Can you get TouchID to register multiple fingers and script the actions; maybe your middle finger unlocks touchID, but your index finger disables touchID until you enter your password.
The iOS equivalent is to hold the side + volume button until the power slider shows up. Cancel out of it and the next unlock will require your passcode. Pressing the side button 5x triggers Emergency SOS which does the same thing. Been there forever but barely anyone knows about it.
I remember way back in the day, there was some question as to the legality of compelled unlocking of devices; IIRC, it’s been deemed legal to compel a fingerprint, but illegal (under the first amendment?) to compel entry of a password—IIRC, as long as that password hasn’t been written down anywhere.
I gather this is written to that end primarily? Or is there some other goal as well?
I wrote this after the case in which a Washington Post reporter, Hannah Natanson, was compelled to unlock her computer with her fingerprint. This resulted in access to her Desktop Signal on her computer, revealing sources and their conversations.
There's also the issue that the device is covered in fingerprints, and if you can build a clean image of the print, you can likely manufacture a gelatin copy of that fingerprint that will work on most fingerprint scanners.
I can't speak to the current generation of Apple fingerprint scanners, but historically iirc you can grab a print, clean it up in Photoshop, print it on OHP transparency using a laser printer and use it like a mould to copy a fingerprint.
This is great. I see many times "security advice" against biometrics replacing password unlock, but most of the time I am more worried about getting recorded by somebody/something while typing a password in the open than anything else. This makes it better for those other cases.
An opportune time to mention the real-world example of when the authorities really wanted to gain full access to a computer but did not want to resort to legal compulsion or "rubber-hose cryptanalysis" -- they simply waited until the target was logged in, staged an altercation in the immediate vicinity, and then snatched the open laptop away from them.
This would be perfect if it could monitor the force with which the lid is closed (macs have accelerometers after all, either this info or an acceptable proxy could be derived?).
Gently close? no action.
Stronger, faster action? Disable touch ID
Slam shut in full panic? yeah disable all biometrics, lose all state, even wipe the ram and the filevault key if it's an option
> in sensitive situations, law enforcement and border agents in many countries can compel a biometric unlock in ways they cannot with a password.
If the threat model includes state-level actors, then disabling biometrics won't prevent data from being retrieved from physical memory. It would probably be wiser to enable disk encryption and have a panic button that powers down/hibernates the computer so that no unencrypted data remains on RAM.
The website says shutdown "takes time" and "kills your session" but a hibernation button would take effect just as fast and would preserve the session.
PSA to iOS users: if you tap the lock button 5x it forces password-only unlocking. Useful at protests or any precarious situations with law enforcement.
How beneficial is this versus just being theater? The example used in this is the government accessing the reporter's laptop via biometrics.
But in this case, and especially under this admin, legal or not, this app won't stop them, unless I'm misunderstanding the macOS security model. Even with FDE enabled, sending it to the lock screen with biometrics disabled will not do anything to stop them from being able to access the contents of the hard drive via forensic methods with relative ease.
I think that at best this will only stop the casual person (i.e. a family member or roommate/random snooper)? In which case there would be no point to switch away from biometrics.
You're far better off just keeping more private information on the iPhone and isolating that data from a Mac, since that has far more resistance to intrusion in AFU mode than a Mac.
I'm surprised Apple doesn't offer an option. On the iPhone you could do this by pressing the power button several times. Not sure if this still works because the iPhone 6 was my last one though.
If this were a concern for me the better choice is shutting down the laptop to encrypt the drive and disable biometrics. This does nothing since the drive is still unencrypted.
It’s easy enough to just configure TouchID so that it doesn’t work to log into your computer. It’s only used for authorization to do certain operations (like ApplePay), once you have logged on with a password.
I do this on all my devices. And I don’t use FaceID for anything at all. Which makes modern iPhones a bit of a pain, but I do it anyway.
There should just be a way to set up an alternate dummy account based on the finger you use. This gives the illusion of compliance but your real data is safe.
What's the timing like between the lid sensor firing and sleep actually kicking in on Apple Silicon? I ship a couple menu bar apps on M2 and listening for NSWorkspaceWillSleepNotification feels like you get maybe 200ms before the system is gone. If disabling TouchID requires a round trip to the secure enclave in that window that seems like it'd be a race.
This makes me wonder how I can do the reverse — I'd like to always use touch ID and never ever be asked for password except when it's technically necessary, e.g. after a reboot. In effect, I'd like to completely remove this time component from biometric authentication.
I think the thing that really surprises me is that Washington Post reporters are using Apple products and not just a Linux distribution. They are professionals. At some point, Apple can be compelled to work against you, but Linux is just a product off the shelf.
I would love to have a mode that I must use my long password to unlock my mac for security purposes. But when unlocked, use touchid as an alternative to my password for convenience.
So just the normal TouchID mode but not for unlocking the mac.
IANAL, but if the authorities had captured your device with touchID enabled and legally asked you to use it to log in and you do an action that would disable touchID, then that would be "obstruction".
> No command injection — Timeout parameter is a Swift Int, not a string
Please don't use slop machines to write READMEs. If you're launching bioutil as a subprocess, you're passing the timeout as a string. In your code, you read the timeout, convert to int, set timeout to 1, and set it back to the previously retrieved value. There is no difference between keeping it as strings or doing a string->int->string round-trip, assuming no sizing and formatting weirdness.
Nice to see something like this on the Mac side.
https://www.yahoo.com/news/articles/washington-post-raid-pro...
Edit: I've a lot more details about the legality and precedence on the app's landing page: https://paniclock.github.io/
The UK, I believe, can compel you to provide passwords that you would be reasonably expected to know.
You can read about the sting, here: "How Did Investigators Catch the Dread Pirate Roberts (DPR) in San Francisco?" https://www.forensicscolleges.com/blog/forensics-casefile/si...
I like logging in with my fingerprint, but I would like an “out” in the same vein as this.
Great work, congrats!
>That’s not just one leak investigation—it’s access to a reporter’s complete source network, enabled by biometric convenience features.
Really nice to see that everything is AI generated now!
(If you’re about to comment about fingerprints on transparency film and balloons filled with warm water then yes good point)