getGenericPassword does not require authentication if the phone's Keychain was recently unlocked from another biometric authentication event
ShepSims opened this issue · 2 comments
The opening screen of my application tries the following immediately upon launch or foregrounding:

```js
const result = await Keychain.getGenericPassword({
  service: 'myapp',
  authenticationPrompt: {
    title: 'Biometric Sign In',
    subtitle: 'Confirm biometrics to continue.',
  },
});
```
This works perfectly in almost all cases; however, if my app is in the foreground when the user unlocks their phone, it appears that the biometric success is persisted for a few moments, and thus they are not prompted again for their biometrics to unlock the Keychain.
Wrapping the Keychain statement in a timeout that forces the app to wait 1 second before trying to get the item from storage, as below, does fix this issue; however, I don't believe this should be necessary.
```js
// Workaround: delay the Keychain read by 1 second so it does not land inside
// the window right after the device-unlock biometric succeeded.
setTimeout(async () => {
  const result = await Keychain.getGenericPassword({
    service: 'molo',
    authenticationPrompt: {
      title: 'Biometric Sign In',
      subtitle: 'Confirm biometrics to continue.',
    },
  });
}, 1000);
```
This appears to be a fairly large security flaw, and I was wondering if anyone else had experienced it, or had any ideas as to why this is happening in the first place.
Facing the same issue. That's a really high risk problem which should get addressed soon.
Experiencing same issue on Android!