Biometric authentication is an interesting process on iOS, and your article presents a great introduction to it. That said, there are a few additional issues of which developers should be aware.
“All of this means you can comfortably hand over the responsibility of handling login information to the Keychain…”
This is perhaps the biggest problem. It should be noted that tools exist to examine and dump an unlocked keychain. As such, it’s highly recommended passwords and other confidential information be encrypted by the application PRIOR to storing such data in the keychain, and decrypting it upon retrieval.
Failure to encrypt confidential data going into the keychain can and will be flagged as a security issue should your app ever undergo penetration testing.
Also, Apple’s sample keychain code fails to set kSecAttrAccessible. This variable is used to specify when the application needs access to that data. Developers should be careful about keychain access and always use the most restrictive option suitable to their needs.
The next point is that LABiometryType is only available on iOS 11. If your app supports iOS 10 or lower, you’ll need to wrap your LABiometryType check in an #available(iOS 11.0, *) condition test.
Finally, as of iOS 10 canEvaluatePolicy() will return LAErrorTouchIDLockout if the user has too many failed authentication attempts. More to the point, the system will no longer automatically present the PIN entry screen to correct this problem.
If you want to allow the user to correct Touch/Face ID lockout issues, you need to check canEvaluatePolicy() for an LAErrorTouchIDLockout error, and then retry the process using LAPolicyDeviceOwnerAuthentication.
canEvaluatePolicy() may also return LAErrorTouchIDLockout, making it a somewhat problematic function call. If locked out, biometric authentication IS available on the device, but canEvaluatePolicy() will fail as mentioned above (even though pin access is available).
Developers should also be aware that Apple may lie to the app about whether or not biometric authentication is available on a given device, especially if the user has previously blocked app access.
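As an added illustration (not code from the article or from this comment), here is how the lockout fallback and the #available guard described above, plus a keychain write with an explicit kSecAttrAccessible, could look in Swift. The function names are assumptions, and the keychain helper assumes the app has already encrypted the data it passes in.

```swift
import LocalAuthentication
import Security

// Pick the LAPolicy to evaluate. Prefer biometrics; if canEvaluatePolicy()
// reports a lockout, fall back to .deviceOwnerAuthentication so the user can
// clear the lockout with the device passcode (iOS no longer does this itself).
func selectAuthenticationPolicy(context: LAContext) -> LAPolicy? {
    var error: NSError?
    if context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &error) {
        return .deviceOwnerAuthenticationWithBiometrics
    }
    guard let code = error.flatMap({ LAError.Code(rawValue: $0.code) }) else { return nil }
    let lockedOut: Bool
    if #available(iOS 11.0, *) {
        lockedOut = (code == .biometryLockout)   // iOS 11 name for the lockout error
    } else {
        lockedOut = (code == .touchIDLockout)    // iOS 10 name, same raw value
    }
    // Locked out: biometrics exist on the device but cannot be used until the
    // passcode is entered, so only the passcode-capable policy makes sense here.
    return lockedOut ? .deviceOwnerAuthentication : nil
}

// Hypothetical wrapper: evaluate whichever policy is usable right now.
func authenticate(reason: String, completion: @escaping (Bool, Error?) -> Void) {
    let context = LAContext()
    guard let policy = selectAuthenticationPolicy(context: context) else {
        completion(false, nil)   // nothing usable; treat as an app-level failure
        return
    }
    context.evaluatePolicy(policy, localizedReason: reason) { ok, err in completion(ok, err) }
}

// Store a value in the keychain with kSecAttrAccessible set explicitly to the
// most restrictive common option. `ciphertext` is assumed to have been encrypted
// by the app before this call, as the comment above recommends.
func storeCiphertext(_ ciphertext: Data, account: String) -> OSStatus {
    let item: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrAccount as String: account,
        kSecValueData as String: ciphertext,
        kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
    ]
    SecItemDelete(item as CFDictionary)          // replace any previous value
    return SecItemAdd(item as CFDictionary, nil) // errSecSuccess on success
}
```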