Unlock login keychain other than passwords

Is there a way to unlock the login keychain without using a password and with any other authentication factor supported by 3rd-party MFA options?

Answered by DTS Engineer in 821088022
Is there a way to unlock login keychain without using password … ?

No.

Well, yes and no.

As a user you can configure your account to unlock the login keychain with a smart card. However, you’re looking for an API to do this, and the only API for this is SecKeychainUnlock, which takes a password. Likewise for the unlock-keychain subcommand of the security tool.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

It means that we have to pair the user with a smartcard and macOS will take care of unlocking the logon keychain with the smartcard. However, there are no public APIs to unlock the logon keychain with a smartcard. Is my understanding correct?

There are certainly no smart card specific APIs for unlocking the keychain.

Have you tried passing the PIN to SecKeychainUnlock? I don’t think that’ll work, but it’s an easy enough test for you to run.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
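
Added example, not part of any post above and not Apple's code: a small Swift command-line check for the test suggested in the last reply, locking the keychain and then calling SecKeychainUnlock with a candidate secret (PIN or password) to see what status comes back. It assumes the user's default keychain is the login keychain; the helper names `describe`, `isUnlocked` and `tryUnlock` are made up for this sketch.

```swift
import Foundation
import Security

// Human-readable text for an OSStatus returned by the Security framework.
func describe(_ status: OSStatus) -> String {
    let text = SecCopyErrorMessageString(status, nil) as String? ?? "unknown error"
    return "\(status) (\(text))"
}

// True when the keychain reports the unlocked bit in its status flags.
func isUnlocked(_ keychain: SecKeychain) -> Bool {
    var flags: SecKeychainStatus = 0
    guard SecKeychainGetStatus(keychain, &flags) == errSecSuccess else { return false }
    return flags & kSecUnlockStateStatus != 0
}

// Lock first so the outcome depends on the secret supplied, not on prior state,
// then attempt the unlock with the candidate secret as UTF-8 bytes.
func tryUnlock(_ keychain: SecKeychain, with secret: String) -> OSStatus {
    let lockStatus = SecKeychainLock(keychain)
    guard lockStatus == errSecSuccess else { return lockStatus }
    let bytes = Array(secret.utf8)
    return SecKeychainUnlock(keychain, UInt32(bytes.count), bytes, true)
}

// Assumption: the default keychain is the user's login keychain.
var defaultKeychain: SecKeychain?
let copyStatus = SecKeychainCopyDefault(&defaultKeychain)
guard copyStatus == errSecSuccess, let keychain = defaultKeychain else {
    fatalError("No default keychain: \(describe(copyStatus))")
}

// Read the secret without echo so it never lands in shell history or argv.
let secret = String(cString: getpass("PIN or password to test: "))

let result = tryUnlock(keychain, with: secret)
print("SecKeychainUnlock returned \(describe(result))")
print("Keychain unlocked afterwards: \(isUnlocked(keychain))")
```

Run it once with the account password as a baseline and once with the smart card PIN, then compare the returned status and the reported lock state.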
