[Touch ID Plugin] v3.2.3 allows biometric bypass on iOS
Forge component by OutSystems R&D
Published on 09 Dec 2020

Since v3.2.3 the "bug fix" around iOS Policy means that Biometrics can now be bypassed by the user in favour of using the device passcode. While this may be useful for some, this has broken our authentication - we do *not* want users to be able to use the device passcode to authenticate into our mobile app, as we have no control over whether the user has set a sensible PIN on their device.

I suggest that the option for allowing fallback to device PIN should be exposed as an Option in the plugin, rather than forcing this change of behaviour.

Reference for change of behaviour:
v3.2.3 uses policy "LAPolicyDeviceOwnerAuthentication" which falls back on device passcode if biometry is not available or is skipped.

Earlier versions use policy "LAPolicyDeviceOwnerAuthenticationWithBiometrics" which enforces the use of biometrics. This is why we used the Touch ID plugin in the first place!

Link to the commit which changed this behaviour:
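
The policy difference described in the post above, as an added Objective-C example that is not part of the original post and is not the plugin's own code. The helper `AuthenticateUser` and its `allowPasscodeFallback` parameter are hypothetical, standing in for the option the post asks for; the LocalAuthentication calls and constants are Apple's.

```objc
#import <Foundation/Foundation.h>
#import <LocalAuthentication/LocalAuthentication.h>

// Hypothetical helper (not from the Touch ID plugin): the caller decides
// whether the device passcode may stand in for biometrics.
static void AuthenticateUser(BOOL allowPasscodeFallback,
                             NSString *reason,
                             void (^completion)(BOOL success, NSError *error)) {
    LAContext *context = [[LAContext alloc] init];

    // LAPolicyDeviceOwnerAuthentication accepts biometrics OR the passcode.
    // LAPolicyDeviceOwnerAuthenticationWithBiometrics accepts biometrics only.
    LAPolicy policy = allowPasscodeFallback
        ? LAPolicyDeviceOwnerAuthentication
        : LAPolicyDeviceOwnerAuthenticationWithBiometrics;

    if (!allowPasscodeFallback) {
        // An empty title hides the fallback button in the biometric prompt,
        // so the user is not offered a passcode path at all.
        context.localizedFallbackTitle = @"";
    }

    // Fail closed: under the biometrics-only policy this returns NO when
    // biometry is unavailable, not enrolled, or locked out, instead of
    // silently dropping to the passcode.
    NSError *policyError = nil;
    if (![context canEvaluatePolicy:policy error:&policyError]) {
        completion(NO, policyError);
        return;
    }

    [context evaluatePolicy:policy
            localizedReason:reason
                      reply:^(BOOL success, NSError *error) {
        // The reply block runs on a private queue; hand the result back
        // on the main queue for UI work.
        dispatch_async(dispatch_get_main_queue(), ^{
            completion(success, error);
        });
    }];
}
```

Calling this with `allowPasscodeFallback` set to `NO` gives the behaviour the post attributes to earlier plugin versions; `YES` gives the v3.2.3 behaviour.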