@tetherto/wdk-react-native-secure-storage 1.0.0-beta.2 → 1.0.0-beta.4

package/dist/keychainHelpers.d.ts

@@ -1,4 +1,5 @@
 import * as Keychain from 'react-native-keychain';
+import * as LocalAuthentication from 'expo-local-authentication';
 /**
  * Keychain options for setGenericPassword
  */
@@ -6,10 +7,18 @@ export type KeychainOptions = Parameters<typeof Keychain.setGenericPassword>[2];
 /**
  * Create keychain options with conditional access control
  *
- * @param deviceAuthAvailable - Whether device authentication (biometrics/PIN) is available
+ * On Android, BIOMETRY_ANY_OR_DEVICE_PASSCODE requires at least one biometric
+ * (e.g. fingerprint) to be enrolled for BiometricPrompt to render. If the device
+ * only has a PIN/pattern/password, BiometricPrompt never appears and the keychain
+ * read silently fails. We use the security level to pick the right access control:
+ * - BIOMETRIC_WEAK/STRONG -> BIOMETRY_ANY_OR_DEVICE_PASSCODE (prompt with PIN fallback)
+ * - SECRET                -> DEVICE_PASSCODE (PIN/pattern/password prompt directly)
+ * - NONE                  -> no access control
+ *
+ * @param securityLevel - The device security level from expo-local-authentication
  * @param requireAuth - Whether authentication should be required for this operation
  * @param syncable - Whether the value should sync across devices (default: true)
  * @returns Keychain options object with appropriate access control settings
  */
-export declare function createKeychainOptions(deviceAuthAvailable: boolean, requireAuth?: boolean, syncable?: boolean): KeychainOptions;
+export declare function createKeychainOptions(securityLevel: LocalAuthentication.SecurityLevel, requireAuth?: boolean, syncable?: boolean): KeychainOptions;
 //# sourceMappingURL=keychainHelpers.d.ts.map

package/dist/keychainHelpers.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"keychainHelpers.d.ts","sourceRoot":"","sources":["../src/keychainHelpers.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,QAAQ,MAAM,uBAAuB,CAAA;AAEjD;;GAEG;AACH,MAAM,MAAM,eAAe,GAAG,UAAU,CAAC,OAAO,QAAQ,CAAC,kBAAkB,CAAC,CAAC,CAAC,CAAC,CAAA;AAE/E;;;;;;;GAOG;AACH,wBAAgB,qBAAqB,CACnC,mBAAmB,EAAE,OAAO,EAC5B,WAAW,GAAE,OAAc,EAC3B,QAAQ,GAAE,OAAc,GACvB,eAAe,CAYjB"}
+{"version":3,"file":"keychainHelpers.d.ts","sourceRoot":"","sources":["../src/keychainHelpers.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,QAAQ,MAAM,uBAAuB,CAAA;AACjD,OAAO,KAAK,mBAAmB,MAAM,2BAA2B,CAAA;AAEhE;;GAEG;AACH,MAAM,MAAM,eAAe,GAAG,UAAU,CAAC,OAAO,QAAQ,CAAC,kBAAkB,CAAC,CAAC,CAAC,CAAC,CAAA;AAE/E;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,qBAAqB,CACnC,aAAa,EAAE,mBAAmB,CAAC,aAAa,EAChD,WAAW,GAAE,OAAc,EAC3B,QAAQ,GAAE,OAAc,GACvB,eAAe,CAkBjB"}

package/dist/keychainHelpers.js

@@ -35,22 +35,35 @@ var __importStar = (this && this.__importStar) || (function () {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.createKeychainOptions = createKeychainOptions;
 const Keychain = __importStar(require("react-native-keychain"));
+const LocalAuthentication = __importStar(require("expo-local-authentication"));
 /**
  * Create keychain options with conditional access control
  *
- * @param deviceAuthAvailable - Whether device authentication (biometrics/PIN) is available
+ * On Android, BIOMETRY_ANY_OR_DEVICE_PASSCODE requires at least one biometric
+ * (e.g. fingerprint) to be enrolled for BiometricPrompt to render. If the device
+ * only has a PIN/pattern/password, BiometricPrompt never appears and the keychain
+ * read silently fails. We use the security level to pick the right access control:
+ * - BIOMETRIC_WEAK/STRONG -> BIOMETRY_ANY_OR_DEVICE_PASSCODE (prompt with PIN fallback)
+ * - SECRET                -> DEVICE_PASSCODE (PIN/pattern/password prompt directly)
+ * - NONE                  -> no access control
+ *
+ * @param securityLevel - The device security level from expo-local-authentication
  * @param requireAuth - Whether authentication should be required for this operation
  * @param syncable - Whether the value should sync across devices (default: true)
  * @returns Keychain options object with appropriate access control settings
  */
-function createKeychainOptions(deviceAuthAvailable, requireAuth = true, syncable = true) {
+function createKeychainOptions(securityLevel, requireAuth = true, syncable = true) {
     const options = {
         accessible: syncable
             ? Keychain.ACCESSIBLE.WHEN_UNLOCKED
             : Keychain.ACCESSIBLE.WHEN_UNLOCKED_THIS_DEVICE_ONLY,
     };
-    if (requireAuth && deviceAuthAvailable) {
-        options.accessControl = Keychain.ACCESS_CONTROL.BIOMETRY_ANY_OR_DEVICE_PASSCODE;
+    const isBiometricSecurityLevel = securityLevel === LocalAuthentication.SecurityLevel.BIOMETRIC_WEAK ||
+        securityLevel === LocalAuthentication.SecurityLevel.BIOMETRIC_STRONG;
+    if (requireAuth && securityLevel !== LocalAuthentication.SecurityLevel.NONE) {
+        options.accessControl = isBiometricSecurityLevel
+            ? Keychain.ACCESS_CONTROL.BIOMETRY_ANY_OR_DEVICE_PASSCODE
+            : Keychain.ACCESS_CONTROL.DEVICE_PASSCODE;
     }
     return options;
 }

package/dist/secureStorage.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"secureStorage.d.ts","sourceRoot":"","sources":["../src/secureStorage.ts"],"names":[],"mappings":"AAeA,OAAO,EAAE,MAAM,EAAiB,MAAM,UAAU,CAAA;AAoBhD;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB,qBAAqB,CAAC,EAAE,OAAO,CAAA;CAChC;AAED;;GAEG;AACH,MAAM,WAAW,wBAAwB;IACvC,iBAAiB,CAAC,EAAE,OAAO,CAAA;CAC5B;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,cAAc,CAAC,EAAE,qBAAqB,CAAA;IACtC,SAAS,CAAC,EAAE,MAAM,CAAA;CACnB;AAED;;;;;;;;;;;GAWG;AACH,MAAM,WAAW,aAAa;IAC5B,uBAAuB,IAAI,OAAO,CAAC,OAAO,CAAC,CAAA;IAC3C,oBAAoB,IAAI,OAAO,CAAC,OAAO,CAAC,CAAA;IACxC,YAAY,IAAI,OAAO,CAAC,OAAO,CAAC,CAAA;IAChC,gBAAgB,CAAC,GAAG,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,wBAAwB,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IACrG,gBAAgB,CAAC,UAAU,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,wBAAwB,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAA;IACjG,gBAAgB,CAAC,aAAa,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAC3E,gBAAgB,CAAC,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAA;IAC7D,mBAAmB,CAAC,gBAAgB,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IACjF,mBAAmB,CAAC,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAA;IAChE,eAAe,CAAC,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC;QAC5C,aAAa,EAAE,MAAM,GAAG,IAAI,CAAA;QAC5B,gBAAgB,EAAE,MAAM,GAAG,IAAI,CAAA;QAC/B,aAAa,EAAE,MAAM,GAAG,IAAI,CAAA;KAC7B,CAAC,CAAA;IACF,SAAS,CAAC,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAA;IAChD,YAAY,CAAC,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAChD;;;;;;;;;OASG;IACH,OAAO,IAAI,IAAI,CAAA;CAChB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,CAAC,EAAE,oBAAoB,GAAG,aAAa,CAsjBjF"}
+{"version":3,"file":"secureStorage.d.ts","sourceRoot":"","sources":["../src/secureStorage.ts"],"names":[],"mappings":"AAeA,OAAO,EAAE,MAAM,EAAiB,MAAM,UAAU,CAAA;AAoBhD;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB,qBAAqB,CAAC,EAAE,OAAO,CAAA;CAChC;AAED;;GAEG;AACH,MAAM,WAAW,wBAAwB;IACvC,iBAAiB,CAAC,EAAE,OAAO,CAAA;CAC5B;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,cAAc,CAAC,EAAE,qBAAqB,CAAA;IACtC,SAAS,CAAC,EAAE,MAAM,CAAA;CACnB;AAED;;;;;;;;;;;GAWG;AACH,MAAM,WAAW,aAAa;IAC5B,uBAAuB,IAAI,OAAO,CAAC,OAAO,CAAC,CAAA;IAC3C,oBAAoB,IAAI,OAAO,CAAC,OAAO,CAAC,CAAA;IACxC,YAAY,IAAI,OAAO,CAAC,OAAO,CAAC,CAAA;IAChC,gBAAgB,CAAC,GAAG,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,wBAAwB,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IACrG,gBAAgB,CAAC,UAAU,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,wBAAwB,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAA;IACjG,gBAAgB,CAAC,aAAa,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAC3E,gBAAgB,CAAC,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAA;IAC7D,mBAAmB,CAAC,gBAAgB,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IACjF,mBAAmB,CAAC,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAAA;IAChE,eAAe,CAAC,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC;QAC5C,aAAa,EAAE,MAAM,GAAG,IAAI,CAAA;QAC5B,gBAAgB,EAAE,MAAM,GAAG,IAAI,CAAA;QAC/B,aAAa,EAAE,MAAM,GAAG,IAAI,CAAA;KAC7B,CAAC,CAAA;IACF,SAAS,CAAC,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAA;IAChD,YAAY,CAAC,UAAU,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAChD;;;;;;;;;OASG;IACH,OAAO,IAAI,IAAI,CAAA;CAChB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AACH,wBAAgB,mBAAmB,CAAC,OAAO,CAAC,EAAE,oBAAoB,GAAG,aAAa,CAmjBjF"}

package/dist/secureStorage.js

@@ -216,11 +216,9 @@ function createSecureStorage(options) {
                 getDeviceSecurityLevel(),
                 (0, utils_1.getStorageKey)(baseKey, identifier),
             ]);
-            // Device has authentication if security level is not NONE
-            const deviceAuthAvailable = securityLevel !== LocalAuthentication.SecurityLevel.NONE;
             // If auth was requested but device has no security, log a warning but proceed without auth
             // Data will still be encrypted at rest by the OS, just not protected by user authentication
-            if (requireAuth && !deviceAuthAvailable) {
+            if (requireAuth && securityLevel === LocalAuthentication.SecurityLevel.NONE) {
                 logger.warn('Device has no security configured. Storing data without authentication protection.', {
                     baseKey,
                     identifier,
@@ -230,7 +228,7 @@ function createSecureStorage(options) {
             logger.debug('Storing secure value', { baseKey, identifier, requireAuth, syncable });
             const result = await (0, utils_1.withTimeout)(Keychain.setGenericPassword(baseKey, value, {
                 service: storageKey,
-                ...(0, keychainHelpers_1.createKeychainOptions)(deviceAuthAvailable, requireAuth, syncable),
+                ...(0, keychainHelpers_1.createKeychainOptions)(securityLevel, requireAuth, syncable),
             }), timeoutMs, `setSecureValue(${baseKey})`);
             if (result === false) {
                 throw new errors_1.KeychainWriteError(`Failed to store ${baseKey}`);
@@ -290,12 +288,10 @@ function createSecureStorage(options) {
                 getDeviceSecurityLevel(),
                 (0, utils_1.getStorageKey)(baseKey, identifier),
             ]);
-            // Device has authentication if security level is not NONE
-            const deviceAuthAvailable = securityLevel !== LocalAuthentication.SecurityLevel.NONE;
             // If auth was requested but device has no security, read without auth
             // Data was stored without auth protection on this device, so we can read it without auth
-            const actuallyRequireAuth = requireAuth && deviceAuthAvailable;
-            if (requireAuth && !deviceAuthAvailable) {
+            const actuallyRequireAuth = requireAuth && securityLevel !== LocalAuthentication.SecurityLevel.NONE;
+            if (requireAuth && securityLevel === LocalAuthentication.SecurityLevel.NONE) {
                 logger.warn('Device has no security configured. Reading data without authentication.', {
                     baseKey,
                     identifier,
@@ -303,9 +299,11 @@ function createSecureStorage(options) {
                 });
             }
             logger.debug('Retrieving secure value', { baseKey, identifier, requireAuth, actuallyRequireAuth });
+            const readOptions = (0, keychainHelpers_1.createKeychainOptions)(securityLevel, actuallyRequireAuth);
             const keychainOptions = actuallyRequireAuth
                 ? {
                     service: storageKey,
+                    accessControl: readOptions?.accessControl,
                     authenticationPrompt: {
                         title: authOptions.promptMessage || 'Authenticate to access your wallet',
                         cancel: authOptions.cancelLabel || 'Cancel',
@@ -487,8 +485,8 @@ function createSecureStorage(options) {
          * Returns false only when wallet is definitively not found. Errors are thrown.
          *
          * IMPORTANT: Only checks encrypted seed, NOT encryption key.
-         * Encryption key is protected with biometrics, so checking it would trigger
-         * an authentication prompt. Encrypted seed is stored without auth requirement,
+         * Encryption key can be protected with authentication, so checking it would
+         * trigger an authentication prompt. Encrypted seed is stored without auth requirement,
          * so checking it won't trigger biometrics.
          *
          * @param identifier - Optional identifier (e.g., email) to support multiple wallets
@@ -499,8 +497,8 @@ function createSecureStorage(options) {
          */
         async hasWallet(identifier) {
             // ONLY check encrypted seed - it does NOT require biometrics
-            // Encryption key is protected with ACCESS_CONTROL.BIOMETRY_ANY_OR_DEVICE_PASSCODE,
-            // so checking it would trigger a biometric prompt with the default
+            // Encryption key can be protected with keychain access control,
+            // so checking it could trigger an authentication prompt with the default
             // "Authenticate to retrieve secret" message from react-native-keychain.
             // By only checking the seed (which is stored without auth requirement),
             // we can determine wallet existence without triggering biometrics.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@tetherto/wdk-react-native-secure-storage",
-  "version": "1.0.0-beta.2",
+  "version": "1.0.0-beta.4",
   "description": "Secure storage abstractions for React Native - provides secure storage for sensitive data (encrypted seeds, keys) using react-native-keychain",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -51,8 +51,8 @@
   "author": "Tetherto",
   "license": "Apache-2.0",
   "dependencies": {
-    "expo-crypto": "^15.0.8",
-    "expo-local-authentication": "~17.0.8",
+    "expo-crypto": "^55.0.14",
+    "expo-local-authentication": "^55.0.13",
     "react-native-keychain": "^10.0.0"
   },
   "peerDependencies": {
@@ -68,5 +68,10 @@
     "prettier": "^3.0.0",
     "ts-jest": "^29.1.0",
     "typescript": "^5.3.3"
+  },
+  "overrides": {
+    "@typescript-eslint/typescript-estree": {
+      "minimatch": "9.0.7"
+    }
   }
 }

package/src/__tests__/__mocks__/expo-local-authentication.ts

@@ -15,7 +15,7 @@ export function hasHardwareAsync(): Promise<boolean> {
   return Promise.resolve(mockHasHardware)
 }
 
-export function authenticateAsync(options?: {
+export function authenticateAsync(_options?: {
   promptMessage?: string
   cancelLabel?: string
   disableDeviceFallback?: boolean

package/src/__tests__/__mocks__/react-native-keychain.ts

@@ -10,9 +10,10 @@ export const ACCESSIBLE = {
 
 export const ACCESS_CONTROL = {
   BIOMETRY_ANY_OR_DEVICE_PASSCODE: 'BIOMETRY_ANY_OR_DEVICE_PASSCODE',
+  DEVICE_PASSCODE: 'DEVICE_PASSCODE',
 }
 
-let mockStorage: Map<string, { username: string; password: string }> = new Map()
+const mockStorage: Map<string, { username: string; password: string }> = new Map()
 
 export function setGenericPassword(
   username: string,

package/src/__tests__/keychainHelpers.test.ts

@@ -0,0 +1,108 @@
+import { createKeychainOptions } from '../keychainHelpers'
+import * as Keychain from 'react-native-keychain'
+import * as LocalAuthentication from 'expo-local-authentication'
+
+jest.mock('react-native-keychain', () => ({
+  ACCESSIBLE: {
+    WHEN_UNLOCKED: 'WHEN_UNLOCKED',
+    WHEN_UNLOCKED_THIS_DEVICE_ONLY: 'WHEN_UNLOCKED_THIS_DEVICE_ONLY',
+  },
+  ACCESS_CONTROL: {
+    BIOMETRY_ANY_OR_DEVICE_PASSCODE: 'BIOMETRY_ANY_OR_DEVICE_PASSCODE',
+    DEVICE_PASSCODE: 'DEVICE_PASSCODE',
+  },
+}))
+
+jest.mock('expo-local-authentication', () => ({
+  SecurityLevel: {
+    NONE: 0,
+    SECRET: 1,
+    BIOMETRIC: 2,
+    BIOMETRIC_WEAK: 2,
+    BIOMETRIC_STRONG: 3,
+  },
+}))
+
+const { SecurityLevel } = LocalAuthentication
+
+describe('createKeychainOptions', () => {
+  describe('access control selection by security level', () => {
+    it('should use BIOMETRY_ANY_OR_DEVICE_PASSCODE when security level is BIOMETRIC_WEAK', () => {
+      const options = createKeychainOptions(SecurityLevel.BIOMETRIC_WEAK, true, true)
+
+      expect(options).toHaveProperty(
+        'accessControl',
+        Keychain.ACCESS_CONTROL.BIOMETRY_ANY_OR_DEVICE_PASSCODE
+      )
+    })
+
+    it('should use BIOMETRY_ANY_OR_DEVICE_PASSCODE when security level is BIOMETRIC_STRONG', () => {
+      const options = createKeychainOptions(SecurityLevel.BIOMETRIC_STRONG, true, true)
+
+      expect(options).toHaveProperty(
+        'accessControl',
+        Keychain.ACCESS_CONTROL.BIOMETRY_ANY_OR_DEVICE_PASSCODE
+      )
+    })
+
+    it('should use DEVICE_PASSCODE when security level is SECRET (PIN only)', () => {
+      const options = createKeychainOptions(SecurityLevel.SECRET, true, true)
+
+      expect(options).toHaveProperty('accessControl', Keychain.ACCESS_CONTROL.DEVICE_PASSCODE)
+    })
+
+    it('should not set accessControl when security level is NONE', () => {
+      const options = createKeychainOptions(SecurityLevel.NONE, true, true)
+
+      expect(options).not.toHaveProperty('accessControl')
+    })
+  })
+
+  describe('requireAuth=false bypasses access control', () => {
+    it('should not set accessControl when requireAuth is false even with BIOMETRIC_WEAK', () => {
+      const options = createKeychainOptions(SecurityLevel.BIOMETRIC_WEAK, false, true)
+
+      expect(options).not.toHaveProperty('accessControl')
+    })
+
+    it('should not set accessControl when requireAuth is false even with SECRET', () => {
+      const options = createKeychainOptions(SecurityLevel.SECRET, false, true)
+
+      expect(options).not.toHaveProperty('accessControl')
+    })
+  })
+
+  describe('accessible flag based on syncable', () => {
+    it('should use WHEN_UNLOCKED when syncable is true', () => {
+      const options = createKeychainOptions(SecurityLevel.BIOMETRIC_WEAK, true, true)
+
+      expect(options).toHaveProperty('accessible', Keychain.ACCESSIBLE.WHEN_UNLOCKED)
+    })
+
+    it('should use WHEN_UNLOCKED_THIS_DEVICE_ONLY when syncable is false', () => {
+      const options = createKeychainOptions(SecurityLevel.BIOMETRIC_WEAK, true, false)
+
+      expect(options).toHaveProperty(
+        'accessible',
+        Keychain.ACCESSIBLE.WHEN_UNLOCKED_THIS_DEVICE_ONLY
+      )
+    })
+  })
+
+  describe('defaults', () => {
+    it('should default requireAuth to true', () => {
+      const options = createKeychainOptions(SecurityLevel.BIOMETRIC_WEAK)
+
+      expect(options).toHaveProperty(
+        'accessControl',
+        Keychain.ACCESS_CONTROL.BIOMETRY_ANY_OR_DEVICE_PASSCODE
+      )
+    })
+
+    it('should default syncable to true', () => {
+      const options = createKeychainOptions(SecurityLevel.NONE)
+
+      expect(options).toHaveProperty('accessible', Keychain.ACCESSIBLE.WHEN_UNLOCKED)
+    })
+  })
+})

package/src/__tests__/secureStorage.test.ts

@@ -27,6 +27,7 @@ jest.mock('react-native-keychain', () => ({
   },
   ACCESS_CONTROL: {
     BIOMETRY_ANY_OR_DEVICE_PASSCODE: 'BIOMETRY_ANY_OR_DEVICE_PASSCODE',
+    DEVICE_PASSCODE: 'DEVICE_PASSCODE',
   },
   STORAGE_TYPE: {
     AES_CBC: 'KeystoreAESCBC',
@@ -48,6 +49,8 @@ jest.mock('expo-local-authentication', () => ({
     NONE: 0,
     SECRET: 1,
     BIOMETRIC: 2,
+    BIOMETRIC_WEAK: 2,
+    BIOMETRIC_STRONG: 3,
   },
 }))
 
@@ -90,8 +93,8 @@ describe('SecureStorage', () => {
     mockLocalAuth.isEnrolledAsync.mockResolvedValue(true)
     mockLocalAuth.hasHardwareAsync.mockResolvedValue(true)
     mockLocalAuth.authenticateAsync.mockResolvedValue({ success: true })
-    // Default to BIOMETRIC security level (device has authentication)
-    ;(mockLocalAuth as any).getEnrolledLevelAsync.mockResolvedValue(2) // SecurityLevel.BIOMETRIC
+    // Default to biometric security level (device has authentication)
+    ;(mockLocalAuth as any).getEnrolledLevelAsync.mockResolvedValue(2) // SecurityLevel.BIOMETRIC_WEAK
     
     mockKeychain.setGenericPassword.mockResolvedValue({ 
       service: 'test', 
@@ -185,7 +188,17 @@ describe('SecureStorage', () => {
     });
 
     it('should store encryption key with biometrics by default', async () => {
-      (mockLocalAuth as any).getEnrolledLevelAsync.mockResolvedValue(2); // BIOMETRIC
+      (mockLocalAuth as any).getEnrolledLevelAsync.mockResolvedValue(2); // BIOMETRIC_WEAK
+
+      await storage.setEncryptionKey('test-key');
+
+      expect(mockKeychain.setGenericPassword).toHaveBeenCalledTimes(1);
+      const options = mockKeychain.setGenericPassword.mock.calls[0][2];
+      expect(options).toHaveProperty('accessControl', Keychain.ACCESS_CONTROL.BIOMETRY_ANY_OR_DEVICE_PASSCODE);
+    });
+
+    it('should store encryption key with biometrics when security level is BIOMETRIC_STRONG', async () => {
+      (mockLocalAuth as any).getEnrolledLevelAsync.mockResolvedValue(3); // BIOMETRIC_STRONG
 
       await storage.setEncryptionKey('test-key');
 
@@ -195,7 +208,7 @@ describe('SecureStorage', () => {
     });
 
     it('should store encryption key with biometrics when requireBiometrics is true', async () => {
-        (mockLocalAuth as any).getEnrolledLevelAsync.mockResolvedValue(2); // BIOMETRIC
+        (mockLocalAuth as any).getEnrolledLevelAsync.mockResolvedValue(2); // BIOMETRIC_WEAK
 
         await storage.setEncryptionKey('test-key', undefined, { requireBiometrics: true });
 
@@ -203,6 +216,26 @@ describe('SecureStorage', () => {
         const options = mockKeychain.setGenericPassword.mock.calls[0][2];
         expect(options).toHaveProperty('accessControl', Keychain.ACCESS_CONTROL.BIOMETRY_ANY_OR_DEVICE_PASSCODE);
     });
+
+    it('should use DEVICE_PASSCODE when device has PIN but no biometrics', async () => {
+      (mockLocalAuth as any).getEnrolledLevelAsync.mockResolvedValue(1); // SECRET
+
+      await storage.setEncryptionKey('test-key');
+
+      expect(mockKeychain.setGenericPassword).toHaveBeenCalledTimes(1);
+      const options = mockKeychain.setGenericPassword.mock.calls[0][2];
+      expect(options).toHaveProperty('accessControl', Keychain.ACCESS_CONTROL.DEVICE_PASSCODE);
+    });
+
+    it('should not set accessControl when device has no security', async () => {
+      (mockLocalAuth as any).getEnrolledLevelAsync.mockResolvedValue(0); // NONE
+
+      await storage.setEncryptionKey('test-key');
+
+      expect(mockKeychain.setGenericPassword).toHaveBeenCalledTimes(1);
+      const options = mockKeychain.setGenericPassword.mock.calls[0][2];
+      expect(options).not.toHaveProperty('accessControl');
+    });
   })
 
   describe('getEncryptionKey', () => {
@@ -280,23 +313,63 @@ describe('SecureStorage', () => {
     });
 
     it('should retrieve key with authentication by default', async () => {
-      (mockLocalAuth as any).getEnrolledLevelAsync.mockResolvedValue(2); // BIOMETRIC
+      (mockLocalAuth as any).getEnrolledLevelAsync.mockResolvedValue(2); // BIOMETRIC_WEAK
       
       await storage.getEncryptionKey();
 
       expect(mockKeychain.getGenericPassword).toHaveBeenCalledTimes(1);
       const options = mockKeychain.getGenericPassword.mock.calls[0][0];
       expect(options).toHaveProperty('authenticationPrompt');
+      expect(options).toHaveProperty('accessControl', Keychain.ACCESS_CONTROL.BIOMETRY_ANY_OR_DEVICE_PASSCODE);
     });
 
-    it('should retrieve key with authentication when requireBiometrics is true', async () => {
-      (mockLocalAuth as any).getEnrolledLevelAsync.mockResolvedValue(2); // BIOMETRIC
+    it('should retrieve key with BIOMETRY_ANY_OR_DEVICE_PASSCODE when BIOMETRIC_STRONG', async () => {
+      (mockLocalAuth as any).getEnrolledLevelAsync.mockResolvedValue(3); // BIOMETRIC_STRONG
       
-      await storage.getEncryptionKey(undefined, { requireBiometrics: true });
+      await storage.getEncryptionKey();
     
       expect(mockKeychain.getGenericPassword).toHaveBeenCalledTimes(1);
       const options = mockKeychain.getGenericPassword.mock.calls[0][0];
       expect(options).toHaveProperty('authenticationPrompt');
+      expect(options).toHaveProperty('accessControl', Keychain.ACCESS_CONTROL.BIOMETRY_ANY_OR_DEVICE_PASSCODE);
+    });
+
+    it('should retrieve key with DEVICE_PASSCODE when device has PIN but no biometrics', async () => {
+      (mockLocalAuth as any).getEnrolledLevelAsync.mockResolvedValue(1); // SECRET
+
+      mockKeychain.getGenericPassword.mockResolvedValue({
+        service: 'test',
+        username: 'wallet_encryption_key',
+        password: 'test-key',
+        storage: Keychain.STORAGE_TYPE.AES_GCM,
+      })
+
+      const key = await storage.getEncryptionKey();
+
+      expect(key).toBe('test-key');
+      expect(mockKeychain.getGenericPassword).toHaveBeenCalledTimes(1);
+      const options = mockKeychain.getGenericPassword.mock.calls[0][0];
+      expect(options).toHaveProperty('authenticationPrompt');
+      expect(options).toHaveProperty('accessControl', Keychain.ACCESS_CONTROL.DEVICE_PASSCODE);
+    });
+
+    it('should retrieve key without authentication when device has no security', async () => {
+      (mockLocalAuth as any).getEnrolledLevelAsync.mockResolvedValue(0); // NONE
+
+      mockKeychain.getGenericPassword.mockResolvedValue({
+        service: 'test',
+        username: 'wallet_encryption_key',
+        password: 'test-key',
+        storage: Keychain.STORAGE_TYPE.AES_GCM,
+      })
+
+      const key = await storage.getEncryptionKey();
+
+      expect(key).toBe('test-key');
+      expect(mockKeychain.getGenericPassword).toHaveBeenCalledTimes(1);
+      const options = mockKeychain.getGenericPassword.mock.calls[0][0];
+      expect(options).not.toHaveProperty('authenticationPrompt');
+      expect(options).not.toHaveProperty('accessControl');
     });
   })
 

package/src/keychainHelpers.ts

@@ -1,4 +1,5 @@
 import * as Keychain from 'react-native-keychain'
+import * as LocalAuthentication from 'expo-local-authentication'
 
 /**
  * Keychain options for setGenericPassword
@@ -8,13 +9,21 @@ export type KeychainOptions = Parameters<typeof Keychain.setGenericPassword>[2]
 /**
  * Create keychain options with conditional access control
  * 
- * @param deviceAuthAvailable - Whether device authentication (biometrics/PIN) is available
+ * On Android, BIOMETRY_ANY_OR_DEVICE_PASSCODE requires at least one biometric
+ * (e.g. fingerprint) to be enrolled for BiometricPrompt to render. If the device
+ * only has a PIN/pattern/password, BiometricPrompt never appears and the keychain
+ * read silently fails. We use the security level to pick the right access control:
+ * - BIOMETRIC_WEAK/STRONG -> BIOMETRY_ANY_OR_DEVICE_PASSCODE (prompt with PIN fallback)
+ * - SECRET                -> DEVICE_PASSCODE (PIN/pattern/password prompt directly)
+ * - NONE                  -> no access control
+ * 
+ * @param securityLevel - The device security level from expo-local-authentication
  * @param requireAuth - Whether authentication should be required for this operation
  * @param syncable - Whether the value should sync across devices (default: true)
  * @returns Keychain options object with appropriate access control settings
  */
 export function createKeychainOptions(
-  deviceAuthAvailable: boolean,
+  securityLevel: LocalAuthentication.SecurityLevel,
   requireAuth: boolean = true,
   syncable: boolean = true
 ): KeychainOptions {
@@ -24,8 +33,14 @@ export function createKeychainOptions(
       : Keychain.ACCESSIBLE.WHEN_UNLOCKED_THIS_DEVICE_ONLY,
   }
   
-  if (requireAuth && deviceAuthAvailable) {
-    options.accessControl = Keychain.ACCESS_CONTROL.BIOMETRY_ANY_OR_DEVICE_PASSCODE
+  const isBiometricSecurityLevel =
+    securityLevel === LocalAuthentication.SecurityLevel.BIOMETRIC_WEAK ||
+    securityLevel === LocalAuthentication.SecurityLevel.BIOMETRIC_STRONG
+  
+  if (requireAuth && securityLevel !== LocalAuthentication.SecurityLevel.NONE) {
+    options.accessControl = isBiometricSecurityLevel
+      ? Keychain.ACCESS_CONTROL.BIOMETRY_ANY_OR_DEVICE_PASSCODE
+      : Keychain.ACCESS_CONTROL.DEVICE_PASSCODE
   }
   
   return options

package/src/secureStorage.ts

@@ -292,12 +292,9 @@ export function createSecureStorage(options?: SecureStorageOptions): SecureStora
         getStorageKey(baseKey, identifier),
       ])
       
-      // Device has authentication if security level is not NONE
-      const deviceAuthAvailable = securityLevel !== LocalAuthentication.SecurityLevel.NONE
-      
       // If auth was requested but device has no security, log a warning but proceed without auth
       // Data will still be encrypted at rest by the OS, just not protected by user authentication
-      if (requireAuth && !deviceAuthAvailable) {
+      if (requireAuth && securityLevel === LocalAuthentication.SecurityLevel.NONE) {
         logger.warn('Device has no security configured. Storing data without authentication protection.', { 
           baseKey, 
           identifier,
@@ -310,7 +307,7 @@ export function createSecureStorage(options?: SecureStorageOptions): SecureStora
       const result = await withTimeout(
         Keychain.setGenericPassword(baseKey, value, {
           service: storageKey,
-          ...createKeychainOptions(deviceAuthAvailable, requireAuth, syncable),
+          ...createKeychainOptions(securityLevel, requireAuth, syncable),
         }),
         timeoutMs,
         `setSecureValue(${baseKey})`
@@ -395,14 +392,11 @@ export function createSecureStorage(options?: SecureStorageOptions): SecureStora
         getStorageKey(baseKey, identifier),
       ])
       
-      // Device has authentication if security level is not NONE
-      const deviceAuthAvailable = securityLevel !== LocalAuthentication.SecurityLevel.NONE
-      
       // If auth was requested but device has no security, read without auth
       // Data was stored without auth protection on this device, so we can read it without auth
-      const actuallyRequireAuth = requireAuth && deviceAuthAvailable
+      const actuallyRequireAuth = requireAuth && securityLevel !== LocalAuthentication.SecurityLevel.NONE
       
-      if (requireAuth && !deviceAuthAvailable) {
+      if (requireAuth && securityLevel === LocalAuthentication.SecurityLevel.NONE) {
         logger.warn('Device has no security configured. Reading data without authentication.', { 
           baseKey, 
           identifier,
@@ -412,9 +406,12 @@ export function createSecureStorage(options?: SecureStorageOptions): SecureStora
       
       logger.debug('Retrieving secure value', { baseKey, identifier, requireAuth, actuallyRequireAuth })
 
+      const readOptions = createKeychainOptions(securityLevel, actuallyRequireAuth)
+
       const keychainOptions = actuallyRequireAuth
         ? {
             service: storageKey,
+            accessControl: readOptions?.accessControl,
             authenticationPrompt: {
               title: authOptions.promptMessage || 'Authenticate to access your wallet',
               cancel: authOptions.cancelLabel || 'Cancel',
@@ -618,8 +615,8 @@ export function createSecureStorage(options?: SecureStorageOptions): SecureStora
      * Returns false only when wallet is definitively not found. Errors are thrown.
      * 
      * IMPORTANT: Only checks encrypted seed, NOT encryption key.
-     * Encryption key is protected with biometrics, so checking it would trigger
-     * an authentication prompt. Encrypted seed is stored without auth requirement,
+     * Encryption key can be protected with authentication, so checking it would
+     * trigger an authentication prompt. Encrypted seed is stored without auth requirement,
      * so checking it won't trigger biometrics.
      * 
      * @param identifier - Optional identifier (e.g., email) to support multiple wallets
@@ -630,8 +627,8 @@ export function createSecureStorage(options?: SecureStorageOptions): SecureStora
      */
     async hasWallet(identifier?: string): Promise<boolean> {
       // ONLY check encrypted seed - it does NOT require biometrics
-      // Encryption key is protected with ACCESS_CONTROL.BIOMETRY_ANY_OR_DEVICE_PASSCODE,
-      // so checking it would trigger a biometric prompt with the default
+      // Encryption key can be protected with keychain access control,
+      // so checking it could trigger an authentication prompt with the default
       // "Authenticate to retrieve secret" message from react-native-keychain.
       // By only checking the seed (which is stored without auth requirement),
       // we can determine wallet existence without triggering biometrics.