Hi, I personally asked for this a long time ago.
Please do not rely on Touch ID, although it is comfortable.
Security has never been as comfortable as being insecure.
And Touch ID does not withstand being forced to press the button with your own or a faked finger, which could be ordered by executive forces nearly everywhere without a judge, whereas a password that has to be keyed in withstands most countries' codes of conduct (without some, even in the US), e.g. at border gateway control. A removed certificate withstands all such orders and attempts with simplicity, since you cannot give what you don't have any more, or never even had. Who knows…
Programming efforts should not be so much higher, at least, even if you offer unlocking the certificate with Touch ID when on secure ground (and the certificate is present).
Even the US's own security advisors (NIST) force US officials to behave this way (NIST SP 800-xxx) by law when carrying confidential material for whatsoever reasons in whatsoever countries (including the US itself. Believe me, they know the reasons why strong cryptography shall be used at all times).
Let's have a look at Data Protection Laws (Germany / EU (BDSG, DSGVO, GDPR)): they require the respective data to be protected with strong measures and do not allow relying on weak measures (which the iOS protection is from that point of view, since it is vulnerable to tampering with the press of a finger, or by simply getting no PIN or a weak PIN as a "security measure" - who knows?).
Physicians (with patient data), tax advisors, lawyers, pastors (with their clients' data) or pharmacists (with prescription data), for example, who carry such sensitive personal data within such easy-to-weaken devices are already exposed to at least StGB §203 in Germany.
CEOs and such: §43 GmbHG, §130 OWiG (Germany) and so forth.
Most of them actually do not even think one single thought about that (and if they do, they tend to close their eyes), but from May 25, 2018 on, in the whole EU there will be tougher and more rigid sanctions on the data controller ("the/your company/YOU"), including ("must be applied" instead of "can be applied") fines of €20,000,000 or 4% of the worldwide yearly (!) turnover of their respective companies, whichever is higher, even if a data processor ("the contractor") failed to meet the regulations.
Giving the mobile application an appropriate strength now could, as you see, be a marketing argument as well, preventing your customers from having to travel with emptied devices, as many companies already order their employees to do when they have to travel to countries where privacy or human rights are in question.
Just my 2ct.
Dietmar