Authentication and digital signature

For easy and secure storage of a user’s credentials and digital identity, macOS includes keychains and other tools that support authentication and digital signature technologies such as smart cards and S/MIME.

Keychain architecture

macOS provides a repository called the keychain that makes it easy to securely store usernames and passwords, digital identities, encryption keys, and secure notes. It can be accessed by opening the Keychain Access application in /Applications/Utilities/. Using a keychain eliminates the need to enter (or even remember) credentials for each resource. An initial default keychain is created for each Mac user, but users can create other keychains for specific purposes.

In addition to user keychains, macOS relies on a number of system-level keychains that maintain authentication assets that are not user-specific, such as network credentials and public key infrastructure (PKI) identities. One of these, the System Roots keychain, is immutable and stores Internet PKI root certificate authority (CA) certificates to facilitate common tasks such as online banking and e-commerce. Similarly, you can deploy an internally issued CA certificate to a managed Mac to help validate internal sites and services.

Safety Certification Framework

Keychain data is partitioned and protected by access control lists (ACLs), so credentials stored by third-party applications cannot be accessed by applications with a different identity unless the user explicitly consents. This protection provides a mechanism to secure authentication credentials on Apple devices across a range of applications and services within the organization.

Touch ID

Macs with a Touch ID sensor can be unlocked with a fingerprint. Touch ID does not replace the password: a password is still required to log in after the Mac starts up, restarts, or the user logs out. Whenever a user is asked to enter a password after logging in, the user can quickly authenticate with Touch ID instead.

Users can also use Touch ID to unlock password-protected notes in the Notes app and the Passwords pane of Safari preferences. For added security, users must enter their password rather than use Touch ID to unlock the Security & Privacy pane in System Preferences. If FileVault is turned on, the user must also enter a password to manage Users & Groups preferences. If multiple users log in to the same Mac, they can use Touch ID to switch accounts.

For more information about Touch ID and its security, see the Apple Support article “About Touch ID advanced security technology.”

Auto Unlock with Apple Watch

People who own an Apple Watch can use it to automatically unlock their Mac. Bluetooth Low Energy (BLE) and peer-to-peer Wi-Fi allow the Apple Watch to securely unlock a Mac after confirming the proximity of the two devices. This requires an iCloud account set up with two-factor authentication.

For more information about the protocol, as well as the Continuity and Handoff features, see the iOS Security Guide.

Smart cards

macOS Sierra and later include native support for Personal Identity Verification (PIV) cards. These cards are widely used by commercial and government organizations for two-factor authentication, digital signing, and encryption.

A smart card holds one or more digital identities, each consisting of a public/private key pair and an associated certificate. Unlocking a smart card with its personal identification number (PIN) gives access to the private keys used for authentication, encryption, and signing operations. The certificate determines what a key can be used for, what attributes are associated with it, and whether it has been validated (signed) by a CA.

Smart cards can be used for two-factor authentication. The two factors needed to unlock a card are “something you have” (the card) and “something you know” (the PIN). macOS Sierra and later support smart card authentication at the login window and client certificate authentication to websites in Safari. They also support Kerberos authentication using key pairs (PKINIT) for single sign-on to Kerberos-enabled services.

For more information about smart card deployment in macOS, see the macOS Deployment Reference.

Digital signing and encryption

In the Mail app, users can send digitally signed and encrypted messages. Mail automatically discovers the appropriate RFC 822 email address, compared case-sensitively, in the subject or subject alternative name of the digital signing and encryption certificates on an attached PIV-compatible smart card. If a configured email account matches the email address on a digital signing or encryption certificate on the attached PIV token, Mail automatically displays the signature button in the toolbar of the new message window. If Mail has the recipient’s email encryption certificate, or can find it in the Microsoft Exchange Global Address List (GAL), an unlocked lock icon appears in the new message toolbar. A locked lock icon indicates that the message will be encrypted with the recipient’s public key.
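The identity-to-account matching described above, and the role a card certificate plays (the smart card paragraph), reduced to Go over the X.509 fields a parsed certificate exposes. This is an added example, not Apple’s code: tokenCert is a constructed stand-in (no card or keychain is read), and the rule checks only the SAN rfc822Name, not the Subject emailAddress attribute the text also mentions.

```go
package main

import (
	"crypto/x509"
	"fmt"
)

// tokenCert is a constructed stand-in for a certificate read from one PIV slot. A
// certificate parsed with x509.ParseCertificate exposes the same fields; SAN rfc822Name
// entries appear in EmailAddresses.
func tokenCert(email string, ku x509.KeyUsage) *x509.Certificate {
	return &x509.Certificate{
		EmailAddresses: []string{email},
		KeyUsage:       ku,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
}

// roleFor returns "sign", "encrypt" or "" (unusable) for account: the configured
// address must equal an rfc822Name byte-for-byte (case-sensitive), the certificate
// must carry the emailProtection EKU, and key usage decides signing versus encryption.
func roleFor(cert *x509.Certificate, account string) string {
	emailEKU, matched := false, false
	for _, eku := range cert.ExtKeyUsage {
		emailEKU = emailEKU || eku == x509.ExtKeyUsageEmailProtection
	}
	for _, e := range cert.EmailAddresses {
		matched = matched || e == account
	}
	switch {
	case !emailEKU || !matched:
		return ""
	case cert.KeyUsage&x509.KeyUsageDigitalSignature != 0:
		return "sign"
	case cert.KeyUsage&x509.KeyUsageKeyEncipherment != 0:
		return "encrypt"
	}
	return ""
}

func main() {
	account := "alice@example.com" // constructed: the configured Mail account
	for _, c := range []*x509.Certificate{
		tokenCert("alice@example.com", x509.KeyUsageDigitalSignature),
		tokenCert("alice@example.com", x509.KeyUsageKeyEncipherment),
		tokenCert("Alice@Example.com", x509.KeyUsageDigitalSignature), // case differs: no match
	} {
		fmt.Printf("%s -> %q\n", c.EmailAddresses[0], roleFor(c, account))
	}
}
```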

Per-message S/MIME

macOS supports per-message S/MIME. This means that S/MIME users can choose to always sign and encrypt messages by default, or to selectively sign and encrypt individual messages. The identities used with S/MIME can be delivered to Apple devices through configuration profiles, an MDM solution, the Simple Certificate Enrollment Protocol (SCEP), or a Microsoft Active Directory certificate authority.