Support TouchID

[ejholmes]

Recent versions of Macbooks include the touch bar, which has TouchID + Secure Enclave. It would be nice if aws-vault supported using biometrics through TouchID, instead of passwords when accessing the keychain.

I believe this would depend on support within keybase/go-keychain first.

[FernandoMiguel]

+1

[lox]

Kind of like #131 and https://github.com/lox/go-touchid?

[lox]

The go-keychain folks weren't keen on it keybase/go-keychain#11

[lox]

I actually had #131 in a usable state for quite some time, wouldn't be hard to resurrect, would love some feedback on it.

[ejholmes]

That seems pretty close to what I'd want for this. This is my own lack of experience with OSX/iOS API's, but it seems like the implementation in #131 doesn't actually tie access to the keychain item to biometrics; the biometrics check is done in Go, rather than setting the access control settings on the keychain item. Would it be better to do something like what's mentioned in https://developer.apple.com/documentation/localauthentication/accessing_keychain_items_with_face_id_or_touch_id?language=objc, so that biometrics are checked by the keychain API's?

[lox]

Neat, I dimmly recall that I couldn't make that work when I tried a year or so ago, but agree that is a much better way to do it if viable. Will give it a go.

[lox]

I had a go at it. The issue is that go-keychain is using the old Access API's, and the TouchID stuff lives in the new AccessControl API's. I think it's beyond my Objective-C abilities to reconcile the two in a way that can be upstreamed. If someone with some Objective-C skills wanted to advise, I'll help with the golang side of things.

[ejholmes]

Farther than I got! Thanks for trying.

[eni9889]

Any interest in reviving this? I'd be willing to help with obj-c/cpp side of things.

[StevenACoffman]

@eni9889 Check out https://github.com/lox/go-touchid and see if you can make any headway on that side. The golang side we got.

[lox]

I would LOVE help on this, if someone with obj-c skills wanted to help I'd be super responsive on getting it merged.

[rafilkmp3]

+1

[lox]

+1's won't help, need someone with some objective-c skills I'm afraid.

[geoffreywiseman]

What needs help on go-touchid? I know you said Obj-C skills, but ... more details would be useful. It's been a while since I last touched Obj-C, but I'm curious at least. I poked around on the project briefly but I didn't see any issues filed describing where the hangups are.

[nickatsegment]

@lox I'm interesting in getting this in aws-okta and I might have an Objective C buddy we can lean on. Can we see the code you wrote as far as you got?

Also, I opened this keybase/go-keychain#61

[jdolitsky]

Hello, the code found here may be useful: https://github.com/infinum/Locker

Features

• Save data in Keychain.
• Fetch data from Keychain with Biometric ID.
• Delete data from Keychain.

[FernandoMiguel]

i'm curious to know if there was any progress on this, so we can unlock the keychain with touchid instead password

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[moltar]

Not stale

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[edsrzf]

I'm still very interested in seeing this happen.

[mtibben]

No +1s please. PRs welcome

[christophetd]

Seems what's challenging is that:

• aws-vault depends on github.com/99designs/keyring to access the OS keyring in an OS-independent way
• github.com/99designs/keyring depends on github.com/99designs/go-keychain to access the Mac OS keychain
• github.com/99designs/go-keychain is itself a fork of github.com/keybase/go-keychain
• the Keybase folks have an issue open (TouchID access control? keybase/go-keychain#61), but in the past also considered it and implemented it as a separate package (go-touchid) which isn't applicable to what we want to achieve here

So it seems there are two options:

1. Implement this feature in github.com/99designs/go-keychain, but have it diverge from upstream
2. Talk with Keybase folks and implement this feature in github.com/keybase/go-keychain

In any case, it does require some Go/Objective-C bindings (probably in keychain.go) to allow specifying a non-default LAContext, through the kSecUseAuthenticationContext when calling SecAddItem

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[christophetd]

Not stale

[danielnbalasoiu]

Not stale. Hoping for this feature to be implemented.

[kennethwkz-mm]

Not stale

[Sophie1142]

Would also want this feature to be available!

[alexw23]

In all seriousness, this is the most commented issue (https://github.com/99designs/aws-vault/issues?q=is%3Aissue+is%3Aopen+sort%3Acomments-desc). It's a pity there doesn't appear to be an easy way forward right now.

[rosspatil]

+1

[pwagland]

So it seems there are two options:

1. Implement this feature in github.com/99designs/go-keychain, but have it diverge from upstream
2. Talk with Keybase folks and implement this feature in github.com/keybase/go-keychain

In any case, it does require some Go/Objective-C bindings (probably in keychain.go) to allow specifying a non-default LAContext, through the kSecUseAuthenticationContext when calling SecAddItem

What would be required to make this work? Is there an accepted way forward? What conditions would a PR need to meet to be accepted?

[alexw23]

Spent some time today looking into this and have nearly got a working prototype. For the most part read/write to keychain on the go-keychain level.

The main issue is it can't be shipped as a single binary, it needs to be a seperate Mac App (i.e. AWS Vault.app). This is due to the fact that a standalone binary cannot access restricted entitlements, as explained in this article. We require access to com.apple.security.generic-keychain-access.

Need have a think about how this would work being an open source project and whether 99designs would take control of this, or whether it needs to be a fork.

It's also harder to develop as you need to go build/codesign each time you make a change. Otherwise you can't access the keychain.

But overall good news will provide some further updates/code soon.

[alexw23]

Update: managed to get a working E2E. It has required a large refactor of 99designs/keyring more than anything. In order to access the keychain using biometrics you can't use the named keychain anymore (i.e. aws-vault.keychain-db).

This comes at a cost of not being able to set a period of time to keep the keychain unlocked. Although it could be done if aws-vault had a background service/daemon however that's another story right now.

Each exec command will prompt touchID but it's super quick, so I don't see the issue personally. Compare this to having to enter a password every 15 mins I'd happily take the re-prompts.

Will get the code up in a week (or so). Ideally as an alpha demo version to gain feedback. You would need an Apple Developer ID to test it locally at the moment.

Here's a quick demo:

AWS-Vault-TouchID-Demo.mov

[alexw23]

What a week 😅 I've been hoping for Touch ID support for many years now in aws-vault and I honestly thought it this was impossible to do. But now, in just a few days I've got a PR up 🎉

• (Touch ID support on macOS (Data Protection Keychain) #1243)

If anyone wants to try it out would love to hear your feedback!