Thank you for your reply (You are a legend at Apple!) The linked conversation is using an interesting approach, where a SecureEnclave protected key pair protected with .userPresence could be used to manually encrypt tokens before storing them in the keychain.

Just found that using kSecMatchLimit with kSecMatchLimitAll effectively limits FaceID prompts to a single one. kSecMatchLimitOne in separate calls will produce one faceID prompt per call.