User Profile

I'm developing an authorization plugin to provide 2 Factor Authentication (2FA) for macOS. When FileVault is enabled, macOS Recovery prompts the user for a password to unlock FileVault FDE (Full Disk Encryption) before macOS can startup. The FDE password entered during Recovery is saved somehow so that after macOS starts up it can be used to log the user in without prompting them to re-enter their password. This feature is configurable with setting 'DisableFDEAutoLogin'. We would like our authorization plugin to implement the same behavior. The first place I thought to look for the FDE password (from within our authorization mechanism) is in Context value kAuthorizationEnvironmentPassword but it's not there. Is it possible for an authorization plugin to obtain this password the same as the standard login mechanism and if so how?

I'm the developer of a Mac app that uses an authorization plugin to perform 2FA (password and approve in mobile app). There are four authorization use cases which we handle by updating the corresponding entries in the authorization database. The plugin is installed in the authorization database as follows: system.login.console -> login Replace: loginwindow:login With: TrusonaAuthorizationPlugin:trusonaLogin authenticate -> privilege escalation Replace: builtin:authenticate With: TrusonaAuthorizationPlugin:trusonaLogin system.login.screensaver -> lock screen Replace: use-login-window-ui With: authenticate-session-owner-or-admin system.login.fus -> fast user switching Replace: loginwindow:login With: TrusonaAuthorizationPlugin:trusonaLogin Im macOS Sonoma 14.0 attempting to unlock the screen invokes the Privilege Escalation mechanism regardless of whether the "system.login.screensaver" record in the authorization database points to our authorization plugin or not. When our authorization plugin is enabled for Lock Screen, clicking on the Lock Screen item in the Apple Menu invokes our authorization plugin for 2FA saying you need to authenticate to unlock the screen even though the desktop is not hidden. Filed as FB13238136

The user interface for Fast User Switching on macOS Ventura appears to have changed and our authorization plugin is not being invoked. Previously FUS (system.login.fus in auth.db) would show our authorization plugin dialog with a “Switch User” button in the surrounding SFAuthorizationPluginView. In Ventura it first shows the login screen with the row of user avatars and then an animation appears as if the corresponding user from the FUS menu has been selected with a password input field. It looks like a normal login but it doesn’t invoke our authorization plugin like logging out and logging back in does. The other use cases for our authorization plugin continue to work as expected in macOS Ventura: system.login.console system.login.screensaver authenticate Is there a work around we can use? I submitted feedback using Apple's Feedback Assistant (FB11705643) a week ago but have yet to receive any response. I believe this is a security issue Apple may want to fix in a software update.

We are seeing a difference in WebAuthn behavior between Safari desktop and mobile in iOS 15.5. If a user logs out of our site but keeps the session alive by having Safari remain open, upon logging in they are unable to re-authenticate using WebAuthn in iOS 15.5 The error we're seeing is: "User gesture is not detected. To use the WebAuthn API, call 'navigator.credentials.create' or 'navigator.credentials.get' within user activated events." Observations: This works in Safari desktop. It worked in Safari iOS prior to iOS 15.5 Reloading the page in iOS 15.5 allows it to work normally. Something about the JavaScript environment seems to prevent WebAuthn re-authentication without reloading the page. Why is the behavior different between desktop, iOS 15.5, and previous versions of iOS? Any insight or suggested work-around would be appreciated. What are we missing?