oblador/react-native-keychain

getGenericPassword does not require authentication if the phone's Keychain was recently unlocked from another biometric authentication event

ShepSims opened this issue · 2 comments

The opening screen of my application tries the following immediately upon launch or foregrounding

import * as Keychain from 'react-native-keychain';

const result = await Keychain.getGenericPassword({
  service: 'myapp',
  authenticationPrompt: {
    title: 'Biometric Sign In',
    subtitle: 'Confirm biometrics to continue.',
  },
});

This works perfectly in almost all cases; however, if my app is in the foreground when the user unlocks their phone, it appears that the biometric success is persisted for a few moments, and thus they are not prompted again for their biometrics to unlock the Keychain.

Wrapping the Keychain statement in a timeout that forces the app to wait 1 second before trying to get the item from storage, as below, does fix this issue; however, I don't believe this should be necessary.

// Workaround: defer the read so the recent unlock no longer satisfies the prompt
setTimeout(async () => {
  const result = await Keychain.getGenericPassword({
    service: 'molo',
    authenticationPrompt: {
      title: 'Biometric Sign In',
      subtitle: 'Confirm biometrics to continue.',
    },
  });
}, 1000);

This appears to be a fairly large security flaw, and I was wondering if anyone else had experienced it, or had any ideas as to why this is happening in the first place.
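The setTimeout workaround above has two practical problems beyond the fact that it should not be needed: the `result` is lost inside the callback, so nothing can await it, and because the read fires on both launch and foregrounding, two overlapping calls can trigger two biometric prompts. The following is an added example (not code from the issue author or from react-native-keychain) of the same workaround written as an awaitable helper that coalesces concurrent calls into one prompt. It assumes a `keychain` object with a `getGenericPassword(options)` method shaped like the library's, and an injectable `sleep` so it can be exercised offline with fakes; the default `settleMs` of 1000 is the value the issue reports as sufficient, not a documented OS constant.

```javascript
// Added example, not part of the issue or of react-native-keychain.
// `keychain` is assumed to expose getGenericPassword(options) like the
// library does; `sleep` is injectable so tests can skip the real wait.

function defaultSleep(ms) {
  return new Promise((resolve) => setTimeout(resolve, ms));
}

function createSettledReader({ keychain, sleep = defaultSleep, settleMs = 1000 }) {
  // Promise of the read currently in progress, if any.
  let inFlight = null;

  async function read(service, prompt) {
    // Launch and foregrounding can both call this at once; reuse the
    // pending read so the user sees a single biometric prompt.
    if (inFlight) {
      return inFlight;
    }

    inFlight = (async () => {
      try {
        // Workaround from the issue: let the recently cached unlock lapse
        // before asking the Keychain, so a fresh prompt is actually shown.
        await sleep(settleMs);
        return await keychain.getGenericPassword({
          service,
          authenticationPrompt: prompt,
        });
      } finally {
        // Clear the slot on success or failure so later reads prompt again.
        inFlight = null;
      }
    })();

    return inFlight;
  }

  return { read };
}

// Fakes so the helper can be run offline; values are constructed, not real.
function makeFakeKeychain() {
  const calls = [];
  return {
    calls,
    getGenericPassword: async (options) => {
      calls.push(options);
      return { service: options.service, username: 'demo', password: 'secret' };
    },
  };
}

function makeFakeSleep() {
  const waits = [];
  return { waits, sleep: async (ms) => { waits.push(ms); } };
}
```

In the real app the caller awaits `read('myapp', prompt)` and either uses the returned credentials or handles the rejection (user cancelled, or no entry stored), instead of a fire-and-forget timer.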

Facing the same issue. That's a really high risk problem which should get addressed soon.

Experiencing the same issue on Android!