I have a late 2014 Mac Mini running macOS Sierra 10.12.5. When I paired it with my Bluetooth keyboard, I was not prompted to enter a sequence of numbers.
How does macOS validate and secure connections between Bluetooth keyboards without prompting for a code? Does it just use trust-on-first-use? Is it possible to force macOS to use a pairing code?
Best Answer
TL;DR answers to questions
It's not just macOS - your keyboard is connected and encrypted at the firmware level - if it wasn't, you wouldn't be able to perform an NVRAM reset before the OS loads.
However, you don't need a code because modern Bluetooth keyboards use an authentication algorithm to pair and a generated authentication key based on public keys to secure the data transmissions.
No. It verifies its identity using an algorithm and 128-bit generated keys.
Why? This would be going back to pre-2009 pairing methodologies. This would be the equivalent of enabling WEP shared keys on modern WiFi networks.
Bluetooth Pairing
The process you described for pairing a Bluetooth device (a keyboard in your example) uses an old (Bluetooth 2.1) method of authentication called Simple Secure Pairing (SSP).
Basically, SSP has 4 association (pairing) models:
The most important thing to note is that SSP is NOT the encryption key; it's merely the pairing mechanism to identify each other. Encryption is handled through a public key. The code you enter is to make sure that's the device you want to connect to; it's not the security.
Since Bluetooth 3.0 (April 2009), Bluetooth devices use an AMP key for authentication, which automates the above process.
Encryption
There are 4 modes of encryption
Bluetooth keyboards using Bluetooth 2.1 (keyboards from 2009 and beyond) and up encrypt all their traffic.
SOURCE: SP 800-121 Rev. 2, Guide to Bluetooth Security (May 2017)
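The answer's point that the pairing code identifies the devices rather than encrypting anything can be shown with an added example (not part of the original answer). It derives a six-digit Numeric Comparison value the way the Bluetooth Core Specification's `g` function does: SHA-256 over both public-key x-coordinates and both nonces, reduced mod 2^32 and then mod 10^6. The key and nonce bytes are constructed stand-ins rather than a real P-192 exchange, and the helper names are hypothetical.

```python
import hashlib


def _stub(label: str, size: int) -> bytes:
    """Constructed stand-in bytes (not real P-192 coordinates or random nonces)."""
    return hashlib.sha256(label.encode()).digest()[:size]


def confirmation_code(pk_a_x: bytes, pk_b_x: bytes, nonce_a: bytes, nonce_b: bytes) -> str:
    """Six-digit value each side displays: g(PKax, PKbx, Na, Nb) mod 10^6."""
    digest = hashlib.sha256(pk_a_x + pk_b_x + nonce_a + nonce_b).digest()
    g = int.from_bytes(digest[-4:], "big")  # SHA-256 output mod 2^32
    return f"{g % 1_000_000:06d}"


def pairing_views(intercepted: bool) -> tuple[str, str]:
    """Return (code shown by host, code shown by keyboard) for one pairing attempt."""
    host_pk, kbd_pk = _stub("host-pk", 24), _stub("keyboard-pk", 24)
    host_n, kbd_n = _stub("host-nonce", 16), _stub("keyboard-nonce", 16)
    if not intercepted:
        # Both ends saw the same public keys and nonces, so the codes agree.
        host_code = confirmation_code(host_pk, kbd_pk, host_n, kbd_n)
        kbd_code = confirmation_code(host_pk, kbd_pk, host_n, kbd_n)
    else:
        # A relay in the middle substituted its own key and nonce, so each end
        # hashes different inputs and the displayed codes stop matching.
        mitm_pk, mitm_n = _stub("mitm-pk", 24), _stub("mitm-nonce", 16)
        host_code = confirmation_code(host_pk, mitm_pk, host_n, mitm_n)
        kbd_code = confirmation_code(mitm_pk, kbd_pk, mitm_n, kbd_n)
    return host_code, kbd_code


if __name__ == "__main__":
    for intercepted in (False, True):
        host_code, kbd_code = pairing_views(intercepted)
        verdict = "match" if host_code == kbd_code else "MISMATCH: reject pairing"
        print(f"intercepted={intercepted}: host={host_code} keyboard={kbd_code} -> {verdict}")
```

The code is a check on the key exchange, not key material: the link key comes from the exchanged public keys, and the digits only let a person confirm that both ends saw the same ones.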