Allow explicit Touch ID prompts #14492
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This was referenced Jul 14, 2022
codingllama
force-pushed
the
codingllama/touchid-guard
branch
from
e26cf95 to
def5b95
Compare
espadolini
reviewed
Jul 15, 2022
codingllama
force-pushed
the
codingllama/touchid-guard
branch
from
def5b95 to
0f0e7d2
Compare
|
Thanks for the quick review, @espadolini. PTAL? |
espadolini
approved these changes
Jul 15, 2022
|
Friendly ping @capnspacehook ? |
|
Friendy ping @capnspacehook ? |
codingllama
force-pushed
the
codingllama/touchid-guard
branch
from
0f0e7d2 to
7ab54c5
Compare
capnspacehook
approved these changes
Jul 18, 2022
codingllama
force-pushed
the
codingllama/touchid-guard
branch
4 times, most recently
from
f28fde8 to
bee523a
Compare
codingllama
force-pushed
the
codingllama/touchid-guard
branch
from
bee523a to
055aea4
Compare
codingllama
added a commit
that referenced
this pull request
Jul 19, 2022
Allow explicit Touch ID prompts to be triggered via Go code, which will be used to guard the (upcoming) credential picker prompt. To avoid double-prompting users during Touch ID authentication we have to set a grace period in the underlying LAContext and share it between the functions. Note that AuthContextGuard (native) uses the LAContext explicitly, whereas Authenticate (native) uses it through the SecItemCopyMatching query dictionary. No UX visible changes are made in the PR, despite the fact that prompting occurs a bit earlier. #13901 * Allow explicit Touch ID prompts
codingllama
added a commit
that referenced
this pull request
Jul 19, 2022
Implement the Touch ID credential picker. During passwordless authentication, when more than one login is present in Enclave credentials, `tsh` now asks the end user to pick their desired login. Credential picker terminal prompts are preceded by a system Touch ID prompt, which is then reused for authentication, provided less than 10 seconds pass in the meantime. I've done a couple of refactors to make the `CredentialInfo` structs similar between the `webauthncli` and `touchid` packages, so it's easier to trace parallels between them. To avoid double-prompting users during Touch ID authentication we have to set a grace period in the underlying LAContext and share it between the functions. Note that AuthContextGuard (native) uses the LAContext explicitly, whereas Authenticate (native) uses it through the SecItemCopyMatching query dictionary. #14493: * Refactor touchid.CredentialInfo * Refactor wancli.CredentialInfo * Move fido2_prompt*.go to prompt*.go * Define the touchid credential picker API * Add Touch ID credential picker tests * Implement touchid credential picker #13901: * Allow explicit Touch ID prompts Backports #14492 and #14493. Closes #13901.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Allow explicit Touch ID prompts to be triggered via Go code, which will be used to guard the (upcoming) credential picker prompt.
To avoid double-prompting users during Touch ID authentication we have to set a grace period in the underlying LAContext and share it between the functions. Note that AuthContextGuard (native) uses the LAContext explicitly, whereas Authenticate (native) uses it through the SecItemCopyMatching query dictionary.
No UX visible changes are made in the PR, despite the fact that prompting occurs a bit earlier.
#13901