[v10] Implement the Touch ID credential picker #14643
Merged
Implement the Touch ID credential picker.

During passwordless authentication, when more than one login is present in Enclave credentials, `tsh` now asks the end user to pick their desired login. Credential picker terminal prompts are preceded by a system Touch ID prompt, which is then reused for authentication, provided less than 10 seconds pass in the meantime.

I've done a couple of refactors to make the `CredentialInfo` structs similar between the `webauthncli` and `touchid` packages, so it's easier to trace parallels between them.

To avoid double-prompting users during Touch ID authentication we have to set a grace period in the underlying LAContext and share it between the functions. Note that AuthContextGuard (native) uses the LAContext explicitly, whereas Authenticate (native) uses it through the SecItemCopyMatching query dictionary.
Backports #14492 and #14493.
Closes #13901.
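The shared-context pattern the description refers to, as an added illustration that is not code from this PR or the `touchid` package: one LAContext carries a 10-second reuse window, an explicit evaluatePolicy call plays the role of AuthContextGuard, and a SecItemCopyMatching query reuses the same context via kSecUseAuthenticationContext, as Authenticate does. Function names, the keychain label and the query attributes are assumptions for the example.

```objective-c
#import <Foundation/Foundation.h>
#import <LocalAuthentication/LocalAuthentication.h>
#import <Security/Security.h>

// One LAContext shared by both steps (example code, not the project's own).
// The reuse duration is the "grace period": a biometric success within the
// window satisfies later evaluations on this same context without a prompt.
static LAContext *SharedAuthContext(void) {
    static LAContext *ctx;
    static dispatch_once_t once;
    dispatch_once(&once, ^{
        ctx = [[LAContext alloc] init];
        ctx.touchIDAuthenticationAllowableReuseDuration = 10; // seconds
    });
    return ctx;
}

// AuthContextGuard analogue: explicit Touch ID prompt shown before the
// terminal credential picker. Blocks until the user responds.
static BOOL PromptTouchID(NSString *reason) {
    LAContext *ctx = SharedAuthContext();
    NSError *err = nil;
    if (![ctx canEvaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics
                          error:&err]) {
        return NO; // no usable biometrics on this device
    }
    dispatch_semaphore_t done = dispatch_semaphore_create(0);
    __block BOOL ok = NO;
    [ctx evaluatePolicy:LAPolicyDeviceOwnerAuthenticationWithBiometrics
        localizedReason:reason
                  reply:^(BOOL success, NSError *e) {
                      ok = success;
                      dispatch_semaphore_signal(done);
                  }];
    dispatch_semaphore_wait(done, DISPATCH_TIME_FOREVER);
    return ok;
}

// Authenticate analogue: the keychain query carries the same context, so a
// lookup that follows the picker inside the 10 s window does not re-prompt.
// Caller owns the returned reference (CFRelease when done).
static CFTypeRef CopyKeyWithSharedContext(NSString *label) {
    NSDictionary *query = @{
        (id)kSecClass: (id)kSecClassKey,            // assumed item class
        (id)kSecAttrLabel: label,                   // assumed lookup attribute
        (id)kSecReturnRef: @YES,
        (id)kSecUseAuthenticationContext: SharedAuthContext(),
    };
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    return status == errSecSuccess ? result : NULL;
}
```

If the picker takes longer than the reuse window, the second step prompts again; that is the expected fallback rather than a failure.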