the secret. The kSecAccessControlWatch Flag for apple watch compatibility does not have this limitation. With that we can also offer quick unlock with only apple watch or password
It was not as easy as I thought, the kSecAccessControlBiometryCurrentSet flag is only allowed when TouchID is enrolled, adding the flag while its not enrolled results in an error when trying to save the secret to the keychain. But it is possible to catch the specific "is not enrolled" error, and only skip adding the flag when this one occurs. The kSecAccessControlWatch seems to not have this constraint, but I need to test it a little more, same as my current implementation for TouchID. |
I tested i a little more and it seems to be pretty reliable, the only dangerous path is trying to save the key to the enclave with kSecAccessControlBiometryCurrentSet or kSecAccessControlTouchIDCurrentSet as the saving logic is throwing an error when having no fingers scanned, but that path is covered with the new touchidEnrolled check. With this new logic it is now possible to:
But I dont have an iMac or Mac Mini to test what happens on devices with no integrated TouchID, I tested this constellation in a qemu vm and this case also got handled by the kLAErrorBiometryNotEnrolled error, but I would feel saver if it could get tested with actual imac/mac mini hardware once. I also could get my hands on a magic keyboard on monday to test that aswell at least once. |
Awesome thank you @findus, this will greatly improve usability of quick unlock. Also helps when I finish implementing "remembered" quick unlock. |
…ected flags, might fix quick unlock on a hackintosh
I've set up a Hackintosh yesterday to check what happens on devices with no TouchID present at all, there the "isEnrolled" check does not work because the API returns LAErrorBiometryNotAvailable, which kinda sucks because now this error is used for two states:
To "fix" this I just call setKey a second time without the TouchID/Biometrics flag when the first call fails, that makes it a little more robust. |
I got my hand on an iMac and I tested the behavior if there is no TouchID hardware present, and what happens if you connect a magic keyboard with sensor to it. It kinda behaves like on a Hackintosh, only the error message is different, here "kLAErrorBiometryNotPaired" is returned the first time setKey is called, the 2nd fallback call also enables us to use WatchId/DeviceCode. After you pair the keyboard MacOS guides you through the fingerprint setup process, after that its the same behavior as with a macbook. After you Unpair the keyboard again and delete your Fingerprints, the API returns "kLAErrorBiometryNotEnrolled" instead of "kLAErrorBiometryNotPaired" 🤔. But in general its pretty stable now, I used this build for about a week now and haven't encountered anything weird. |
Awesome and thank you for the comprehensive testing! Will merge this shortly. |
src/quickunlock/TouchID.mm
Outdated
|
||
bool canAuthenticate = [context canEvaluatePolicy:policyCode error:&error]; | ||
[context release]; | ||
//TODO: check if this is the correct error message |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Did we satisfy this TODO?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We could also get rid of this check entirely now as we call setKey twice in case of an error
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sounds good
… second time when first attempt fails with TouchID flag
Device Password fallback when Touch-ID devices are unavailable
I often use my macbook docked with the lid closed, so I cannot use the fingerprint sensor, and I got rather tired reentering my whole database password every time after unlocking my session.
This change adds the "kSecAccessControlDevicePasscode" flag to the AccessControlFlags, so it is possible to use the device password to unlock the database again.
This feature is disabled by default and can be enabled in the settings menu.Screenshots
poc.mov
Type of change