How to Recognize a Genuine Mac Password Request
One of the primary aims of most malware is to trick you into giving it your password. Armed with that, there’s little to stop it gathering up your secrets and sending them off to your attacker’s servers. One of your key defences against that is to know when a password request is genuine, and when it’s bogus. By far the best way to authenticate now is using Touch ID, but many Macs don’t support it, either because they can’t, or because their keyboard doesn’t, and there are still occasions when a genuine request may not offer it. This article looks at the anatomy of a range of genuine password requests. Note that these dialogs aren’t generated by the app, but come from the macOS security system, hence their consistency.
It’s kind of scary that there isn’t really anything about the standard Mac password dialogs that malware couldn’t duplicate. I don’t know why Apple hasn’t figured out a way to modify the rest of the screen in a way that only they could do. But, in practice, the fake dialogs seem to be very sloppily designed, so it’s good to review Oakley’s catalog.
I use a USB keyboard that doesn’t support Touch ID 99% of the time. Even when using my MacBook Pro’s internal keyboard, I tend not to use Touch ID because it rarely works. (It doesn’t work well on my iPad Air, either, though it was very reliable back before iPhones switched to Face ID.)
Update (2025-12-26): Kyle Howells:
I’ve though for the last decade that Apple should have a second light next to the camera light* which lights up during a real macOS auth request.
As it is Apple’s flood of permission requests is security theatre which makes users less secure by training them to expect frequent random prompts for their macOS password and to just accept it without thinking and enter their password.
(*a different color, maybe the other side of the camera, or above the keyboard instead).
I kinda don’t trust Apple to not make it even more confusing. Personally I think there’s a lot that can be learned from UAC’s seeming simplicity, while it has a bunch of anti-forgery features built in. (Don’t need to replicate all the unfixed security flaws surrounding it though lol) OS X actually used to show more info in the admin elevation prompt, like the process name and the intended outcome (run command as root, start privileged helper, custom 3rd-party tasks), not sure why this was removed around the Lion era.
One thing for sure though, making system auth prompts look just like all other alerts is a mistake. Apple keeps doing this for some reason (see also fake Apple ID prompts, before they redesigned this UI around the Face ID double-click)
5 Comments RSS · Twitter · Mastodon
At least conceptually, Microsoft's control-alt-delete security option always appealed to me at some level: a keyboard chord which can't be captured by anything but the system. (That said, I don't live in the Windows world, and maybe it's inherently too problematic — I certainly haven't put any time into thinking about how it might translate to system password prompts.)
My pet peeve about the Mac Touch ID dialog is that the design makes it look like you have to type your password in. It’s only if you read the fine print that you realize you can use Touch ID. Just really poor design for a key hardware feature.
I’ve seen people typing in their password because they don’t realize it’s a fingerprint prompt.
Apple’s security theater has been a gift for malware developers, because it’s trained everyone to just say “yeah yeah yeah” and not carefully read the constant security prompts that pop up.
Apple infamously made fun of UAC years ago in their I'm a PC ads. Microsoft managed to tone down UAC while implementing it in a more secure way.
Apple seems to have wound up duplicating UAC but in a worse way. Even though it is more practically realistic to use limited accounts on a Mac than on Windows.
Maybe we can finally get some good Mac interfaces now that the reign of terror is (hopefully) over.
I used to use the white rechargeable small Magic Keyboard, but I decided to move to a Keychron Alice layout keyboard, and I moved from a laptop to a Studio - so lost the touchid. I solved that by buying a Genuine Apple Magic Keyboard with Touch ID - Blue, A2449 from eBay - about $55. It's mounted under my desk and it's sole job is to provide me with a touchid key. Works reliably for me.
