Is that authentication request genuine or fake?
It’s essential to know when an authentication request is genuine. Without that knowledge, it’s all too easy to give your password away to malware, or to a badly-behaved app that’s trying to work around macOS security rules. By far the best way to authenticate now is using Touch ID, but many Macs don’t support it, either because they can’t, or because their keyboard doesn’t, and macOS doesn’t always offer it anyway. This article looks at how you can recognise genuine requests.
All Macs
The traditional non-biometric dialog is still in widespread use, and can appear on any Mac, even when Touch ID is available, and in Sequoia. I’ve been trying to work out a simple rule to predict when you should expect to see a classic request, and it appears to be associated with more traditional apps like Keychain Access, and when asking to access a file-based keychain such as the login keychain. But there don’t appear to be any simple and robust rules.
When an app needs to access a secret that requires authentication, the security system, not the app, displays a dialog asking you for the password to that keychain to authenticate before it will provide the password or other secret to the app.
That authentication dialog is very important: although malware might try to forge it, it contains distinctive features you should always look for:
The icon consists of a locked padlock, on which is superimposed a miniature icon representing the app or component that has asked to access the keychain.
The bold text names the app or component that has called for keychain access, and states which item it’s asking to access: here, a named secure note.
The smaller lettering specifies that it’s asking for the keychain password, that is the password used to unlock the named keychain, not that for your Apple Account or any other password.
If you’re in any doubt about its authenticity, click on the Deny button and the request will be denied.
If you’re in any doubt about its authenticity, open Keychain Access, lock the keychain there, and repeat the action while watching the keychain to ensure that it’s unlocked and handled correctly.
Note that this doesn’t provide or ask for your user name, only the password for that keychain.
Macs without Touch ID
If Touch ID isn’t currently available to your Mac, either because it doesn’t support it, or because it doesn’t have a keyboard connected that includes Touch ID support, you should see the non-biometric versions of other dialogs requesting authentication. These are for purposes other than keychain access that require elevated privileges, such as for a process to run a privileged helper, or to make changes in System Settings.
This new vertical format should contain the following:
The icon consists of a locked padlock, on which is superimposed a miniature icon representing the app or component that is asking for your password.
Bold text names the app making the request.
Below that is a general indication of the purpose of the request.
Below that is the instruction to Enter your password to allow this.
There are two text boxes, to contain your user name (already completed) and password.
There are only two buttons, one of which may be OK or something more specific, and the other is Cancel.
If you’re in any doubt as to its authenticity, click on the Cancel button to deny the request, and consult the app’s documentation.
Macs with Touch ID
If your Mac supports Touch ID (all Intel Macs with T2 chips, and all Apple silicon Macs), and currently has a keyboard connected to it with support for Touch ID, macOS should offer you the biometric version of that authentication dialog.
This should contain the following:
The icon consists of a Touch ID fingerprint, on which is superimposed a miniature icon representing the app or component that is asking for your password.
Bold text names the app making the request.
Below that is a general indication of the purpose of the request.
Below that is the instruction to Touch ID or enter your password to allow this.
There are only two buttons, the upper being Use Password…, and the lower is Cancel.
If you’re in any doubt as to its authenticity, click on the Cancel button to deny the request, and consult the app’s documentation.
This dialog has distinctive behaviour that’s difficult to forge. When you place your fingertip on the Touch ID button on the keyboard, it will either authenticate successfully, so dismissing the dialog, or the dialog shakes to indicate you should try placing your fingertip on the button again.
If Touch ID authentication fails, or you click on the button to Use Password…, the dialog expands to resemble the non-biometric version above, with the following two important differences:
The icon still consists of a Touch ID fingerprint, with a superimposed miniature icon representing the app or component.
The instruction remains to Touch ID or enter your password to allow this.
Although you will continue to encounter classic non-biometric authentication dialogs on a Mac with full Touch ID support, you may also come across some that you might have expected still to use the old dialog, but which now use a biometric dialog, such as that below.
Perhaps as Touch ID support extends this will become more consistent.