2.12 Audit Touch ID

Information

Apple has integrated Touch ID with macOS and allows fingerprint use for many common operations. All use of Touch ID requires the presence of a password and the use of that password after every reboot, or when more than 48 hours has elapsed since the device was last unlocked. Touch ID is not a password replacement. The use of Touch ID can make the use of passwords more secure for authorized users with physical access to a Mac. Normal day-to-day work operations can eliminate the use of console password entry unless a reboot is required other than on Monday morning. The infrequency of password screen unlock can enable a more complicated pass phrase that is seldom used. When Touch ID is used it remediates the risk of shoulder surfing (including video surveillance) to capture console credentials. There have been many reported shoulder surfing password captures on iOS devices. Reports have not been widespread on Macs, but shoulder surfing password capture is simpler than the other methods of breaking in to an encrypted Mac.

When a SmartCard or YubiKey is provisioned by an organization and is available for Console authentication, that is a much more secure option than the use of Touch ID and is preferred.

Rationale:

Touch ID allows for an account-enrolled fingerprint to access a key that uses a previously provided password.

Impact:

Touch ID is more convenient for use with aggressive screen lock controls.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Graphical Method:
Perform the following steps to set Touch ID to your organization's settings:

Open System Preferences

Select Touch ID

Select the Touch ID settings match your organization's settings

Terminal Method:
For each user, run the following commands to set TouchID to your organization's parameters:
Use this command for TouchID to unlock the system. Use 0 to disable unlock or 1 to enable unlock:

$ /usr/bin/sudo -u <username> /usr/bin/bioutil -w -u <0,1>

Use this command for TouchID to use ApplePay. Use 0 to disable ApplePay or 1 to enable ApplePay:

$ /usr/bin/sudo -u <username> /usr/bin/bioutil -w -a <0,1>

Use this command to set the timeout at the system level:

$ /usr/bin/sudo usr/bin/bioutil -w -s -o <value<=172800>

example:

$ /usr/bin/sudo -u <username> /usr/bin/bioutil -w -u 1

$ /usr/bin/sudo -u <username> /usr/bin/bioutil -w -a 1

$ /usr/bin/sudo usr/bin/bioutil -w -s -o 86400

Note: The -s notates a system configuration and does not need to be ran for each user.

See Also

https://workbench.cisecurity.org/benchmarks/11683