I'm the developer of a Mac app that uses an authorization plugin to perform 2FA (password and approve in mobile app). There are four authorization use cases which we handle by updating the corresponding entries in the authorization database. The plugin is installed in the authorization database as follows:
system.login.console -> login
    Replace: loginwindow:login
    With:    TrusonaAuthorizationPlugin:trusonaLogin
authenticate -> privilege escalation
    Replace: builtin:authenticate
    With:    TrusonaAuthorizationPlugin:trusonaLogin
system.login.screensaver -> lock screen
    Replace: use-login-window-ui
    With:    authenticate-session-owner-or-admin
system.login.fus -> fast user switching
    Replace: loginwindow:login
    With:    TrusonaAuthorizationPlugin:trusonaLogin
In macOS Sonoma 14.0, attempting to unlock the screen invokes the Privilege Escalation mechanism regardless of whether the "system.login.screensaver" record in the authorization database points to our authorization plugin or not.
When our authorization plugin is enabled for Lock Screen, clicking on the Lock Screen item in the Apple Menu invokes our authorization plugin for 2FA saying you need to authenticate to unlock the screen even though the desktop is not hidden.
Filed as FB13238136
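The four right edits listed in the post, and an audit of which rights end up pointing at the plugin, as an added Python example that is not code from the original post or from the Trusona product. It works on the XML plist that `security authorizationdb read <right>` prints (and that `security authorizationdb write <right>` accepts on stdin, as root). The sample rights embedded below are constructed and only approximate the real defaults; the assumption that the entries to swap live in a string array under either the `mechanisms` key (evaluate-mechanisms rights) or the `rule` key (rule-class rights such as system.login.screensaver) is mine.

```python
import plistlib

PLUGIN_MECHANISM = "TrusonaAuthorizationPlugin:trusonaLogin"

# Replacement map taken from the post: right name -> (old entry, new entry).
# The screensaver entries are rule names; the other three are mechanism names.
REPLACEMENTS = {
    "system.login.console": ("loginwindow:login", PLUGIN_MECHANISM),
    "authenticate": ("builtin:authenticate", PLUGIN_MECHANISM),
    "system.login.screensaver": ("use-login-window-ui",
                                 "authenticate-session-owner-or-admin"),
    "system.login.fus": ("loginwindow:login", PLUGIN_MECHANISM),
}


def _right(fields):
    # Serialize to XML plist bytes, the form `security authorizationdb read` prints.
    return plistlib.dumps(fields)


# CONSTRUCTED sample database, simplified; read the live db for real values.
SAMPLE_DB = {
    "system.login.console": _right({
        "class": "evaluate-mechanisms",
        "mechanisms": ["builtin:policy-banner", "loginwindow:login",
                       "builtin:login-begin", "loginwindow:done"],
    }),
    "authenticate": _right({
        "class": "evaluate-mechanisms",
        "mechanisms": ["builtin:authenticate", "builtin:reset-password"],
    }),
    "system.login.screensaver": _right({
        "class": "rule",
        "rule": ["use-login-window-ui"],
    }),
    "system.login.fus": _right({
        "class": "evaluate-mechanisms",
        "mechanisms": ["builtin:smartcard-sniffer", "loginwindow:login",
                       "builtin:login-begin"],
    }),
}


def right_entries(plist_bytes):
    """Return the string entries of a right's 'mechanisms' or 'rule' array
    (assumption: these are the only arrays that name mechanisms/rules)."""
    right = plistlib.loads(plist_bytes)
    entries = []
    for key in ("mechanisms", "rule"):
        value = right.get(key)
        if isinstance(value, list):
            entries.extend(e for e in value if isinstance(e, str))
    return entries


def patch_right(plist_bytes, old, new):
    """Substitute `old` with `new` in the right's mechanism/rule arrays.

    Returns (patched plist bytes, changed flag). Every other key of the
    right (class, shared, tries, timeouts, ...) is passed through untouched,
    which is what you want when round-tripping through `security`.
    """
    right = plistlib.loads(plist_bytes)
    changed = False
    for key in ("mechanisms", "rule"):
        value = right.get(key)
        if isinstance(value, list):
            patched = [new if e == old else e for e in value]
            if patched != value:
                right[key] = patched
                changed = True
    return plistlib.dumps(right), changed


def apply_all(db, replacements=REPLACEMENTS):
    """Apply the replacement map to a {right name: plist bytes} mapping.

    Returns (new db, sorted names of rights that actually changed). Rights
    not in the map are copied as-is; re-running on the result is a no-op.
    """
    new_db = dict(db)
    changed_names = []
    for name, (old, new) in replacements.items():
        if name not in db:
            continue
        patched, changed = patch_right(db[name], old, new)
        new_db[name] = patched
        if changed:
            changed_names.append(name)
    return new_db, sorted(changed_names)


def rights_referencing(db, needle):
    """Sorted names of rights whose mechanism/rule arrays contain `needle`.

    Useful as an audit: which rights would hand control to a given plugin.
    """
    return sorted(name for name, data in db.items()
                  if needle in right_entries(data))


if __name__ == "__main__":
    patched_db, changed = apply_all(SAMPLE_DB)
    print("changed rights:", changed)
    print("rights using plugin:", rights_referencing(patched_db, PLUGIN_MECHANISM))
```

To use it against a real machine, feed `security authorizationdb read <right>` output into `patch_right` and pipe the returned bytes into `security authorizationdb write <right>`; `rights_referencing` over the same exported rights shows which of them actually route through the plugin, which is the first thing to check when a right such as system.login.screensaver seems to be ignored.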