This repository has been archived by the owner on Dec 15, 2022. It is now read-only.

Enable MacOS Passcode/TouchID Access Control Flags #405

Open
traviscollins opened this issue Jul 30, 2021 · 2 comments

Comments

@traviscollins

Summary

Enable by default or optionally in MacOS the access control flags that require authentication with a passcode or touchid to access keys created by this library.

Motivation

MacOS and iOS users are trained to the idea that password access requires unlocking the keychain via a passcode or touchid. It seems very odd to be able to instantly access passwords without this behavior in MacOS. This library currently provides no interface to enable these access control features.

Enabling this feature also ensures that other applications can not access the secrets, at least without the user consenting to them doing so.

Describe alternatives you've considered

This same effect can be simulated using a separate library only for touchid validation before accessing the keychain, but that's window dressing compared to actually requiring authentication to access the secrets in the macOS keychain.

Additional context

I believe this is the method that sets the access control flags for newly created keychain items.

https://developer.apple.com/documentation/security/1394452-secaccesscontrolcreatewithflags

I have tested this by manually changing the access control options in the keychain, and the getPassword(...) feature in this library works well with the various options enabled.

@craxal

craxal commented Jan 19, 2022

@traviscollins Is this issue about allowing the option to use TouchID to authorize Keychain access? Normally you have to enter your password to do that, and that can get tedious.

@traviscollins
Author

traviscollins commented Jan 19, 2022

MacOS has the SecAccessControlCreateFlags type that allows you to define simple or complex combinations of authentication to access passwords in the keychain. This library should allow the developer to at least set the "require password or touch id" configuration. That would allow apps that use this package to present macos users with a familiar and more secure experience.
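The following is an added example illustrating the mechanism discussed in the issue body and in the comment above; it is not code from this library or from either commenter. It shows what a "require Touch ID or password" item looks like at the Security-framework level: `SecAccessControlCreateWithFlags` builds the access-control object, `SecItemAdd` attaches it to a new generic-password item, and `SecItemCopyMatching` triggers the system authentication prompt when the secret is read back. The service name, account name, prompt text and the two helper functions are assumptions for illustration only.

```swift
import Foundation
import Security
import LocalAuthentication

/// Hypothetical helper (not this library's API): store a password that can only
/// be read after the user authenticates with Touch ID or the login password.
func addProtectedPassword(service: String, account: String, password: String) -> OSStatus {
    var cfError: Unmanaged<CFError>?
    // kSecAttrAccessibleWhenUnlockedThisDeviceOnly: never synced to iCloud Keychain.
    // .userPresence: Touch ID, falling back to the account password. For an explicit
    // policy use a combination such as [.biometryAny, .or, .devicePasscode].
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        .userPresence,
        &cfError
    ) else {
        return errSecParam
    }

    let query: [CFString: Any] = [
        kSecClass: kSecClassGenericPassword,
        kSecAttrService: service,
        kSecAttrAccount: account,
        kSecValueData: Data(password.utf8),
        kSecAttrAccessControl: access,
        // On macOS, access-control flags are honoured by the data protection keychain
        // (macOS 10.15+), not the legacy file-based keychain. Using it requires the
        // binary to be code-signed with an application-identifier entitlement;
        // otherwise SecItemAdd fails with errSecMissingEntitlement (-34018).
        kSecUseDataProtectionKeychain: true,
    ]
    return SecItemAdd(query as CFDictionary, nil)
}

/// Outcome of a read, separating "user dismissed the prompt" from other errors.
enum KeychainReadResult {
    case found(String)
    case notFound
    case cancelled        // errSecUserCanceled: the user dismissed the prompt
    case failed(OSStatus)
}

/// Hypothetical helper: read the password. The system shows the Touch ID /
/// password dialog inside SecItemCopyMatching; data is returned only on success.
func readProtectedPassword(service: String, account: String, reason: String) -> KeychainReadResult {
    let context = LAContext()
    context.localizedReason = reason   // text shown in the authentication dialog

    let query: [CFString: Any] = [
        kSecClass: kSecClassGenericPassword,
        kSecAttrService: service,
        kSecAttrAccount: account,
        kSecReturnData: true,
        kSecMatchLimit: kSecMatchLimitOne,
        kSecUseDataProtectionKeychain: true,
        kSecUseAuthenticationContext: context,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    switch status {
    case errSecSuccess:
        guard let data = item as? Data, let text = String(data: data, encoding: .utf8) else {
            return .failed(errSecDecode)
        }
        return .found(text)
    case errSecItemNotFound:
        return .notFound
    case errSecUserCanceled:
        return .cancelled
    default:
        return .failed(status)
    }
}

// Usage with constructed service/account names (assumptions, not from the issue):
let addStatus = addProtectedPassword(service: "com.example.app", account: "alice", password: "s3cret")
print("SecItemAdd:", addStatus)
switch readProtectedPassword(service: "com.example.app", account: "alice",
                             reason: "Unlock the stored password for alice") {
case .found(let secret): print("read", secret.count, "bytes after authentication")
case .notFound:          print("no matching item")
case .cancelled:         print("user cancelled the prompt")
case .failed(let s):     print("keychain error", s)
}
```

Two caveats a library author would want to know before exposing this option. First, the flags are enforced only for items in the data protection keychain, which is why `kSecUseDataProtectionKeychain` appears in both queries; that keychain is also what keeps other applications out, since items in it are visible only to apps in the same keychain access group, so an unsigned Node or Electron binary will not be able to create such items at all. Second, reading the item blocks on the system dialog and can return `errSecUserCanceled`, so a `getPassword(...)`-style API that today always returns a value or "not found" would need a third outcome for "the user declined".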
