Wednesday, July 27, 2022

Touch ID on a Mac Desktop, Deconstructed

Jason Snell:

I want a mechanical keyboard and Touch ID!

[…]

I decided to attach some velcro tape on the keyboard and the bottom of my desk, positioning the keyboard so that the Touch ID sensor was at the very front of the underside of my desk.

[…]

I feel bad about using Karabiner to make a keyboard less productive, but that’s what I did: I re-mapped the keyboard’s keys to a useless function, so that mistyped keys will have no effect.

My experience has been that Touch ID is rarely useful on the Mac for anything except logging in, and that I can do with the “Use your Apple Watch to unlock apps and your Mac” option. Are there cases where you can use Touch ID but not an Apple Watch? Should there be?

I think when I try to Apple Pay it always sends the request to my phone.

Update (2022-07-28): Obviously, lots of people don’t have an Apple Watch, but I believe Snell is an Apple Watch user, and yet he was still motivated to do this to get access to Touch ID.

Update (2022-09-26): Jason Snell:

I’ve now done what I threatened to do at the end of that piece: I’ve broken into the keyboard, removed the important bits, and then reassembled it into a little 3-D printed case that contains just the Touch ID button.

16 Comments

I usually turn off Apple Watch login as it will randomly unlock the computer when I'm walking by. I'd rather stick to touch ID since at least it requires intent to happen.

Ghost Quartz

I use Touch ID for login, 1Password, purchases, unlocking System Preference panes, authenticating some operations to Keychain Access, and probably a few other small things that aren’t immediately coming to mind. I think some people have also wired it up to `sudo`.

I don’t know which of these work with an Apple Watch, but my main concern with watch unlock is that I want authentication to be an explicit action, rather than passively based on my hand’s proximity to the computer.

While you're correct that unlocking the Mac from the lock screen works automatically by proximity with the Apple Watch, other options like approving Apple Pay, unlocking 1Password, etc. require a double-click on the side button of the Watch. At least, those are the actions I've noticed. I have TouchId on my Mac, so I only use the Watch for the "walk up and it unlocks right away" feature.

I use it to authenticate to web apps, both for the password manager and the “second factor”. At least 25 times per day.

TouchID on the Mac extended keyboard is the other reason I bought it (numpad the first).

I love it. Hands are on the keyboard, 1Password unlocked by moving my fingers slightly, no having to lift both hands, wait for the Apple Watch to show unlock and then double press the side button.

I think part of my lack of enthusiasm for Touch ID on the Mac is that it seems to reject my finger much more often than it did on my iPhones.

I use Touch ID on a Magic Keyboard around 5 times a day when logging into FIDO2 compliant web apps for work. It’s handy and I haven’t had any trouble with it not recognizing my finger.

Soon I will use almost nothing but Touch ID instead of passwords for accessing nodes/k8s clusters/apps/DBs thanks to passwordless Touch ID support in Teleport 10. (disclaimer: I work for Teleport and it’s an open-source product)

I haven't given them their new laptops yet, but I expect that TouchID will be a godsend for my parents to actually use a password manager somewhat properly. I do miss it myself when I am on a keyboard without it.

The major use I have for Touch ID on the Mac is when working with a company-supplied laptop where I am either not allowed to associate my personal Apple ID with that laptop, or simply prefer not to do so.

I use Touch ID for everything that Ghost Quartz mentioned (especially 1Password unlocks all the time) and then also to authenticate family sharing downloads/purchases that my kids request from App Store.

It works very reliably and fast on the M1 MBA; it was a pleasant surprise how much I would use it (this is my first Mac with Touch ID). And I don't have an Apple Watch.

> I think when I try to Apple Pay it always sends the request to my phone.

If your card is unavailable in the "Wallet & Apple Pay" preferences pane, try enabling "Install system data files and security updates" in the Advanced settings of the "Software Update" preferences pane.

Regarding touchID and sudo, I've kept this one bookmarked for whenever I end up with such a keyboard. https://sixcolors.com/post/2020/11/quick-tip-enable-touch-id-for-sudo/

No Apple Watch. Use Touch ID on the Mac dozens of times a day, always instantaneous reading + response. Use for unlock, 1Password, security verifications. Makes me pine for it when using my iPhone or iPad since the hands-on-keyboard shift to active TouchID is so seamless + fast + reliable.

@ Zach: similarly, there's one for the Apple Watch as well. https://github.com/insidegui/pam-watchid (it will require you to double-click the side button)

Sadly, it seems macOS system updates will overwrite `/etc/pam.d/sudo`, so you have to remember to set that again.
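A check for the situation the comments above describe, where a system update restores the stock `/etc/pam.d/sudo` and the Touch ID line is lost. This is an added example, not code from the post or its commenters. It assumes the line in question is `auth sufficient pam_tid.so` (the Touch ID PAM module macOS ships) and that it must come before any non-`sufficient` auth module; `tid_status` and `write_samples` are hypothetical helper names, and the sample files are constructed.

```shell
# Added example. Prints one of:
#   enabled, missing, wrong-control, misordered, unreadable
tid_status() {
    [ -r "$1" ] || { echo "unreadable"; return 2; }
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }   # skip comments and blank lines
        $1 != "auth" { next }                  # only the auth stack matters
        {
            if ($3 == "pam_tid.so" && !found) { found = 1; ctl = $2; late = prior }
            if ($2 != "sufficient") prior = 1  # assumption: such a module prompts first
        }
        END {
            if (!found)              { print "missing";       exit 1 }
            if (ctl != "sufficient") { print "wrong-control"; exit 1 }
            if (late)                { print "misordered";    exit 1 }
            print "enabled"
        }
    ' "$1"
}

# Constructed sample files (not copied from any real machine).
write_samples() {
    cat > "$1/stock" <<'EOF'
# sudo: auth account password session
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
EOF
    cat > "$1/touchid" <<'EOF'
# sudo: auth account password session
auth       sufficient     pam_tid.so
auth       sufficient     pam_smartcard.so
auth       required       pam_opendirectory.so
account    required       pam_permit.so
EOF
    cat > "$1/late" <<'EOF'
auth       required       pam_opendirectory.so
auth       sufficient     pam_tid.so
EOF
}
```

Running `tid_status /etc/pam.d/sudo` after each macOS update shows whether the line survived; any result other than `enabled` means it needs to be set again.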

So far, on my 14-inch MBP, Touch ID has been solid. But it's obviously not a great choice for clamshell mode.

People forget that Macs are also used in Enterprises and work situations where iCloud is limited. On my work laptop I can't use my Apple Watch to unlock anything. Work devices do not mix with personal.

Touch ID is nice enough on the new Air and 2020 Mac Mini with the right external keyboard, but Apple Watch has a T2 minimum requirement for 1Password, whilst Touch ID needs at least Apple Silicon. If I have to choose, the clicky keyboard (Das, in my case) always wins, with Apple Watch. (The fact that Apple Watch is constrained to T2 for password autofill no longer applies now that I have a 2020 iMac, but could easily have, in which case the watch would still have provided unlock capability.)
