macOS Touch ID - keychain storage details missing?

deeeed
Community Member

Hi,

I have enabled Touch ID on my Mac and wanted to check the details of what is stored in my keychain.
According to https://support.1password.com/touch-id-mac/, I should see a specific key in the login keychain but couldn't find it...
I must be looking in the wrong place :(
I do see an "agilebits" entry that only contains info about my accountKey and serverUrl:

  • emailAddress
  • serverURL
  • accountKey
  • accountName

Could the Touch ID info (I suppose it must contain my master password) be located in a private keychain only accessible within 1Password?
I tried to search for the "agilebits" identifier through all my keychains but could only find the default one.

Thanks


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:touch id storage keychain

Comments

  • @deeeed: I'm not sure exactly what you're looking for here. I'm not finding any mention of what's in the keychain on the support page you linked. Are you referencing the secret stored in the macOS keychain as referenced here?

  • deeeed
    Community Member

    @bundtkate yes, my bad, this is what I was mentioning...

  • Lars
    1Password Alumni

    @deeeed - So...does that cover what you needed, or do you still have questions?

  • deeeed
    Community Member

    The question still applies.

    I am actually in the process of comparing the different password management solutions. It involves a lot of reverse engineering to figure out which libraries/algorithms are used on the different OSes, as well as how personal data is stored. The goal is to give proof of the security model and show why it is safe.

    I can only find one key matching agilebits in my keychain, but this key is used to store the obfuscated/encrypted AccountKey.
    There must be a second entry in the keychain to contain information about Touch ID; this is the one I couldn't find. Hence my question: is there another entry in the keychain used to store the master password when we use Touch ID?
    I may also have just missed it... Maybe the key is only available from the context of the application?

  • Lars
    1Password Alumni

    @deeeed -- your Secret Key is stored (more or less) permanently; that's how it's designed to function on your Mac - it is a locally-stored, second encryption factor that is generated on your device and never leaves it in any form. But the entry in the macOS keychain representing the obfuscated version of your Master Password necessary for Touch ID to work will be added to/removed from the macOS keychain periodically, as described in the link @bundtkate sent you previously. I hope that helps, though I would suggest that if you feel "escrowing" your Master Password even in obfuscated form in the encrypted macOS keychain is a security risk, the solution for it is simply not to use Touch ID on your Mac. Because it is your Master Password (and Secret Key), not your fingerprint, that actually derives the AES-256 key which de/encrypts your data, in order for Touch ID to be possible (on either iOS OR macOS), this is the only way it can be accomplished: a verified token from the OS that you've successfully authenticated via Touch ID allows access to the obfuscated version of your Master Password, which is used to unlock 1Password on your Mac.
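As an added illustration (not 1Password's code, and whether 1Password uses exactly this mechanism is an assumption), the OS-gated access Lars describes is what a macOS app gets from Apple's Security framework: a keychain item carrying an access-control policy that the system only unlocks after it has verified Touch ID. The service and account names below are made up.

```swift
import Foundation
import Security
import LocalAuthentication

// Hypothetical identifiers for this illustration; not 1Password's.
let demoService = "example.touchid-gated-secret"
let demoAccount = "unlock-secret"
enum KeychainError: Error { case status(OSStatus) }

// Stores `secret` in the macOS data-protection keychain so that each read needs
// a fresh Touch ID verification against the currently enrolled fingerprints.
// The item never migrates off this Mac and is not shown in Keychain Access,
// which is why such an item is invisible when browsing the login keychain.
func storeBiometryGatedSecret(_ secret: Data) throws {
    var cfError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        .biometryCurrentSet,   // re-enrolling a finger invalidates the item
        &cfError) else { throw cfError!.takeRetainedValue() as Error }
    let item: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: demoService,
        kSecAttrAccount as String: demoAccount,
        kSecUseDataProtectionKeychain as String: true,
        kSecAttrAccessControl as String: access,
        kSecValueData as String: secret,
    ]
    let status = SecItemAdd(item as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.status(status) }
}

// Reads the secret back. The OS presents the Touch ID prompt and releases the
// data only after it has verified the fingerprint; the app never handles
// biometric data itself.
func readBiometryGatedSecret(reason: String) throws -> Data {
    let context = LAContext()
    context.localizedReason = reason
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: demoService,
        kSecAttrAccount as String: demoAccount,
        kSecUseDataProtectionKeychain as String: true,
        kSecUseAuthenticationContext as String: context,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess, let data = result as? Data else { throw KeychainError.status(status) }
    return data
}
```

Because the item lives in the data-protection keychain and is bound to the app's access-control policy, tools that enumerate the login keychain will not list it, which matches the "only available from the context of the application" guess above.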
