Search code examples
iosios8fingerprinttouch-id

ios8 TouchID detection if fingerprint was added

Im digging into Apple's Touch ID, more precisely the Local Authenticator. The documentation as of now is pretty sparse. Its mainly just this:

LAContext *myContext = [[LAContext alloc] init];
NSError *authError = nil;
NSString *myLocalizedReasonString = <#String explaining why app needs authentication#>;

if ([myContext canEvaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics    error:&authError]) {
[myContext evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics
              localizedReason:myLocalizedReasonString
                        reply:^(BOOL success, NSError *error) {
        if (success) {
            // User authenticated successfully, take appropriate action
        } else {
            // User did not authenticate successfully, look at error and take appropriate action
        }
    }];
} else {
// Could not evaluate policy; look at authError and present an appropriate message to user
}

as taken from https://developer.apple.com/documentation/localauthentication

The idea of using your fingerprint for authentication is nice. But I can add fingerprints in the device if I know the passcode. And its very easy to get the passcode, like you sit in the train next to ur victim and watch him/her enter the passcode.

I want to use the fingerprint as a way of secure authentication but want to be able to detect if new fingerprints were added since the last time I requested the fingerprint.

Apple is doing this for the AppStore. If you want to authenticate a transaction in the AppStore and have added a new Fingerprint since your last transaction, the AppStore requests your AppleId-Password. This is sane behaviour, because the phone might have been taken by someone else who knows the passcode and added his own fingerprint to buy something expensive.

My Question: Can I detect if a new fingerprint was added since the last time that I used Local Authenticator?

Solution

  • In short; no.

    In a bit more detail; the LocalAuthentication framework is a tightly-guarded black box. The information you get back from it is very limited. Your interaction with it goes something like this:

    • Ask it if it's able to authenticate for some type of policy (there is only 1 available at time of writing - Biometrics (Touch ID))
    • If it can, ask it to actually do it
    • The system takes over for the actual authentication
    • It lets you know if the authentication was successful or not (if not, it tells you why)

    You have no concept of the actual authentication process (which finger was used, for example). This, of course, is by design. Apple does not want, nor need, to give you access to such information.