Support TouchID #273

Open
ejholmes opened this issue Aug 4, 2018 · 43 comments
@ejholmes

ejholmes commented Aug 4, 2018

Recent versions of MacBooks include the touch bar, which has TouchID + Secure Enclave. It would be nice if aws-vault supported using biometrics through TouchID, instead of passwords when accessing the keychain.

I believe this would depend on support within keybase/go-keychain first.

@FernandoMiguel
Collaborator

+1

@lox
Collaborator

lox commented Aug 6, 2018

Kind of like #131 and https://github.com/lox/go-touchid?

@lox
Collaborator

lox commented Aug 6, 2018

The go-keychain folks weren't keen on it keybase/go-keychain#11

@lox
Collaborator

lox commented Aug 6, 2018

I actually had #131 in a usable state for quite some time, wouldn't be hard to resurrect, would love some feedback on it.

@ejholmes
Author

ejholmes commented Aug 6, 2018

That seems pretty close to what I'd want for this. This is my own lack of experience with OSX/iOS APIs, but it seems like the implementation in #131 doesn't actually tie access to the keychain item to biometrics; the biometrics check is done in Go, rather than setting the access control settings on the keychain item. Would it be better to do something like what's mentioned in https://developer.apple.com/documentation/localauthentication/accessing_keychain_items_with_face_id_or_touch_id?language=objc, so that biometrics are checked by the keychain APIs?

@lox
Collaborator

lox commented Aug 6, 2018

Neat, I dimly recall that I couldn't make that work when I tried a year or so ago, but agree that is a much better way to do it if viable. Will give it a go.

@lox
Collaborator

lox commented Aug 7, 2018

I had a go at it. The issue is that go-keychain is using the old Access APIs, and the TouchID stuff lives in the new AccessControl APIs. I think it's beyond my Objective-C abilities to reconcile the two in a way that can be upstreamed. If someone with some Objective-C skills wanted to advise, I'll help with the golang side of things.

@ejholmes
Author

ejholmes commented Aug 9, 2018

Farther than I got! Thanks for trying.

@eni9889

eni9889 commented Oct 12, 2018

Any interest in reviving this? I'd be willing to help with obj-c/cpp side of things.

@StevenACoffman
Contributor

@eni9889 Check out https://github.com/lox/go-touchid and see if you can make any headway on that side. The golang side we got.

@lox
Collaborator

lox commented Jan 23, 2019

I would LOVE help on this, if someone with obj-c skills wanted to help I'd be super responsive on getting it merged.

@rafilkmp3

+1

@lox
Collaborator

lox commented Jul 15, 2019

+1's won't help, need someone with some objective-c skills I'm afraid.

@geoffreywiseman

geoffreywiseman commented Dec 16, 2019

What needs help on go-touchid? I know you said Obj-C skills, but ... more details would be useful. It's been a while since I last touched Obj-C, but I'm curious at least. I poked around on the project briefly but I didn't see any issues filed describing where the hangups are.

@nickatsegment

@lox I'm interested in getting this in aws-okta and I might have an Objective C buddy we can lean on. Can we see the code you wrote as far as you got?

Also, I opened this keybase/go-keychain#61

@jdolitsky

Hello, the code found here may be useful: https://github.com/infinum/Locker

Features

  • Save data in Keychain.
  • Fetch data from Keychain with Biometric ID.
  • Delete data from Keychain.

@mtibben mtibben added the feature label May 3, 2020
@FernandoMiguel
Collaborator

I'm curious to know if there was any progress on this, so we can unlock the keychain with TouchID instead of a password.

@stale

stale bot commented Dec 4, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Dec 4, 2020
@moltar

moltar commented Dec 5, 2020

Not stale

@stale stale bot removed the stale label Dec 5, 2020
@stale

stale bot commented Jun 3, 2021

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Jun 3, 2021
@edsrzf

edsrzf commented Jun 3, 2021

I'm still very interested in seeing this happen.

@stale stale bot removed the stale label Jun 3, 2021
@mtibben
Member

mtibben commented Jul 15, 2021

No +1s please. PRs welcome

@christophetd
Contributor

Seems what's challenging is that:

  • aws-vault depends on github.com/99designs/keyring to access the OS keyring in an OS-independent way
  • github.com/99designs/keyring depends on github.com/99designs/go-keychain to access the Mac OS keychain
  • github.com/99designs/go-keychain is itself a fork of github.com/keybase/go-keychain
  • the Keybase folks have an issue open (TouchID access control? keybase/go-keychain#61), but in the past also considered it and implemented it as a separate package (go-touchid) which isn't applicable to what we want to achieve here

So it seems there are two options:

  1. Implement this feature in github.com/99designs/go-keychain, but have it diverge from upstream
  2. Talk with Keybase folks and implement this feature in github.com/keybase/go-keychain

In any case, it does require some Go/Objective-C bindings (probably in keychain.go) to allow specifying a non-default LAContext, through the kSecUseAuthenticationContext when calling SecAddItem
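For anyone picking this up: here is what the two approaches described in this thread look like at the Security.framework level, i.e. ejholmes's point that the keychain item itself should carry a biometric access control (rather than a Go-side check), and christophetd's point that reads need an LAContext passed through kSecUseAuthenticationContext. This is an added Objective-C example, not code from aws-vault, go-keychain or anyone in this thread; the service/account names and the secret are made up, and it assumes a code-signed macOS binary (macOS 10.15+) that is permitted to use the data protection keychain.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <LocalAuthentication/LocalAuthentication.h>

// Constructed names for this example only; aws-vault's real service/account
// naming is not assumed here.
static NSString *const kDemoService = @"aws-vault-touchid-example";
static NSString *const kDemoAccount = @"example-profile";

// Store `secret` as a generic-password item whose ACL the keychain itself
// enforces: the item can only be read after a successful Touch ID match
// against the *currently enrolled* biometric set. Adding or removing a
// fingerprint invalidates the item. There is no Go-side "did biometrics
// pass?" boolean that a caller could skip.
OSStatus StoreBiometricSecret(NSString *service, NSString *account, NSData *secret) {
    CFErrorRef aclError = NULL;
    SecAccessControlRef acl = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, // never migrates; requires a passcode
        kSecAccessControlBiometryCurrentSet,
        &aclError);
    if (acl == NULL) {
        NSLog(@"SecAccessControlCreateWithFlags failed: %@", aclError);
        if (aclError) CFRelease(aclError);
        return errSecParam;
    }

    NSDictionary *attrs = @{
        (__bridge id)kSecClass:             (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService:       service,
        (__bridge id)kSecAttrAccount:       account,
        (__bridge id)kSecValueData:         secret,
        (__bridge id)kSecAttrAccessControl: (__bridge id)acl,
        // Access-control items live in the data protection keychain
        // (macOS 10.15+), not in a legacy file-based keychain such as
        // aws-vault.keychain-db.
        (__bridge id)kSecUseDataProtectionKeychain: @YES,
    };
    OSStatus status = SecItemAdd((__bridge CFDictionaryRef)attrs, NULL);
    CFRelease(acl);
    return status;
}

// Read the item back. The LAContext passed via kSecUseAuthenticationContext
// is what triggers the Touch ID prompt; `localizedReason` is the text shown
// in the dialog. Biometrics are evaluated by the keychain, not by this code.
NSData *ReadBiometricSecret(NSString *service, NSString *account,
                            NSString *reason, OSStatus *outStatus) {
    LAContext *ctx = [[LAContext alloc] init];
    ctx.localizedReason = reason;

    NSDictionary *query = @{
        (__bridge id)kSecClass:                     (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService:               service,
        (__bridge id)kSecAttrAccount:               account,
        (__bridge id)kSecReturnData:                @YES,
        (__bridge id)kSecMatchLimit:                (__bridge id)kSecMatchLimitOne,
        (__bridge id)kSecUseDataProtectionKeychain: @YES,
        (__bridge id)kSecUseAuthenticationContext:  ctx,
    };
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (outStatus) *outStatus = status;
    if (status != errSecSuccess) {
        // Typical failures: errSecUserCanceled (-128), errSecAuthFailed (-25293),
        // errSecItemNotFound (-25300), errSecMissingEntitlement (-34018) when
        // the binary is not signed/entitled for the data protection keychain.
        return nil;
    }
    return (__bridge_transfer NSData *)result;
}

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        // Constructed secret; never a real credential.
        NSData *secret = [@"constructed-example-secret" dataUsingEncoding:NSUTF8StringEncoding];
        OSStatus s = StoreBiometricSecret(kDemoService, kDemoAccount, secret);
        if (s != errSecSuccess && s != errSecDuplicateItem) {
            NSLog(@"SecItemAdd failed: %d", (int)s);
            return 1;
        }
        OSStatus r = errSecSuccess;
        NSData *out = ReadBiometricSecret(kDemoService, kDemoAccount,
                                          @"unlock the example credential", &r);
        if (out == nil) {
            NSLog(@"SecItemCopyMatching failed: %d", (int)r);
            return 1;
        }
        NSLog(@"read %lu bytes after Touch ID", (unsigned long)out.length);
        return 0;
    }
}
```

Build with `clang -fobjc-arc -framework Foundation -framework Security -framework LocalAuthentication touchid_item.m -o touchid_item`, then codesign the binary before running it; as reported later in this thread, an unsigned binary cannot use these keychain features. Two design notes: `kSecAccessControlBiometryCurrentSet` is deliberately stricter than `kSecAccessControlBiometryAny` (an attacker who enrolls a new fingerprint does not gain access to existing items), and because every `SecItemCopyMatching` on such an item goes through the ACL, there is no unlock-timeout to configure, which is the trade-off described further down for each `exec` prompting Touch ID.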

@stale

stale bot commented Sep 21, 2022

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Sep 21, 2022
@christophetd
Contributor

Not stale

@danielnbalasoiu

Not stale. Hoping for this feature to be implemented.

@stale stale bot removed the stale label Feb 1, 2023
@kennethwkz-mm

Not stale

@Sophie1142

Would also want this feature to be available!

@alexw23

alexw23 commented May 29, 2023

In all seriousness, this is the most commented issue (https://github.com/99designs/aws-vault/issues?q=is%3Aissue+is%3Aopen+sort%3Acomments-desc). It's a pity there doesn't appear to be an easy way forward right now.

@rosspatil

+1

@pwagland

So it seems there are two options:

  1. Implement this feature in github.com/99designs/go-keychain, but have it diverge from upstream
  2. Talk with Keybase folks and implement this feature in github.com/keybase/go-keychain

In any case, it does require some Go/Objective-C bindings (probably in keychain.go) to allow specifying a non-default LAContext, through the kSecUseAuthenticationContext when calling SecAddItem

What would be required to make this work? Is there an accepted way forward? What conditions would a PR need to meet to be accepted?

@alexw23

alexw23 commented May 6, 2024

Spent some time today looking into this and have nearly got a working prototype. For the most part read/write to keychain on the go-keychain level.

The main issue is it can't be shipped as a single binary, it needs to be a separate Mac App (i.e. AWS Vault.app). This is due to the fact that a standalone binary cannot access restricted entitlements, as explained in this article. We require access to com.apple.security.generic-keychain-access.

Need to have a think about how this would work being an open source project and whether 99designs would take control of this, or whether it needs to be a fork.

It's also harder to develop as you need to go build/codesign each time you make a change. Otherwise you can't access the keychain.

But overall good news will provide some further updates/code soon.

@alexw23

alexw23 commented May 6, 2024

Update: managed to get a working E2E. It has required a large refactor of 99designs/keyring more than anything. In order to access the keychain using biometrics you can't use the named keychain anymore (i.e. aws-vault.keychain-db).

This comes at a cost of not being able to set a period of time to keep the keychain unlocked. It could be done if aws-vault had a background service/daemon; however, that's another story right now.

Each exec command will prompt touchID but it's super quick, so I don't see the issue personally. Compare this to having to enter a password every 15 mins I'd happily take the re-prompts.

Will get the code up in a week (or so). Ideally as an alpha demo version to gain feedback. You would need an Apple Developer ID to test it locally at the moment.

Here's a quick demo:

AWS-Vault-TouchID-Demo.mov

@alexw23

alexw23 commented May 7, 2024

What a week 😅 I've been hoping for Touch ID support for many years now in aws-vault and I honestly thought this was impossible to do. But now, in just a few days I've got a PR up 🎉

If anyone wants to try it out would love to hear your feedback!

@alexw23

alexw23 commented Jul 7, 2024

Have been using this now for over two months without any issues, so much happier not having to enter password a few times a day.

Would be great to hear if others have also been using it and if there's any feedback?

@christophetd
Contributor

I'm eager to test it, is there any way to build it locally that doesn't require setting up a full development environment? (and doesn't require pulling unofficial pre-built binaries)

@alexw23

alexw23 commented Jul 9, 2024

@christophetd unfortunately not. The package needs to be signed using an Apple Developer licence in order to use the features of the secure enclave.

I tried to reach out to @mtibben and never heard back so it's safe to say this package has been mostly abandoned other than a few minor fixes here and there, so on that note I highly doubt this will ever be merged in.

@luqasz

luqasz commented Aug 14, 2024

There is a working pinentry with touchid https://github.com/jorgelbg/pinentry-touchid.

@alexw23

alexw23 commented Aug 20, 2024

@luqasz interesting, although doesn't seem like it's an active project. Doesn't use the Secure Enclave either.

@luqasz

luqasz commented Aug 20, 2024

Just out of curiosity. What is secure enclave ?

@alexw23

alexw23 commented Aug 20, 2024

@luqasz, you can read more about it here and here. Essentially, the Secure Enclave is a dedicated, secure subsystem designed to store sensitive credentials.
