
Support TouchID

Open ejholmes opened this issue 6 years ago • 43 comments

Recent versions of Macbooks include the touch bar, which has TouchID + Secure Enclave. It would be nice if aws-vault supported using biometrics through TouchID, instead of passwords when accessing the keychain.

I believe this would depend on support within keybase/go-keychain first.

ejholmes avatar Aug 04 '18 09:08 ejholmes

+1

FernandoMiguel avatar Aug 04 '18 10:08 FernandoMiguel

Kind of like https://github.com/99designs/aws-vault/pull/131 and https://github.com/lox/go-touchid?

lox avatar Aug 06 '18 00:08 lox

The go-keychain folks weren't keen on it https://github.com/keybase/go-keychain/issues/11

lox avatar Aug 06 '18 00:08 lox

I actually had #131 in a usable state for quite some time, wouldn't be hard to resurrect, would love some feedback on it.

lox avatar Aug 06 '18 01:08 lox

That seems pretty close to what I'd want for this. This is my own lack of experience with OSX/iOS APIs, but it seems like the implementation in https://github.com/99designs/aws-vault/pull/131 doesn't actually tie access to the keychain item to biometrics; the biometrics check is done in Go, rather than setting the access control settings on the keychain item. Would it be better to do something like what's mentioned in https://developer.apple.com/documentation/localauthentication/accessing_keychain_items_with_face_id_or_touch_id?language=objc, so that biometrics are checked by the keychain APIs?

ejholmes avatar Aug 06 '18 07:08 ejholmes

Neat, I dimly recall that I couldn't make that work when I tried a year or so ago, but agree that is a much better way to do it if viable. Will give it a go.

lox avatar Aug 06 '18 22:08 lox

I had a go at it. The issue is that go-keychain is using the old Access APIs, and the TouchID stuff lives in the new AccessControl APIs. I think it's beyond my Objective-C abilities to reconcile the two in a way that can be upstreamed. If someone with some Objective-C skills wanted to advise, I'll help with the golang side of things.

lox avatar Aug 07 '18 22:08 lox

Farther than I got! Thanks for trying.

ejholmes avatar Aug 09 '18 05:08 ejholmes

Any interest in reviving this? I'd be willing to help with obj-c/cpp side of things.

eni9889 avatar Oct 12 '18 13:10 eni9889

@eni9889 Check out https://github.com/lox/go-touchid and see if you can make any headway on that side. The golang side we got.

StevenACoffman avatar Jan 23 '19 00:01 StevenACoffman

I would LOVE help on this, if someone with obj-c skills wanted to help I'd be super responsive on getting it merged.

lox avatar Jan 23 '19 01:01 lox

+1

rafilkmp3 avatar Jul 15 '19 15:07 rafilkmp3

+1's won't help, need someone with some objective-c skills I'm afraid.

lox avatar Jul 15 '19 22:07 lox

What needs help on go-touchid? I know you said Obj-C skills, but ... more details would be useful. It's been a while since I last touched Obj-C, but I'm curious at least. I poked around on the project briefly but I didn't see any issues filed describing where the hangups are.

geoffreywiseman avatar Dec 16 '19 05:12 geoffreywiseman

@lox I'm interested in getting this in aws-okta and I might have an Objective C buddy we can lean on. Can we see the code you wrote as far as you got?

Also, I opened this https://github.com/keybase/go-keychain/issues/61

nickatsegment avatar Jan 09 '20 18:01 nickatsegment

Hello, the code found here may be useful: https://github.com/infinum/Locker

Features

  • Save data in Keychain.
  • Fetch data from Keychain with Biometric ID.
  • Delete data from Keychain.

jdolitsky avatar Jan 13 '20 15:01 jdolitsky

I'm curious to know if there was any progress on this, so we can unlock the keychain with TouchID instead of a password.

FernandoMiguel avatar Jun 05 '20 10:06 FernandoMiguel

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Dec 04 '20 21:12 stale[bot]

Not stale

moltar avatar Dec 05 '20 02:12 moltar

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Jun 03 '21 20:06 stale[bot]

I'm still very interested in seeing this happen.

edsrzf avatar Jun 03 '21 21:06 edsrzf

This would be nice. +1

rafilkmp3 avatar Jul 05 '21 14:07 rafilkmp3

+1 Tired of entering the password every time.

issei-m avatar Jul 14 '21 09:07 issei-m

No +1s please. PRs welcome

mtibben avatar Jul 15 '21 01:07 mtibben

Seems what's challenging is that:

  • aws-vault depends on github.com/99designs/keyring to access the OS keyring in an OS-independent way
  • github.com/99designs/keyring depends on github.com/99designs/go-keychain to access the Mac OS keychain
  • github.com/99designs/go-keychain is itself a fork of github.com/keybase/go-keychain
  • the Keybase folks have an issue open (https://github.com/keybase/go-keychain/issues/61), but in the past also considered it and implemented it as a separate package (go-touchid) which isn't applicable to what we want to achieve here

So it seems there are two options:

  1. Implement this feature in github.com/99designs/go-keychain, but have it diverge from upstream
  2. Talk with Keybase folks and implement this feature in github.com/keybase/go-keychain

In any case, it does require some Go/Objective-C bindings (probably in keychain.go) to allow specifying a non-default LAContext, through the kSecUseAuthenticationContext when calling SecAddItem.

christophetd avatar Feb 21 '22 13:02 christophetd
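The Objective-C half of what the comment above describes, as an added illustration that is neither aws-vault nor go-keychain code: the item is created with an access-control object that requires user presence, and read back with an LAContext passed through kSecUseAuthenticationContext, so the Security framework itself performs the Touch ID check instead of the Go caller. Function names, the 60 s reuse window and the prompt text are chosen here; the Security framework entry point is SecItemAdd, and the data-protection keychain key assumes macOS 10.15 or later.

```objective-c
// Build: clang -fobjc-arc -framework Foundation -framework Security -framework LocalAuthentication touchid_item.m
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <LocalAuthentication/LocalAuthentication.h>

// Store `secret` so the keychain itself requires user presence (Touch ID, with passcode fallback) before returning it.
static OSStatus StoreProtectedSecret(NSString *service, NSString *account, NSData *secret) {
    CFErrorRef err = NULL;
    SecAccessControlRef acl = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly, // this device only, never synced
        kSecAccessControlUserPresence, &err);         // biometry, or passcode as fallback
    if (acl == NULL) { if (err) CFRelease(err); return errSecParam; }
    NSDictionary *attrs = @{
        (id)kSecClass: (id)kSecClassGenericPassword,
        (id)kSecAttrService: service,
        (id)kSecAttrAccount: account,
        (id)kSecValueData: secret,
        (id)kSecAttrAccessControl: (__bridge id)acl,
        // macOS only enforces the ACL in the data-protection keychain, not in the
        // legacy login keychain that the old Access API (used by go-keychain) addresses.
        (id)kSecUseDataProtectionKeychain: @YES,
    };
    OSStatus status = SecItemAdd((__bridge CFDictionaryRef)attrs, NULL);
    CFRelease(acl);
    return status;
}

// Read it back. The prompt is raised by the Security framework because of the item's
// ACL; this code never sees or evaluates the biometric result itself.
static OSStatus LoadProtectedSecret(NSString *service, NSString *account, NSData **out) {
    LAContext *ctx = [[LAContext alloc] init];
    ctx.localizedReason = @"unlock your AWS credentials";
    // Reuse a fresh Touch ID success for 60 s so a burst of keychain reads
    // (one per `aws-vault exec`) does not prompt every single time.
    ctx.touchIDAuthenticationAllowableReuseDuration = 60;
    NSDictionary *query = @{
        (id)kSecClass: (id)kSecClassGenericPassword,
        (id)kSecAttrService: service,
        (id)kSecAttrAccount: account,
        (id)kSecMatchLimit: (id)kSecMatchLimitOne,
        (id)kSecReturnData: @YES,
        (id)kSecUseDataProtectionKeychain: @YES,
        (id)kSecUseAuthenticationContext: ctx,
    };
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (status == errSecSuccess) { *out = (__bridge_transfer NSData *)result; }
    return status; // errSecUserCanceled or errSecAuthFailed when the prompt is refused
}
```

A cgo binding in go-keychain would need to wrap exactly these two calls, since the existing Access-based item creation never attaches a SecAccessControlRef. Expect the data-protection keychain to reject an unsigned test binary at SecItemAdd (errSecMissingEntitlement), so sign the build before trying it.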

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Sep 21 '22 03:09 stale[bot]

Not stale

christophetd avatar Sep 21 '22 08:09 christophetd

Not stale. Hoping for this feature to be implemented.

danielnbalasoiu avatar Feb 01 '23 08:02 danielnbalasoiu

Not stale

kennethwkz-mm avatar Feb 26 '23 04:02 kennethwkz-mm

Would also want this feature to be available!

Sophie1142 avatar Mar 16 '23 16:03 Sophie1142