I want a command to force password input after sleep or manual lock with ControlCommandQ in High Sierra, as opposed to allowing TouchID alone to unlock the laptop.
How?
Use case:
- You can be forced to supply your biometrics, but you can't be forced to supply your knowledge of a password, until mind-reading is a thing. Hence; when traveling, knowing that other people want to read/copy data contained on travelers' laptops, I want to secure my laptop by forcing authentication with username+password, as opposed to username+fingerprint.
Like for iOS 11 but for macOS.
Goal:
- Disable TouchID every time I want to force a password-based unlock, until the next time the laptop has been successfully unlocked.
Facts:
- I can lock the laptop and sign in with password if I click the avatar
- I can lock the laptop and unlock it with my fingerprint if I touch the Touch Id sensor.
- I have no way to force password on sign-in. That is what this question is about.
Discourse:
There are two concepts in play here. What principal is trying to log in and what credentials versus identification that principal supplies. The principal in the above use-case is always myself, but TouchId does away with the secret part of the credential, and makes it so that authentication is successful by merely supplying a username—the fingerprint. In the triad, "something you have, something you know, something you are", it has replaced the "something you know" with "something you are". In the above threat-model, it has lessened security, because "what you are" is never possible for you to withhold.
Furthermore; because fingerprints are available on your phone, on the surface of your laptop, on your wallet, etc, I don't even "have to be", for the laptop to open, because they can be stolen or faked.
They are a fairly strongly identifying (one to two in a hundred people could share the same hash of the fingerprint); but they are not strongly authenticating. I want strong authentication using a secret ("what I know"), to be possible. That is what I'm asking for.
I hope this removes any doubts about what this question is asking.
Notes:
You can't input commands after your computer is locked.
Sure I can; normally cabled ethernet is trusted: https://github.com/lgandx/Responder https://room362.com/post/2016/snagging-creds-from-locked-machines/ or a while back, now fixed: https://support.apple.com/en-us/HT207423
…if you could it would lessen security…
Not if the command can only strengthen security.
Besides, this is not what I'm asking about, I'm after a command for "strong lock machine", to enforce password-based authentication after sleep/lock/hibernate.
This is a duplicate post
No, it's not.
Typing is less secure since it can be observed and replicated
That is true for other threat modelling scenarios than I have as my use case. However, enabling 2FA (e.g. TouchId + password) for the laptop is a valid solution to this question, if it's possible.
Best Answer