omz / Pythonista-Issues

Issue tracker for Pythonista (iOS)

Keychain module - set_password - touch ID support #383

Open zrzka opened 7 years ago

zrzka commented 7 years ago

Would be nice if stored passwords can be protected by touch ID. In other words, whenever I call get_password, touch ID popups and then the password is retrieved. Something like set_password('aa', 'bb', 'cc', user_presence=True).

zrzka commented 7 years ago

Maybe this can be the default behavior if there's Touch ID. Just to protect my passwords when I've left my iPad, Pythonista, ... for a while (a rare case, but it can happen). Also, other scripts I install will not be able to read my passwords. Now, I have to trust StaSh & other scripts that they're not doing something bad. In this way I'll be informed that some script is trying to get a password from the keychain.

omz commented 7 years ago

While I'm not generally against this, please consider that it's technically impossible to prevent other scripts from reading the passwords you've stored in the keychain. They could always use objc_util to circumvent any TouchID popup etc.

zrzka commented 7 years ago

@omz why do you think other scripts can read passwords I've stored in the keychain? If I store it with ...

... then whenever I try to read it (or any other script), Touch ID / Passcode dialog appears (system) and I'm unable to read it unless I authenticate myself with finger or passcode.

So, the authentication prompt can say something like Script XYZ requires password.

omz commented 7 years ago

@zrzka Hmm, sounds interesting. Tbh, I haven't looked at keychain APIs in a while (I implemented the keychain module before TouchID was even a thing). Do you have a link with more info?

zrzka commented 7 years ago

@omz Check KeychainAccess for example. Scroll down to Touch ID integration (search in README).

omz commented 7 years ago

I'll check it out, thanks. Do you know if there's something like this, but ObjC-based (instead of Swift)? I'm not sure right now if the TouchID authentication is a feature of Apple's APIs or just the wrapper (in the latter case, it would probably be easy to circumvent).

zrzka commented 7 years ago

Yup, there are lots of frameworks for ObjC as well. This is an Apple API feature which has been with us for quite a long time :) I'll check my notes and will post some links here.

omz commented 7 years ago

Okay, thanks! I guess the keychain module might be due for a general overhaul...

zrzka commented 7 years ago

Here're some libs ...

... the other links I've got seem to lead to abandoned libraries. I'll ask the guys at work what they use these days.

Here're Item Attribute Keys and Values. Search for Accessibility Values / kSecAttrAccessible for example. Basically you can say when the item is available - device is locked, or after first unlock, if unlocked only, when passcode is set, ... You can say that the item should be trashed when stored with Touch ID protection and user trashes fingerprints and disables Touch ID, ...
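The two points raised in this thread (storing an item so that reading it triggers the system Touch ID / passcode prompt, and choosing a kSecAttrAccessible protection class so the item is tied to the device and its passcode) are shown below in plain Objective-C against Apple's Security framework, since omz asked for an ObjC rather than Swift reference. This is an added example, not code from Pythonista, omz, or any of the libraries linked above. The service name is a constructed value, and the code assumes it runs on a device with a passcode set; the verifier does not run it.

```objc
// Added example: a generic-password keychain item whose read requires user
// presence (Touch ID / Face ID / passcode). The prompt is enforced by the
// system on SecItemCopyMatching, so any client using the same keychain APIs,
// including one going through objc_util, sees the prompt or gets an error.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Constructed service identifier, not a real Pythonista value.
static NSString *const kDemoService = @"com.example.keychain-demo";

// Store `password` for `account`. Returns errSecSuccess or an OSStatus error.
OSStatus storeProtectedPassword(NSString *account, NSString *password) {
    CFErrorRef error = NULL;
    // kSecAttrAccessControl replaces kSecAttrAccessible in the add query:
    // the protection class is given here, and the two keys must not both be set.
    // WhenPasscodeSetThisDeviceOnly: the item is only available while a passcode
    // is set, is removed if the passcode is removed, and is never migrated to
    // another device via backup. UserPresence: any read requires biometry or
    // the device passcode.
    SecAccessControlRef access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        kSecAccessControlUserPresence,
        &error);
    if (access == NULL) {
        if (error != NULL) CFRelease(error);
        return errSecParam;
    }

    NSDictionary *baseQuery = @{
        (__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: kDemoService,
        (__bridge id)kSecAttrAccount: account,
    };

    // Remove any previous item for this account so SecItemAdd does not fail
    // with errSecDuplicateItem. Deleting does not trigger the user-presence prompt.
    SecItemDelete((__bridge CFDictionaryRef)baseQuery);

    NSMutableDictionary *addQuery = [baseQuery mutableCopy];
    addQuery[(__bridge id)kSecValueData] = [password dataUsingEncoding:NSUTF8StringEncoding];
    addQuery[(__bridge id)kSecAttrAccessControl] = (__bridge id)access;

    OSStatus status = SecItemAdd((__bridge CFDictionaryRef)addQuery, NULL);
    CFRelease(access); // the query dictionary retained it
    return status;
}

// Read the password for `account`. `reason` is the text shown in the system
// prompt (e.g. "Script XYZ requires your password"). On failure returns nil and
// leaves the OSStatus in *outStatus: errSecUserCanceled if the user dismissed
// the prompt, errSecAuthFailed on a failed authentication, errSecItemNotFound
// if nothing is stored.
NSString *readProtectedPassword(NSString *account, NSString *reason, OSStatus *outStatus) {
    NSDictionary *query = @{
        (__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: kDemoService,
        (__bridge id)kSecAttrAccount: account,
        (__bridge id)kSecReturnData: @YES,
        (__bridge id)kSecMatchLimit: (__bridge id)kSecMatchLimitOne,
        // Operation prompt shown by the system when user presence is required.
        (__bridge id)kSecUseOperationPrompt: reason,
    };
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (outStatus != NULL) *outStatus = status;
    if (status != errSecSuccess) return nil;
    NSData *data = (__bridge_transfer NSData *)result;
    return [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
}

// Usage from an app or script that runs with a foreground UI.
void demoProtectedPassword(void) {
    OSStatus status = storeProtectedPassword(@"user@example.com", @"constructed-secret");
    if (status != errSecSuccess) {
        NSLog(@"store failed: %d", (int)status);
        return;
    }
    NSString *secret = readProtectedPassword(@"user@example.com",
                                             @"Script XYZ requires your password",
                                             &status);
    if (secret == nil) {
        NSLog(@"read refused or cancelled: %d", (int)status);
    } else {
        NSLog(@"read succeeded after user presence check");
    }
}
```

Two practical notes. First, the user-presence check is applied by the keychain service, not by the wrapper library that issued the query, which is the distinction omz asked about: a script that bypasses a Python or Swift wrapper and calls SecItemCopyMatching directly still hits the same prompt, and a query made without the possibility of showing UI returns an error instead of the data. Second, because the protection class is "this device only", the item does not travel in backups; a tool that wants restorable secrets needs a different kSecAttrAccessible value and accepts the corresponding weaker guarantee.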

zrzka commented 6 years ago

Here's not finished example yet written in Python ...