I’m working on an application for iPad in Xcode 4.2 and I authenticate my users with a MySQL database. I’m wondering what’s the best practice for keeping track of a user that has logged in.
Can I just make a variable in my AppDelegate, for example:
```objc
@interface beAppDelegate : UIResponder <UIApplicationDelegate> {
    BOOL loggedin;   // a plain BOOL flag, not a BOOL * pointer
}
- (void)setLoggedin:(BOOL)newLoggedin;
@end
```
and set that value to true when the correct username and password are entered?
Or should I use a plist to store the fact that a user has logged in?
Can someone tell me the safest way?
Best practice is to rely on the operating system having already done that for you, and to avoid presenting your own UI for login.
iOS already has a built-in authentication mechanism, used for controlling the screen lock and protecting files and keychain storage. The user can set (or their IT department can mandate) a passcode of any complexity: iOS will manage presenting that UI, granting access on successful entry of the passcode and keeping attackers out by limiting the rate and number of guesses at the passcode. This process uses PBKDF2 to generate decryption keys used to access confidential storage, so without the passcode this storage is completely unavailable throughout iOS and to offline attacks. Unless your system replicates all of this, you’ve gone to less effort to provide a worse implementation. If you do replicate all of that, then you’ve gone to a lot of effort to provide a potentially buggy version of something that was available to you already.
But it’s worse than that: we also need to consider the user experience of presenting multiple login demands. Your app isn’t being used in vacuo: your customers have all sorts of other apps on their devices including email and messaging applications. If they are concerned about the confidentiality of any of that information, they can configure the iOS password to protect all of it – and your app’s password prompt becomes superfluous and annoying. Conversely, if they aren’t concerned about confidentiality then they won’t set a passcode, and your app’s password prompt becomes unexpected, superfluous and annoying.
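The keychain half of the answer's advice in code, as an added example rather than anything from the original question or answer: after the server accepts the username and password, the session token it returns is kept in the keychain with passcode-gated accessibility, so "is the user logged in" becomes "can the OS give me the token right now". The service name, the `BE` helper functions and the idea of a server-issued token are assumptions for the illustration; the code uses the Xcode 4.2-era ARC syntax the question mentions.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Assumed service name for this app's keychain items (not from the original post).
static NSString * const kBESessionService = @"com.example.beApp.session";

// Keep the session token the server handed back after a successful login in the
// keychain, readable only while the device is unlocked with its passcode and
// never migrated to another device through a backup.
BOOL BESaveSessionToken(NSString *account, NSString *token)
{
    NSDictionary *query = [NSDictionary dictionaryWithObjectsAndKeys:
        (__bridge id)kSecClassGenericPassword, (__bridge id)kSecClass,
        kBESessionService,                     (__bridge id)kSecAttrService,
        account,                               (__bridge id)kSecAttrAccount, nil];
    // Drop any stale token for this account so SecItemAdd does not report a duplicate.
    SecItemDelete((__bridge CFDictionaryRef)query);

    NSMutableDictionary *item = [query mutableCopy];
    [item setObject:[token dataUsingEncoding:NSUTF8StringEncoding]
             forKey:(__bridge id)kSecValueData];
    [item setObject:(__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly
             forKey:(__bridge id)kSecAttrAccessible];
    return SecItemAdd((__bridge CFDictionaryRef)item, NULL) == errSecSuccess;
}

// Returns the stored token, or nil when none exists or the OS refuses access
// (errSecInteractionNotAllowed while the device is locked).
NSString *BELoadSessionToken(NSString *account)
{
    NSDictionary *query = [NSDictionary dictionaryWithObjectsAndKeys:
        (__bridge id)kSecClassGenericPassword, (__bridge id)kSecClass,
        kBESessionService,                     (__bridge id)kSecAttrService,
        account,                               (__bridge id)kSecAttrAccount,
        (__bridge id)kCFBooleanTrue,           (__bridge id)kSecReturnData,
        (__bridge id)kSecMatchLimitOne,        (__bridge id)kSecMatchLimit, nil];
    CFTypeRef result = NULL;
    if (SecItemCopyMatching((__bridge CFDictionaryRef)query, &result) != errSecSuccess)
        return nil;
    return [[NSString alloc] initWithData:(__bridge_transfer NSData *)result
                                 encoding:NSUTF8StringEncoding];
}

// "Logged in" then means: a protected token exists and the OS lets us read it now.
// No BOOL in the app delegate and no plist flag that lives outside OS protection.
BOOL BEIsLoggedIn(NSString *account)
{
    return BELoadSessionToken(account) != nil;
}
```

Files the app writes itself get the same treatment through `NSDataWritingFileProtectionComplete` in `-[NSData writeToFile:options:error:]`, which ties their encryption key to the passcode in the same way.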