![Page 1: Keychain and Authentication with Touch ID...Keychain and Authentication with Touch ID Learn how you can integrate Touch ID Core OS Session 711 Wade Benson Core OS Security Engineering](https://reader034.vdocuments.us/reader034/viewer/2022042317/5f0662807e708231d417ba86/html5/thumbnails/1.jpg)
© 2014 Apple Inc. All rights reserved. Redistribution or public display not permitted without written permission from Apple.
#WWDC14
Keychain and Authentication with Touch ID
Learn how you can integrate Touch ID
Core OS
Session 711
Wade Benson, Core OS Security Engineering
Libor Sykora, Core OS Security Engineering
What You’ll Learn
Store user secrets securely (passwords, keys, …)
New Keychain Data Protection Class
New Access Control Lists (ACLs)
Touch ID
Keychain Features
A very specialized database
Protected data (payload)
Keychain attributes
Efficient search by attributes
Optimized for user secrets
Why the Keychain?
Protected with the user passcode
Protected with the device secret
Protect secrets at rest
Encrypted backup
Access control
Keychain sync
Keychain Interactions (diagram, built up over several slides)
Your Application → SecItem APIs (Security.framework) → securityd → Keychain
Secure enclave: Device Secrets, Passcode Secrets
Item stored in the Keychain: Attributes, Encrypted payload
Retrieval steps as labelled on the slides: Encrypted → Decrypted → Secret (returned to Your Application)
The Keychain in a Nutshell: Item creation

```objc
// Build the payload (the slide's dataWithEncoding: is not an NSString method; dataUsingEncoding: is).
NSData *secret = [@"top secret" dataUsingEncoding:NSUTF8StringEncoding];
NSDictionary *attributes = @{
    (id)kSecClass:       (id)kSecClassGenericPassword,   // item class
    (id)kSecAttrService: @"myservice",                    // searchable attributes
    (id)kSecAttrAccount: @"account name here",
    (id)kSecValueData:   secret,                          // protected payload
};
// Under ARC the Foundation dictionary must be bridged to the CF type the API takes.
OSStatus status = SecItemAdd((__bridge CFDictionaryRef)attributes, NULL);
```

Cannot create duplicate items
The Keychain in a Nutshell: Item lookup

```objc
NSDictionary *query = @{
    (id)kSecClass:       (id)kSecClassGenericPassword,
    (id)kSecAttrService: @"myservice",
    (id)kSecAttrAccount: @"account name here",
    (id)kSecReturnData:  @YES,   // ask for the decrypted payload, not only attributes
};
// The API hands back a retained CF object; transfer it to ARC instead of casting an NSData* pointer.
CFTypeRef result = NULL;
OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
NSData *data = (status == errSecSuccess) ? (__bridge_transfer NSData *)result : nil;
```
The Keychain in a Nutshell: Item Update/Delete

```objc
// The same attributes that created the item identify it for update and delete.
NSDictionary *query = @{
    (id)kSecClass:       (id)kSecClassGenericPassword,
    (id)kSecAttrService: @"myservice",
    (id)kSecAttrAccount: @"account name here",
};
NSDictionary *changes = @{ /* ... the attributes or payload to change ... */ };
OSStatus status = SecItemUpdate((__bridge CFDictionaryRef)query, (__bridge CFDictionaryRef)changes);
// Deleting uses the same query (status is reassigned, not redeclared).
status = SecItemDelete((__bridge CFDictionaryRef)query);
```

Use Update to modify items, not Delete and Add
Keychain Workflow (Pseudo code)

```objc
NSData *password = nil;
if (SecItemCopyMatching(..., &password) == noErr) {
    if (password works) {
        // great!
    } else {
        password = get a better one;
        if (that password worked better) {
            SecItemUpdate(...);   // replace the stale secret in place
        }
    }
} else {
    password = get from user;
    if (password works) {
        SecItemAdd(...);   // save it for next time
    }
}
```
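The workflow above, carried through with real SecItem calls. This is an added example, not code from the session: the service and account values are constructed, and the `works` and `askUser` blocks are hypothetical stand-ins for the app's own server check and login UI. It also shows the status to expect for "Cannot create duplicate items" (`errSecDuplicateItem`) and why the duplicate case is handled with `SecItemUpdate` rather than delete-and-add.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Class + service + account identify one generic-password item (values constructed).
static NSDictionary *baseQuery(void) {
    return @{ (id)kSecClass:       (id)kSecClassGenericPassword,
              (id)kSecAttrService: @"com.example.myservice",
              (id)kSecAttrAccount: @"alice" };
}

// Returns the stored password, or nil; *status carries the keychain result so the caller
// can tell "no item" (errSecItemNotFound) from "device locked" (errSecInteractionNotAllowed).
static NSData *loadPassword(OSStatus *status) {
    NSMutableDictionary *query = [baseQuery() mutableCopy];
    query[(id)kSecReturnData] = @YES;
    CFTypeRef result = NULL;
    *status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    return (*status == errSecSuccess) ? (__bridge_transfer NSData *)result : nil;
}

// Adds the item; if one already exists, updates it in place instead of delete+add,
// so the item's other attributes (accessibility class, access group, ...) are preserved.
static OSStatus savePassword(NSData *password) {
    NSMutableDictionary *attrs = [baseQuery() mutableCopy];
    attrs[(id)kSecValueData] = password;
    OSStatus status = SecItemAdd((__bridge CFDictionaryRef)attrs, NULL);
    if (status == errSecDuplicateItem) {
        NSDictionary *changes = @{ (id)kSecValueData: password };
        status = SecItemUpdate((__bridge CFDictionaryRef)baseQuery(),
                               (__bridge CFDictionaryRef)changes);
    }
    return status;
}

// The workflow: try the stored password; otherwise ask the user and save what worked.
// `works` and `askUser` are hypothetical and supplied by the app (server check, login UI).
static BOOL login(BOOL (^works)(NSData *password), NSData *(^askUser)(void)) {
    OSStatus status = errSecSuccess;
    NSData *password = loadPassword(&status);
    BOOL ok = (password != nil) && works(password);
    if (!ok) {
        if (password == nil && status != errSecItemNotFound)
            NSLog(@"keychain lookup failed: %d", (int)status);
        password = askUser();                          // stored one missing or rejected
        ok = (password != nil) && works(password);
        if (ok) {
            OSStatus saved = savePassword(password);   // add, or update the stale one
            if (saved != errSecSuccess) NSLog(@"could not save password: %d", (int)saved);
        }
    }
    password = nil;   // use and purge: do not keep the secret in memory
    return ok;
}

int main(void) {
    @autoreleasepool {
        // Constructed stand-ins for the app's own checks; a real app talks to its server.
        NSData *expected = [@"correct horse" dataUsingEncoding:NSUTF8StringEncoding];
        BOOL ok = login(^BOOL(NSData *p) { return [p isEqualToData:expected]; },
                        ^NSData *(void) { return expected; });
        NSLog(@"login %@", ok ? @"succeeded" : @"failed");
    }
    return 0;
}
```

The lookup status is checked before prompting: `errSecItemNotFound` is the normal first-run case, while anything else (for example a lookup attempted while the device is locked) is a condition worth logging rather than a reason to overwrite the stored item.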
Handling Retrieved Secrets
Use and purge
Do not keep secrets in memory
Do not save or send
Access Control Roadmap

|                | OS X           | iOS                   | OS X (kSecAttrSynchronizable) |
|----------------|----------------|-----------------------|-------------------------------|
| Application    | kSecAttrAccess |                       |                               |
| Entitlements   |                | kSecAttrAccessGroup   | kSecAttrAccessGroup           |
| When           |                | kSecAttrAccessible    | kSecAttrAccessible            |
| Authentication |                | kSecAttrAccessControl | kSecAttrAccessControl         |
Keychain Item Access
(id)kSecAttrAccessible:
kSecAttrAccessibleWhenUnlocked
kSecAttrAccessibleAfterFirstUnlock
kSecAttrAccessibleWhenUnlockedThisDeviceOnly
kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
Passcode Set?
(id)kSecAttrAccessible: kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly
Available only if a passcode is set
Removing the device passcode
Will not sync
Not backed up
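Using the new class in practice, as an added example that is not part of the session's own code. It stores an item under kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, treats a failed SecItemAdd as "no passcode on this device" instead of silently choosing a weaker class, and moves an already-existing item to the stricter class with SecItemUpdate rather than delete-and-add. Service and account values are constructed.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Lookup attributes of the item (service and account values are constructed).
static NSDictionary *itemQuery(void) {
    return @{ (id)kSecClass:       (id)kSecClassGenericPassword,
              (id)kSecAttrService: @"com.example.vault",
              (id)kSecAttrAccount: @"session-token" };
}

// Store a secret that must exist only on this device and only while a passcode is set.
// The class is ThisDeviceOnly, so the item is neither synced nor backed up, and
// SecItemAdd fails on a device without a passcode rather than storing the item weaker.
static OSStatus storeDeviceBoundSecret(NSData *secret) {
    NSMutableDictionary *attrs = [itemQuery() mutableCopy];
    attrs[(id)kSecValueData]      = secret;
    attrs[(id)kSecAttrAccessible] = (id)kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly;
    OSStatus status = SecItemAdd((__bridge CFDictionaryRef)attrs, NULL);
    if (status != errSecSuccess && status != errSecDuplicateItem) {
        // Do not fall back to a weaker class here; surface "passcode required" to the user.
        NSLog(@"SecItemAdd failed (%d): is a device passcode set?", (int)status);
    }
    return status;
}

// Move an existing item to the stricter class with SecItemUpdate rather than delete+add;
// the lookup attributes stay untouched, only the protection changes.
static OSStatus tightenAccessibility(void) {
    NSDictionary *changes = @{ (id)kSecAttrAccessible:
                               (id)kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly };
    return SecItemUpdate((__bridge CFDictionaryRef)itemQuery(),
                         (__bridge CFDictionaryRef)changes);
}

// Read back only the attributes (not the payload) to check which class the item carries.
static NSString *currentAccessibility(void) {
    NSMutableDictionary *query = [itemQuery() mutableCopy];
    query[(id)kSecReturnAttributes] = @YES;
    CFTypeRef result = NULL;
    if (SecItemCopyMatching((__bridge CFDictionaryRef)query, &result) != errSecSuccess) return nil;
    NSDictionary *attrs = (__bridge_transfer NSDictionary *)result;
    return attrs[(id)kSecAttrAccessible];
}

int main(void) {
    @autoreleasepool {
        NSData *token = [@"constructed-token-value" dataUsingEncoding:NSUTF8StringEncoding];
        if (storeDeviceBoundSecret(token) == errSecDuplicateItem) {
            // An older copy exists (perhaps under a weaker class): tighten it in place.
            OSStatus s = tightenAccessibility();
            NSLog(@"tightenAccessibility: %d", (int)s);
        }
        NSLog(@"item class: %@", currentAccessibility());
    }
    return 0;
}
```

The read-back at the end is the check worth keeping in a test suite: after a migration it confirms the item really carries the passcode-bound class, which is what guarantees the "will not sync" and "not backed up" properties on the slide.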
![Page 69: Keychain and Authentication with Touch ID...Keychain and Authentication with Touch ID Learn how you can integrate Touch ID Core OS Session 711 Wade Benson Core OS Security Engineering](https://reader034.vdocuments.us/reader034/viewer/2022042317/5f0662807e708231d417ba86/html5/thumbnails/69.jpg)
Keychain ACLs and Touch ID
Libor Sykora Core OS Security Engineering
Introduction: Keychain ACLs and Touch ID
Item Access Control Lists (ACLs)
• Accessibility
• Authentication
[Diagram: a keychain item consists of attributes plus a secret; its ACL carries both the accessibility class and the authentication requirement, where authentication is done with Touch ID and the passcode]
Keychain ACL
New API for ACLs
• (id)kSecAttrAccessControl: SecAccessControlRef—the ACL
ACL defines both authentication and item accessibility
Accessibility
• kSecAttrAccessible constants
Authentication
• Policy
• User presence (kSecAccessControlUserPresence)
User Presence Authentication Policy
Enforced by OS security domain

| Device configuration | Policy evaluation | Backup mechanism |
|---|---|---|
| Device without passcode | No access | No backup |
| Device with passcode | Requires passcode | No backup |
| Device with Touch ID | Prefers Touch ID | Allows passcode |
Touch ID Authentication
Touch ID—Easy to use authentication mechanism
Touch ID operations—Inside secure enclave
Keychain key operations—Inside secure enclave
Touch ID policy enforcement
Touch ID through LocalAuthentication
Architecture
[Diagram: in user space the Application calls the SecItem APIs of Security.framework and LocalAuthentication; Keychain Key Management runs in the Operating System; Touch ID and Credential Management run inside the Secure Enclave]
User Interface
Standard user interface
Custom prompt message recommended
Enter passcode option
Blocking keychain operation: the SecItem call does not return until the user has responded to the prompt
Item Accessibility with ACLs: Recommendation
“When unlocked”
• kSecAttrAccessibleWhenUnlocked
• No passcode = item is not accessible
“When unlocked and passcode set”
• kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly
• No passcode = item is deleted
Storing a Secret

```objective-c
// ACL: item is accessible only while a passcode is set, and only after the
// user's presence (Touch ID, passcode as fallback) has been confirmed
CFErrorRef error = NULL;
SecAccessControlRef sacObject = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
    kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
    kSecAccessControlUserPresence,
    &error);

NSData *secret = [@"top secret" dataUsingEncoding:NSUTF8StringEncoding];
NSDictionary *query = @{
    (__bridge id)kSecClass:             (__bridge id)kSecClassGenericPassword,
    (__bridge id)kSecAttrService:       @"myservice",
    (__bridge id)kSecAttrAccount:       @"account name here",
    (__bridge id)kSecValueData:         secret,
    // attaching the ACL is the only change from a plain SecItemAdd
    (__bridge id)kSecAttrAccessControl: (__bridge id)sacObject,
};

OSStatus status = SecItemAdd((__bridge CFDictionaryRef)query, NULL);
CFRelease(sacObject);
```
Reading a Secret

```objective-c
// The read may show the Touch ID / passcode sheet and blocks until the user
// responds, so issue it from a background queue, never from the main thread
dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{
    NSDictionary *query = @{
        (__bridge id)kSecClass:              (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService:        @"myservice",
        (__bridge id)kSecAttrAccount:        @"account name here",
        (__bridge id)kSecReturnData:         @YES,
        // custom message shown in the standard authentication sheet
        (__bridge id)kSecUseOperationPrompt: @"Authenticate to login to server",
    };

    CFTypeRef dataTypeRef = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &dataTypeRef);
    if (status == errSecSuccess) {
        // errSecSuccess is returned only after the user authenticated
        NSData *secret = CFBridgingRelease(dataTypeRef);
        (void)secret;
    }
});
```
Things to Consider
Only foreground applications
Any query may require authentication
• SecItemAdd, SecItemUpdate
• Broad queries—Multiple items
• No authentication mode—kSecUseNoAuthenticationUI
ACL protected items—No synchronization, no backup
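The store and read snippets above leave out the parts a shipping app needs: checking that the ACL was created, finding out whether a protected item exists without putting up a prompt, and telling the caller why a read failed. The following is an added example, not code from the session; the service and account names, the `Demo*` function names and the prompt text are assumptions, while the keys, flags and OSStatus values are the ones from Security.framework (SecBase.h) on iOS 8.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Constructed placeholders for the example
static NSString * const kDemoService = @"com.example.demo";
static NSString * const kDemoAccount = @"alice";

// Store a secret behind a user-presence ACL; returns the OSStatus of SecItemAdd.
OSStatus DemoStoreSecret(NSData *secret)
{
    CFErrorRef error = NULL;
    // Accessibility: only while a passcode is set (the item is deleted if the
    // passcode is removed). Authentication: Touch ID, passcode as fallback.
    SecAccessControlRef acl = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        kSecAccessControlUserPresence,
        &error);
    if (acl == NULL) {
        if (error) CFRelease(error);          // e.g. unsupported protection/flag combination
        return errSecParam;
    }
    NSDictionary *attrs = @{
        (__bridge id)kSecClass:             (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService:       kDemoService,
        (__bridge id)kSecAttrAccount:       kDemoAccount,
        (__bridge id)kSecValueData:         secret,
        (__bridge id)kSecAttrAccessControl: (__bridge id)acl,
    };
    OSStatus status = SecItemAdd((__bridge CFDictionaryRef)attrs, NULL);
    CFRelease(acl);
    return status;
}

// Probe for the item with authentication UI disabled. Lets the app decide whether
// to offer a "sign in with Touch ID" button before the user taps anything.
// errSecInteractionNotAllowed means the item exists but reading it needs the user.
BOOL DemoSecretExists(void)
{
    NSDictionary *query = @{
        (__bridge id)kSecClass:                 (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService:           kDemoService,   // narrow query: one item
        (__bridge id)kSecAttrAccount:           kDemoAccount,
        (__bridge id)kSecReturnData:            @YES,
        (__bridge id)kSecUseNoAuthenticationUI: @YES,
    };
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (result) CFRelease(result);
    return status == errSecSuccess || status == errSecInteractionNotAllowed;
}

// Read with the system prompt. Foreground only; the call blocks until the user
// answers, so it runs on a background queue and reports back on the main queue.
void DemoReadSecret(void (^completion)(NSData *secret, OSStatus status))
{
    dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{
        NSDictionary *query = @{
            (__bridge id)kSecClass:              (__bridge id)kSecClassGenericPassword,
            (__bridge id)kSecAttrService:        kDemoService,
            (__bridge id)kSecAttrAccount:        kDemoAccount,
            (__bridge id)kSecReturnData:         @YES,
            (__bridge id)kSecUseOperationPrompt: @"Authenticate to log in to the server",
        };
        CFTypeRef result = NULL;
        OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
        NSData *secret = nil;
        if (status == errSecSuccess) secret = CFBridgingRelease(result);
        else if (result) CFRelease(result);
        dispatch_async(dispatch_get_main_queue(), ^{ completion(secret, status); });
    });
}

// The outcomes a caller should distinguish rather than treating all failures alike.
NSString *DemoDescribeStatus(OSStatus status)
{
    switch (status) {
        case errSecSuccess:               return @"ok";
        case errSecItemNotFound:          return @"no item: never stored, or deleted when the passcode was removed";
        case errSecUserCanceled:          return @"user cancelled the prompt";
        case errSecAuthFailed:            return @"authentication failed";
        case errSecInteractionNotAllowed: return @"authentication needed but UI was not allowed";
        case errSecDuplicateItem:         return @"item already exists (update or delete it first)";
        default:                          return [NSString stringWithFormat:@"OSStatus %d", (int)status];
    }
}
```

Typical flow: `DemoStoreSecret([@"top secret" dataUsingEncoding:NSUTF8StringEncoding])` once at enrolment, `DemoSecretExists()` when building the login screen, and `DemoReadSecret(^(NSData *s, OSStatus st){ … })` from a button tap while the app is in the foreground. Keep the query narrow (service plus account): a broad query that matches several ACL-protected items can trigger a prompt per item.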
LocalAuthentication
Introduction
Credential collecting
LocalAuthentication for applications—Policy evaluation
Architecture
[Diagram: in user space the Application calls LocalAuthentication; Touch ID and Credential Management sit inside the Secure Enclave, reached through the Operating System]
LocalAuthentication Use Cases: Examples
Verify that user is enrolled
• Unlock features of application
• Parental check
Extension to current application's authentication
• First factor—Without passcode backup
• Second factor
![Page 133: Keychain and Authentication with Touch ID...Keychain and Authentication with Touch ID Learn how you can integrate Touch ID Core OS Session 711 Wade Benson Core OS Security Engineering](https://reader034.vdocuments.us/reader034/viewer/2022042317/5f0662807e708231d417ba86/html5/thumbnails/133.jpg)
LocalAuthentication Security
Differs from Keychain
• Trust the OS vs. trust the secure enclave
- LocalAuthentication hands the application a yes/no answer from the OS; a keychain item protected by an ACL is decrypted only after the secure enclave has verified the user, so the application never holds that decision itself
- No direct access to secure enclave
- No access to registered fingers
- No access to fingerprint image
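Added example, not code from the session, showing what "trust the OS" versus "trust the secure enclave" means in practice: the same account token is unlocked once with LocalAuthentication alone and once as a keychain item carrying a SecAccessControl (the iOS 8 ACL API covered in the Keychain part of this session). The service name, the function names and the token value are assumptions for illustration.

```objc
// Added example (not code from the session). Two ways to "unlock a token";
// what differs is who makes the decision that the token may be released.
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <LocalAuthentication/LocalAuthentication.h>

static NSString * const kTokenService = @"com.example.app.token";   // assumed identifier

// 1) LocalAuthentication only. The token already sits in the app's own storage.
//    Touch ID produces a BOOL and the app itself decides to hand the token over,
//    so anything that can tamper with the app process (or skip this call entirely)
//    gets the token without the secure enclave ever being involved.
void unlockWithLocalAuthentication(NSData *tokenAlreadyInAppStorage,
                                   void (^completion)(NSData *token, NSError *error))
{
    LAContext *context = [LAContext new];
    [context evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics
            localizedReason:@"Unlock your account token"
                      reply:^(BOOL success, NSError *error) {
        // The only thing the OS contributed is this BOOL.
        completion(success ? tokenAlreadyInAppStorage : nil, error);
    }];
}

// 2) Keychain ACL. The item is stored with a SecAccessControl requiring user presence.
//    It cannot be decrypted until the secure enclave has verified the finger (or the
//    passcode); the app holds no decision, only the result of SecItemCopyMatching.
OSStatus storeTokenBehindTouchID(NSData *token)
{
    CFErrorRef aclError = NULL;
    SecAccessControlRef acl = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,  // new iOS 8 class: gone when passcode is removed
        kSecAccessControlUserPresence,                    // Touch ID, passcode as the system fallback
        &aclError);
    if (acl == NULL) {
        if (aclError) CFRelease(aclError);
        return errSecParam;
    }

    NSDictionary *attrs = @{
        (__bridge id)kSecClass:                 (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService:           kTokenService,
        (__bridge id)kSecValueData:             token,
        (__bridge id)kSecAttrAccessControl:     (__bridge id)acl,
        (__bridge id)kSecUseNoAuthenticationUI: @YES,   // iOS 8 key: adding must never pop a prompt
    };
    // Remove any previous copy first; SecItemAdd returns errSecDuplicateItem otherwise
    SecItemDelete((__bridge CFDictionaryRef)@{
        (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: kTokenService });
    OSStatus status = SecItemAdd((__bridge CFDictionaryRef)attrs, NULL);
    CFRelease(acl);
    return status;
}

// Reading the item is where authentication happens; the prompt is shown by the system.
// A cancelled or failed match comes back as an OSStatus (errSecUserCanceled,
// errSecAuthFailed), not through an LAContext.
NSData *readTokenBehindTouchID(OSStatus *outStatus)
{
    NSDictionary *query = @{
        (__bridge id)kSecClass:              (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService:        kTokenService,
        (__bridge id)kSecReturnData:         @YES,
        (__bridge id)kSecUseOperationPrompt: @"Unlock your account token",
    };
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (outStatus) *outStatus = status;
    return (status == errSecSuccess) ? (__bridge_transfer NSData *)result : nil;
}
```

Use the first path when the protected resource is not a secret the app stores (the photos example on the following slides), and the second whenever the thing being protected is a credential or key: in the second path the token stays encrypted until the enclave says otherwise, and there is no BOOL in the app for an attacker to flip.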
![Page 139: Keychain and Authentication with Touch ID...Keychain and Authentication with Touch ID Learn how you can integrate Touch ID Core OS Session 711 Wade Benson Core OS Security Engineering](https://reader034.vdocuments.us/reader034/viewer/2022042317/5f0662807e708231d417ba86/html5/thumbnails/139.jpg)
LocalAuthentication API
Touch ID without keychain
• canEvaluatePolicy:
- Checks whether the policy can succeed on this device and configuration
• evaluatePolicy:
- Yes/no answer
• Policy: LAPolicyDeviceOwnerAuthenticationWithBiometrics
- No passcode authentication (the system dialog offers no device passcode fallback for this policy)
- Fallback to application’s own password entry UI
Things to Remember
• Only for foreground application (the Touch ID dialog is presented for the active app; an evaluation in progress is cancelled by the system when the app leaves the foreground)
• Policy evaluation may fail (no Touch ID hardware, no enrolled fingers, no passcode set, the user cancels or taps the fallback button)
• Application fallback mechanism (your own password entry UI must always be reachable)
Touch ID Available

```objc
#import <LocalAuthentication/LocalAuthentication.h>

// To check that the policy can succeed based on device type and configuration
LAContext *context = [LAContext new];
NSError *error = nil;

if ([context canEvaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics
                         error:&error]) {
    NSLog(@"Touch ID is available");
    …
} else {
    // error.code says why: kLAErrorTouchIDNotAvailable, kLAErrorTouchIDNotEnrolled
    // or kLAErrorPasscodeNotSet
    NSLog(@"Touch ID not available: %@", error);
}
```
Touch ID Authentication

```objc
LAContext *context = [LAContext new];

[context evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics
        localizedReason:@"To access your photos"
                  reply:^(BOOL success, NSError *authenticationError) {
    if (success) {
        NSLog(@"Authenticated using Touch ID.");
    } else {
        NSLog(@"Authentication failed");
    }
}];
```
Touch ID Authentication

```objc
// The reply block is called on a private queue; dispatch any UI work to the main queue
[context evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics
        localizedReason:@"To access your photos"
                  reply:^(BOOL success, NSError *error) {
    if (success) {
        NSLog(@"Authenticated using Touch ID.");
    } else if (error.code == kLAErrorUserFallback) {
        // The user tapped the fallback button: show the application's own password UI
        [self passcodeFallback];
    } else if (error.code == kLAErrorUserCancel) {
        [self cancelLogin];
    } else {
        // Failed match, system cancel, or a policy that cannot succeed on this device
        [self reportError];
    }
}];
```
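Added example, not code from the session: the canEvaluatePolicy: and evaluatePolicy: snippets above combined into one login path that observes the three points under Things to Remember (foreground only, evaluation may fail, application fallback). It goes beyond the slides by mapping every LAError code to a next step and by moving the reply back to the main queue. LoginController, LoginOutcome, outcomeForError and the prompt text are assumed names.

```objc
// Added example (not code from the session). One login path that handles every way
// policy evaluation can fail and always ends in the app's own password UI when
// Touch ID cannot be used.
#import <UIKit/UIKit.h>
#import <LocalAuthentication/LocalAuthentication.h>

typedef NS_ENUM(NSInteger, LoginOutcome) {
    LoginOutcomeAuthenticated,      // Touch ID matched
    LoginOutcomeShowPasswordUI,     // fall back to the app's own password entry
    LoginOutcomeCancelled,          // user cancelled: do nothing
    LoginOutcomeRetryLater,         // system cancelled (app left the foreground)
};

// Decide what to do with a failed canEvaluatePolicy: or evaluatePolicy: call.
// Every code except user cancel and system cancel ends in the app's own fallback.
static LoginOutcome outcomeForError(NSError *error)
{
    switch (error.code) {
        case kLAErrorUserCancel:           return LoginOutcomeCancelled;
        case kLAErrorSystemCancel:         return LoginOutcomeRetryLater;  // backgrounded, lock screen
        case kLAErrorUserFallback:         // "Enter Password" tapped
        case kLAErrorAuthenticationFailed: // finger not recognised
        case kLAErrorTouchIDNotAvailable:  // policy cannot succeed on this device:
        case kLAErrorTouchIDNotEnrolled:   //   these three come from canEvaluatePolicy:
        case kLAErrorPasscodeNotSet:
        default:                           return LoginOutcomeShowPasswordUI;
    }
}

@interface LoginController : NSObject
- (void)loginWithCompletion:(void (^)(LoginOutcome outcome))completion;
@end

@implementation LoginController

- (void)loginWithCompletion:(void (^)(LoginOutcome outcome))completion
{
    // The Touch ID dialog is only presented for the foreground app; don't even ask otherwise.
    if ([UIApplication sharedApplication].applicationState != UIApplicationStateActive) {
        completion(LoginOutcomeRetryLater);
        return;
    }

    LAContext *context = [LAContext new];
    NSError *error = nil;
    if (![context canEvaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics error:&error]) {
        // No hardware, no enrolled fingers or no passcode: straight to the fallback,
        // without offering a Touch ID button that can never succeed.
        completion(outcomeForError(error));
        return;
    }

    [context evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics
            localizedReason:@"Log in to your account"
                      reply:^(BOOL success, NSError *authError) {
        LoginOutcome outcome = success ? LoginOutcomeAuthenticated : outcomeForError(authError);
        // The reply block runs on a private queue; UI work belongs on the main queue.
        dispatch_async(dispatch_get_main_queue(), ^{
            completion(outcome);
        });
    }];
}

@end
```

The caller switches on the LoginOutcome: LoginOutcomeShowPasswordUI is the application fallback from the slides and is the only outcome that must always have a working path, since a user with no enrolled finger, a removed passcode, or a failed match would otherwise be locked out of the app.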
Demo
Summary
Keychain is here for your secrets
What is new?
• New accessibility class (kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly)
- Items invalidated with no passcode: they are deleted when the device passcode is removed
• Keychain item ACLs
- Protection using Touch ID or passcode
• LocalAuthentication
- To start Touch ID authentication without a keychain item
More Information
Paul Danbold, Core OS Technologies Evangelist, [email protected]

Documentation
iOS Security White Paper: http://images.apple.com/ipad/business/docs/iOS_Security_Feb14.pdf
Apple Developer Forums: http://devforums.apple.com
Related Sessions
• User Privacy in iOS and OS X, Nob Hill, Thursday 2:00PM
Labs
• Security Lab, Core OS Lab B, Wednesday 11:30AM
• Security and Privacy Lab, Core OS Lab B, Thursday 3:15PM