Testing Confirm Credentials
Make sure that the unlocked key is used during the application flow. For example, the key may be used to decrypt local storage or a message received from a remote endpoint. If the application simply checks whether the user has unlocked the key or not, the application may be vulnerable to a local authentication bypass.
Validate the duration of time (seconds) for which the key is authorized to be used after the user is successfully authenticated. This is only needed if
setUserAuthenticationRequired is used.