Ooh... this YouTuber uses one of my 3D models and mentions and links it in his video!
Cryptomator 1.16.0 for Desktop is out now!
With exciting new features like EventView, Decrypt File Name, and Touch ID support for macOS, managing your encrypted files is now even easier.
Learn more about all updates and improvements in our latest blog post!
My work Mac has a very secure password so I have enjoyed setting it up to use Touch ID for sudo. I have not enjoyed that that configuration gets blown away on every update.
However I have now discovered (2 years late) that instead of /etc/pam.d/sudo you can use sudo_local and have it survive OS updates.
https://www.idownloadblog.com/2023/08/24/touch-id-sudo-command-terminal-tutorial/
Things that were obvious design mistakes from #Apple:
- #TouchBar (not the technology, but the implementation)
- Removing #MagSafe (people like the convenience of not killing their laptop over tripping cables)
- Re-adding MagSafe (without actually addressing the problem that you need a whole new cable to just deliver power)
- Square alignment of arrow keys (does this even need a comment?)
- Removing the escape key (it's not just nerds)
- #TouchID button that can't visually tell you that it wants your attention (believe it or not, but some people have no effing clue what to do when the TouchID popup pops up)
- The contrast of #DarkMode on #OSX calendars (eternal shit show of trying to read purple text on a slightly darker purple background)
- Everything related to #EmojiPicker (the way it's been buggy for years, the slowness, the non functional fuzzy search, the 3! distinct and horrible ways it works, ...)
- #iMessage as a whole (anyone who is a tiny bit critical can't stand this piece of UX hell)
I'm so mad how little non #Chromium browser options are available out there for general desktop/PC users. I tried Zen out once and it seemed okay, albeit a lil alpha/beta-ish atm (until when, I'm not sure) but it is still an option to look out for - not a fan of how it looks like #Chrome plastered onto #Firefox tho.
Realistically, I'd love some "big" (#FOSS) player(s) to fork and maintain a single brand new Firefox instance of some sort that becomes the new "de facto" Firefox browser, rather than #Mozilla's, but idk if that's gonna happen. Even #KDE's browser is Chromium based which is just... NOT an option for me.
I still find it ridiculous that #Apple gatekeeps #Safari to Macs lol, it's just a browser, what harm is there in opening it up to other systems even if there's some missing features locked to the Apple ecosystem here and there (i.e. #TouchID or #ApplePay integration, etc.). That'll at least add more numbers against #Google's insane dominance.
RE: https://circumstances.run/users/davidgerard/statuses/114078708183574404
Passkey/password bug: iOS 18.3.1
In iOS version 18.3.1, too, the iCloud KeyChain (*) vulnerability that I reported earlier has still not been fixed (I wrote about this earlier, in English: https://infosec.exchange/@ErikvanStraten/113821443334366419).
(*) Nowadays that is the app called "Wachtwoorden" (or "Passwords").
The vulnerability exists if:
• The owner uses a "passcode" (PIN or password) to unlock the iPhone or iPad - and NO biometrics have been configured;
or:
• The user can use biometrics to unlock the screen, but in 'Settings' > 'Touch ID & Passcode' the setting "Password AutoFill" has been turned OFF.
See the screenshots below (in English at https://infosec.exchange/@ErikvanStraten/113821443334366419). You can see more info by pressing "Alt" in the images.
Problem: anyone with access to the unlocked iPhone or iPad can then, *without* having to authenticate locally again:
1) Log in to any website whose user ID and password are stored in iCloud Keychain;
2) Log in with passkeys to a few specific websites (including https://account.apple.com and https://icloud.com), as follows:
a) Open the website;
b) Tap "Sign in";
c) Tap the "x" at the top right of the pop-up that appears (in the bottom half of the screen);
d) Briefly tap in the field that asks for the e-mail address;
e) Tap the "use passkey" button.
Risk: lending out an unlocked iDevice (e.g. to children), but also theft after the passcode has been shoulder-surfed. Or, if the thief does not have the passcode, if they wait until the next iOS/iPadOS vulnerability becomes known that allows the screen unlock to be bypassed.
If you have not seen them yet, watch at least the first of the following two videos by Joanna Stern (of the Wall Street Journal):
https://youtube.com/watch?v=QUYODQB_2wQ
https://youtube.com/watch?v=tCfb9Wizq9Q
@Cyberbeni : I'd not underestimate the number of users who do not use biometrics.
However, I just managed to reproduce the vulnerability *with* biometrics (Touch ID) enabled. It happens when I go to
"Settings" —> "Touch ID & Passcode"
and disable "Password AutoFill" (see the relevant Settings screenshots below).
BTW I've only tested iPads and iPhones with TouchID (as I don't have access to Apple devices equipped with FaceID).
I just reproduced this on an iPhone SE2 with iOS 18.1.1 in Safari, then updated iOS to 18.2.1: it still reproduces.
It also works in Edge, Firefox and Firefox Focus, but (interestingly) not in Chrome (all for iOS of course).
Note: disabling Password Autofill may not be what the typical user does; I ran into it while experimenting with passkeys.
But then again, that setting is DISABLED if the user has not configured biometrics, and it, IIRC, cannot be enabled in that situation.
Note that when registering Touch ID on a Magic Keyboard with the Mac mini (2024) equipped with the Apple M4 chip, you need to press the power button on the bottom twice.
https://applech2.com/archives/20241108-mac-mini-magic-keyboard-with-touch-id-setup.html
@macrumors Well, yes, it could, but what we all really want to know is will it still have #TouchID and a #HomeButton
I do not know since when or how, possibly when checked for #iOS update, #TouchID has not been working since last 15 hours.
To add second fingerprint, need to be able to verify with existing one.
To disable "Stolen Device Protection"? Yes, need to be able to verify with existing one.
There is one or other thing, yes, that requires to be able to verify with existing fingerprint.
PIN/password (alone) does not work
Of course the obvious possibility is that finger pad shape had changed, or busted for the purposes of the phone, and I do not feel or have realized it ...
cleaning the cover (Otter Defender for iPhone SE 2022) on the scanner did not help; let's try sans cover ... yeeahh, that worked. Crap ummm ... so remove the flexible plastic film over the button (not liking this. AT ALL)
@jpsachse : or when your account gets pwned and the attacker does a better job proving that they are you than you - after all, *they* have access to your account - while you do not.
ANDROID PASSKEY BLACK HOLE
*Or* when you press a button "Clear data" (at the bottom of https://chrome.google.com/sync) which is accompanied by the text:
« This will clear your Chrome data that has been saved in your Google Account. This might clear some data from your devices. »
For you to subsequently find out that ALL OF YOUR PASSKEYS on (all of) your Android device(s) are IRRETRIEVABLY GONE (I reported this to Google in June 2023 and published it 6 months later in
https://seclists.org/fulldisclosure/2024/Feb/15). It's still unfixed.
WHY NO EXPORT AND NO BACKUP
W.r.t. being able to export and/or backup all private keys belonging to all of your passkeys: that's a big dilemma (depending on your POV).
The main (advertised, not taking into account a possibly desired vendor lock-in) reason is simple: if *you* have direct access to such private keys, *malware* running on your device does too.
The compromise is that they are automatically synced to your cloud account, and from there to other devices (of the same brand, provided they run an OS version that's not too old), including a new device if you brick or lose your old device.
However, if there's serious malware on your device, then, even if the malware authors cannot steal all of your passkeys (that is, their private keys), then you're toast anyway; a RAT such as AnyDesk may fool you into believing that you're logging in to website A while in fact it's B and they steal its session cookie - and pwn the webaccount.
SYNCING PRIVATE KEYS
BTW it's hardly being discussed, but being able to synchronize secrets between secure hardware enclaves in such a way that *you* are denied access, is quite an achievement (considering that, if you buy a new phone, the only available secrets to the transport system are your definitely weak passcode, and your, potentially weak, cloud password that may be used to encrypt the private keys in transit).
I *know* that it's complicated because I accidentally found out around June 2023 that Android can get confused: passkeys *seem* to sync just fine, but passkeys created on phone 1 do not work on phone 2 and vice versa. Somehow the phones had started using *different* encryption keys used to securely synchronize them (I also mentioned that issue in my reports to Google in the summer of 2023, and I mention it in the FD (seclists.org) message).
I don't know how Apple syncs secrets in iCloud keychain, and neither whether a situation may exist where passkeys' private keys sync but are unusable (like may happen when using Android).
APPLE'S OWN PASSKEY MISERY
However, Apple has got their own bunch of problems with passkeys being usable *without* requiring biometrics or a passcode to unlock them from iCloud Keychain, see https://infosec.exchange/@ErikvanStraten/113050312014160350 and follow-up (it gets worse every time I look at it) https://infosec.exchange/@ErikvanStraten/113053761440539290 (more details in earlier toots in that thread).
In short: if you don't use biometrics to unlock your iPhone or iPad (OR you do, but you have -unlikely- disabled a specific configuration setting), then anyone with access to your iDevice in an unlocked condition (*), can sign in to:
https://appleid.apple.com
and/or
https://icloud.com
WITHOUT entering your passcode (or using biometrics).
(*) your child, spouse, someone you don't know (well) who borrows your phone to make a call (because their battery is dead), NOTABLY including a thief who stole it while you were using it (or saw you type your passcode and can unlock it by themselves: https://youtu.be/QUYODQB_2wQ).
I'm not sure yet, but this may even render Apple's anti-theft system totally moot.
@webhat : Passwordless actually exists on iPhone or iPad under realistic circumstances - that is, not taking into account unlocking the screen (using a PIN, a password or biometrics).
Consider the situation when some stranger borrows your iPhone to make a phone call, or you let your child play a game on your iPad: in such cases they may be able to log in as you onto various websites. That is, without knowing your screen unlock code (or somehow being able to simulate your biometrics).
On specific websites this even also works when using passkeys (no PIN, password or biometrics is required to use the passkey).
It obviously is a vulnerability. But after I filed a bug report in June 2023, Apple denied that it is. And they've not fixed it either.
BTW this works (on iPhone or iPad) in Safari, Firefox, Edge and Chrome (except that in Chrome, "passkey without local auth", only works if, in condition below, only iCloud Keychain is enabled and no other 'optional' password manager - such as KeePassium).
The conditions are:
The password or passkey is stored in iCloud KeyChain;
EITHER: you've NOT configured any biometrics to unlock the screen (meaning that you must use a pincode or a password to unlock the screen - a use case quite common because some people don't like to use, or don't trust, biometrics),
OR: (not common, I found it during testing) 'Settings' > 'Touch ID and Passcode': 'Password Autofill' is OFF;
In 'Settings' > 'Passwords' > 'Password Options' (all quite common):
• 'Autofill Passwords and Passkeys' is ON;
• 'iCloud Keychain' is ON;
• Optionally another password manager is enabled (in my iPhone 'KeePassium' is ON).
Passkeys only: (this is irrelevant for passwords, and applies only to iOS and iPadOS versions that support passkeys): the website you (or the borrower of your iDevice) want to sign in to (using your account) must support "WebAuthn Conditional UI" [1] AND it must specify:
'User Verification': 'Preferred'
(the latter value, stupidly, is the WebAuthn default; the other options are 'Discouraged' and 'Required').
[1] https://github.com/w3c/webauthn/wiki/Explainer:-WebAuthn-Conditional-UI
In short, "WebAuthn Conditional UI" means that the website ALSO accepts a passkey in case you activate (tap in and see a blinking cursor) the user-ID input field (instead of tapping a button labeled e.g. "Sign in using passkey"). Doing that will invoke iCloud KeyChain and lets you select the right passkey.
Two examples (there are more) of such websites (for free testing purposes) are:
• https://passkeys-demo.appspot.com
• https://webauthn.io
AND, NOTABLY, Apple's production SSO site: https:⧸⧸idmsa.apple.com
Note that your browser is redirected to the idmsa site (in order to SSO to Apple) when you open the bugreport that I filed in June 2023:
• https://security.apple.com/signin?path=reports/OE19476493072
Here's the recipe for passwords:
Ensure that conditions
,
and
mentioned above are met;
Open a website where you have an account with its credentials saved in iCloud Keychain. Invoke the log in screen and tap into the user-ID field;
Tap the proposed account name. Now iCloud Keychain autofills your user-ID and passwords into the right fields.
And the recipe for passkeys:
Ensure that conditions
,
, and
mentioned above are met;
Open https://security.apple.com/signin?path=reports/OE19476493072
A box pops up from the bottom of the screen. Tap the X at the top-right to close it.
Tap in the input field "Email or Phone Number", then tap your iCloud ID at the bottom of your screen. Now you will be logged in to Apple without using local auth.
Note that you'll probably see a "403 access denied" error, because (although you HAVE logged in) you are not *authorized* to view the bug report.
This is passwordless 1FA because the possession of the (unlocked) device suffices.
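Added example, not part of the post above and not code from Apple or any of the sites it names: how a relying party can avoid depending on the 'Preferred' default by requesting `userVerification: "required"` and then rejecting any assertion whose authenticator data lacks the User Verified (UV) flag. The function names and the sample bytes are hypothetical and constructed for illustration; signature, challenge, origin and rpIdHash checks are assumed to happen elsewhere.

```javascript
// Added example: relying-party handling of WebAuthn user verification (UV).
// Function names below are hypothetical, not from any library.

const FLAG_UP = 0x01; // bit 0: user present (a tap or similar gesture)
const FLAG_UV = 0x04; // bit 2: user verified (PIN, passcode or biometrics)

// Options the server hands to navigator.credentials.get({ publicKey: ... }).
// If userVerification is omitted, WebAuthn treats it as "preferred".
function buildRequestOptions(challenge, rpId, requireUv) {
  return {
    challenge,
    rpId,
    userVerification: requireUv ? "required" : "preferred",
  };
}

// authenticatorData layout:
//   rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | ...
function parseAuthenticatorData(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length < 37) {
    throw new Error("authenticatorData too short");
  }
  const flags = bytes[32];
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  return {
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    signCount: view.getUint32(33, false),
  };
}

// Server-side policy check on a returned assertion. Requesting "required" in
// the options is not enough on its own: the server must also check the flag.
function checkAssertionPolicy(authData, requireUv) {
  const parsed = parseAuthenticatorData(authData);
  if (!parsed.userPresent) return { ok: false, reason: "user not present" };
  if (requireUv && !parsed.userVerified) {
    return { ok: false, reason: "user verification missing" };
  }
  return { ok: true, reason: parsed.userVerified ? "verified" : "presence only" };
}

// Constructed sample: zeroed rpIdHash, the given flags byte, signCount = 7.
function sampleAuthData(flags) {
  const data = new Uint8Array(37);
  data[32] = flags;
  data[36] = 7;
  return data;
}
```

With 'preferred', an assertion carrying only the UP flag passes the policy check, which matches the "possession of the unlocked device suffices" outcome described in the post; with 'required' enforced server-side, the same assertion is rejected.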
iPad with Touch ID: go to the Home Screen by resting your finger, without clicking
An iPad with Touch ID as the Home button, or integrated into the side button, can be opened directly by resting a finger on it. Unfortunately, the "Rest Finger to Open" function is hidden in the Accessibility settings and is not active by default. Settings → Accessibility →…
Read article: https://www.iphone-blog.ch/2024/07/16/ipad-mit-touch-id-ohne-klicken-durch-auflegen-des-fingers-zum-home-bildschirm/
Handy for the holidays: iOS 18 allows hiding apps
Vacation, holidays, absence, switching off, relaxing. To deliberately step away from notifications, you can activate the "Do Not Disturb" focus. Or you can hide individual apps. That way, during the holidays I can separate myself from Slack, Teams or Outlook, and on incoming …
Read article: https://www.iphone-blog.ch/2024/07/12/praktisch-fuer-die-ferien-ios-18-erlaubt-das-ausblenden-von-apps/
•#Minimalism• A bright #design „#TouchID“ style #Wallpaper for your #Apple device named #iPhone. ☻ Have fun!
Recently I switched from an #iPhone SE 2nd generation to an iPhone 15. The biometric identification system has therefore been changed from #touchID to #faceID. FaceID works quite well so far. It only reaches its limits in strong sunlight and during sport. It is particularly annoying to have to enter the PIN when doing #sport. It feels like this happens much more often with Face ID than it used to with Touch ID. #running #cycling
It's done: The wireless version of the #TouchMagic button. An #Apple Touch ID button, freed from its old and defective keyboard, built into its own case. Now usable with every keyboard you want to use. The battery can be charged via the lightning port.