by Terr_ 67 days ago
At that point what you need is true multi-factor. For example, both fingerprint and per-device PIN.

Regrettably, that's not often offered as a feature, even when the infrastructure is already there.


Notably macOS cannot do this
Careful with absolutist statements :)

macOS can in fact be configured to use a third-party IdP, including interactive elements, on loginwindow.

So, you could build your own through the ExtensibleSingleSignOn and Extensible Enterprise SSO macOS plugin API. You would do Touch ID, and then have it pop your own custom window/app, providing a prompt through that API, except it's just a hardcoded value (or some shit idk)

https://youtu.be/ph37Yd1vV-c

So yes, macOS can in fact do that. Just not out of the box. I strongly believe that it is a glaring omission, or at least something they should gate through lockdown mode. idk!

If you create a PIV certificate on a YubiKey and just plug it in while logged in, it automatically registers it as a login method.
Yeah but then it will only use the certificate on the YubiKey and not ask for a password, so we’re back to 1FA.
It's 2FA because you need the pin for the Yubikey as well.