atom/node-keytar

Enable macOS Passcode/Touch ID Access Control Flags

traviscollins opened this issue · 2 comments

Summary

Enable, by default or optionally, on macOS the access control flags that require authentication with a passcode or Touch ID to access keys created by this library.

Motivation

macOS and iOS users are trained to the idea that password access requires unlocking the keychain via a passcode or Touch ID. It seems very odd to be able to instantly access passwords without this behavior on macOS. This library currently provides no interface to enable these access control features.

Enabling this feature also ensures that other applications cannot access the secrets, at least not without the user consenting to them doing so.

Describe alternatives you've considered

This same effect can be simulated using a separate library only for Touch ID validation before accessing the keychain, but that's window dressing compared to actually requiring authentication to access the secrets in the macOS keychain.

Additional context

I believe this is the method that sets the access control flags for newly created keychain items.

https://developer.apple.com/documentation/security/1394452-secaccesscontrolcreatewithflags

I have tested this by manually changing the access control options in the keychain, and the getPassword(...) feature in this library works well with the various options enabled.

@traviscollins Is this issue about allowing the option to use Touch ID to authorize Keychain access? Normally you have to enter your password to do that, and that can get tedious.

macOS has the SecAccessControlCreateFlags type that allows you to define simple or complex combinations of authentication to access passwords in the keychain. This library should allow the developer to at least set the "require password or Touch ID" configuration. That would allow apps that use this package to present macOS users with a familiar and more secure experience.
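The flags discussed in the issue body and in the reply above, shown as an added example that is not keytar's own code: a small Objective-C program that creates a generic-password item whose SecAccessControl requires user presence (Touch ID, with the login password as fallback) and then reads it back, which makes the system show its authentication dialog. The service and account names and the sample secret are invented for illustration. Two caveats a practitioner will hit: on macOS, kSecAttrAccessControl is only honoured for items in the data-protection keychain (kSecUseDataProtectionKeychain, macOS 10.15+), not the legacy file-based login keychain, so the example opts into it; and the data-protection keychain requires the binary to be code-signed with an application identifier, so an unsigned build typically fails with errSecMissingEntitlement (-34018).

```objective-c
// keychain_acl.m: added example, not part of keytar.
// Build (macOS 10.15+, then code-sign the binary before running):
//   clang -fobjc-arc -framework Foundation -framework Security keychain_acl.m -o keychain_acl
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Assumed names, for illustration only.
static NSString *const kDemoService = @"com.example.keytar-acl-demo";
static NSString *const kDemoAccount = @"alice";

// Turn an OSStatus into a readable string for logging.
static NSString *StatusString(OSStatus status) {
    CFStringRef msg = SecCopyErrorMessageString(status, NULL);
    NSString *s = msg ? [NSString stringWithFormat:@"%@ (%d)", (__bridge NSString *)msg, (int)status]
                      : [NSString stringWithFormat:@"OSStatus %d", (int)status];
    if (msg) CFRelease(msg);
    return s;
}

// Attributes shared by add, query and delete so they all address the same item.
static NSMutableDictionary *BaseAttributes(void) {
    return [@{
        (id)kSecClass: (id)kSecClassGenericPassword,
        (id)kSecAttrService: kDemoService,
        (id)kSecAttrAccount: kDemoAccount,
        // On macOS, SecAccessControl is only honoured by the data-protection keychain.
        (id)kSecUseDataProtectionKeychain: @YES,
    } mutableCopy];
}

// Store `secret` so that every read requires Touch ID or the login password.
// The item is usable only while the Mac is unlocked and is never migrated
// to another machine.
static OSStatus StoreSecret(NSData *secret) {
    CFErrorRef error = NULL;
    SecAccessControlRef acl = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        kSecAccessControlUserPresence,   // biometry or passcode, any one of them
        &error);
    if (!acl) {
        NSLog(@"SecAccessControlCreateWithFlags failed: %@", (__bridge NSError *)error);
        if (error) CFRelease(error);
        return errSecParam;
    }

    NSMutableDictionary *attrs = BaseAttributes();
    attrs[(id)kSecValueData] = secret;
    attrs[(id)kSecAttrAccessControl] = (__bridge id)acl;

    OSStatus status = SecItemAdd((__bridge CFDictionaryRef)attrs, NULL);
    if (status == errSecDuplicateItem) {
        // Re-create the item so the new access control applies to it.
        SecItemDelete((__bridge CFDictionaryRef)BaseAttributes());
        status = SecItemAdd((__bridge CFDictionaryRef)attrs, NULL);
    }
    CFRelease(acl);
    return status;
}

// Read the secret back. The system shows the Touch ID / password dialog on
// its own; kSecUseOperationPrompt supplies the reason text shown in it.
static NSData *ReadSecret(OSStatus *statusOut) {
    NSMutableDictionary *query = BaseAttributes();
    query[(id)kSecReturnData] = @YES;
    query[(id)kSecMatchLimit] = (id)kSecMatchLimitOne;
    query[(id)kSecUseOperationPrompt] = @"Unlock the demo credential";

    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (statusOut) *statusOut = status;
    if (status != errSecSuccess) return nil;
    return (__bridge_transfer NSData *)result;
}

int main(void) {
    @autoreleasepool {
        // Constructed sample secret.
        NSData *secret = [@"hunter2" dataUsingEncoding:NSUTF8StringEncoding];
        OSStatus st = StoreSecret(secret);
        if (st == errSecMissingEntitlement) {
            NSLog(@"store failed: binary is not signed for the data-protection keychain");
            return 1;
        } else if (st != errSecSuccess) {
            NSLog(@"store failed: %@", StatusString(st));
            return 1;
        }

        NSData *back = ReadSecret(&st);
        if (back) {
            NSLog(@"read back: %@", [[NSString alloc] initWithData:back encoding:NSUTF8StringEncoding]);
        } else if (st == errSecUserCanceled) {
            NSLog(@"user cancelled the authentication dialog");
        } else if (st == errSecAuthFailed) {
            NSLog(@"authentication failed");
        } else {
            NSLog(@"read failed: %@", StatusString(st));
        }

        // Remove the demo item again.
        SecItemDelete((__bridge CFDictionaryRef)BaseAttributes());
        return back ? 0 : 1;
    }
}
```

The read path is where the design choice shows: because the authentication requirement is attached to the item itself, any process that can query the keychain still has to get the user through the dialog before SecItemCopyMatching returns the data, which is the difference from a Touch ID check bolted on in front of an unprotected item. A cancelled dialog surfaces as errSecUserCanceled rather than as a missing item, so a caller has to distinguish the two instead of treating every non-success status as "no password stored".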