How to secure your Mac Mini with a Yubikey

JJ · 8 min read · May 30, 2024

I recently bought a Mac Mini and was disappointed to learn that you can’t have Touch ID unless you buy one of the Touch ID keyboards. But there are so many other keyboards I’d prefer to use than Apple’s official ones.

It’s mind-boggling that Apple won’t sell a stand-alone Touch ID sensor that you can plug into any computer. Some people have built a DIY (Do It Yourself) version by taking apart a Touch ID keyboard and putting the touch sensor into a small 3D-printed case. Unfortunately, I don’t have the time, tools, or budget for that right now.

SnazzyLabs’ Tiny Touch ID Button

What I have been able to do is to repurpose a spare Yubikey to achieve something that’s close enough to Touch ID for my needs. This article will explain how. But first…

What is a Yubikey?

A Yubikey is a tiny USB device similar in shape to a thumb drive but even smaller. It has gold-coloured contact sensors that are triggered by a human or animal touch*, which makes the Yubikey do something such as type out a password.

*or contact with any other conductive materials such as metal and in some cases fabrics (due to static electricity). Non-conductive materials, such as plastics, rubber, paper, and wood, will NOT trigger a Yubikey’s capacitive sensors.

Funny story: At my last company, we had a coworker who accidentally placed his laptop on a blanket in a way that continuously triggered his Yubikey to post OTPs (one-time passwords) into an all-hands Slack channel for an hour while he was on break. RIP. 🥲☠️⚰️🪦

Yubikey Series 5 family

The Requirements

For my Touch ID alternative, I have just 2 must-have requirements and 1 nice-to-have:

  1. The password should be a long random combination of letters, numbers, and symbols so that it is unfeasible to brute force if the computer is ever lost or stolen.
  2. The password should be quick and easy to enter with just a touch of a button (no manual typing).
  3. Bonus: It would be nice if the touch would check for a biometric match (i.e. fingerprint), but this isn’t necessary.

The Solution

I reprogrammed my Yubikey 5C so that it outputs the same 38-character password every time it is touched. I then backed up that password in a password manager in case the Yubikey is ever lost or destroyed.

The only issue is that unlike Touch ID, a Yubikey will work regardless of who touches it. It doesn’t care if it is you or a stranger or a cat or even a piece of metal. Any touch from a conductive object will get it to enter the password. So any time you leave your computer unattended, you’ll need to remove the Yubikey and hide it or take it with you if you want to ensure your computer stays locked and secure.

Alternative 1: PIV Login

One alternative to this is to set up the Yubikey as a PIV login for MacOS. This requires a 6–8 digit PIN in addition to your Yubikey being present, so if you accidentally leave your Yubikey plugged in, it can stop someone who is casually snooping. But note that a 6–8 digit PIN can be “brute forced” in a few minutes by someone who has the right tools. So even with a PIV login, it would still be good practice to remove the Yubikey and hide it or take it with you any time you leave your computer unattended.

And that’s why in my opinion, PIV is not worth it. It adds a lot of extra hassle to setup and use (and even to make a backup) without adding much of a security benefit in return. This is especially true if your computer is only used at a secure and private location.

Alternative 2: Yubikey Bio

The ideal Yubikey would be one that you can leave on your device and not worry about anyone else being able to use it. And for that to be possible, it would need to only be triggerable by your fingerprint just like Apple’s Touch ID.

Well, recently Yubico launched the Bio series of Yubikeys, which finally have a fingerprint sensor! But, unfortunately, this new line of Yubikeys currently does not support static passwords, and MacOS login doesn’t support the FIDO protocol (which is what the Bio series uses). 😔 So close yet so far…

Yubikey Bio series

Step-By-Step Instructions

Here are the step-by-step instructions for how to replace your Mac login with a secure Static Password that’s entered with a (non-biometric) touch of a Yubikey (4 series or 5 series).

Step 1: Buy a Yubikey

If you don’t already have a compatible Yubikey, it is best to buy one directly from the manufacturer to avoid potential tampering or fakes from third parties. Yubico ships to almost every country in the world.

The “YubiKey 5C Nano” is good if you’re using a laptop. The low profile of the Nano is discreet, helps prevent accidental touches, and allows you to leave it plugged in when putting your laptop into a bag.

The “YubiKey 5C” is good if you’re using a desktop like a Mac Mini and need to reach over a bit to touch it, or if you’re planning to remove the Yubikey frequently, such as whenever you leave your computer unattended. (In contrast, the Nano is difficult to quickly remove due to its tiny size.)

There are many other models to choose from; just make sure the one you buy is listed as compatible with the Static Password feature in this article from Yubico.

Step 2: Get the Yubikey Manager app

Download and install the Yubikey Manager app from Yubico’s website: https://yubico.com/support/download/yubikey-manager/

Step 3: Update your Input Monitoring permissions

YubiKey Manager needs to be granted Input Monitoring permission before it will be able to open the YubiKey’s OTP application (this is because the YubiKey’s OTP application is essentially a USB keyboard).

To grant YubiKey Manager this permission, search “input monitoring” in your MacOS’s settings or find it from the “Privacy & Security” menu.

We can turn this permission back off once we are done with Step 4 (and Step 5, if you configure both slots).

Step 4: Configure your Yubikey

Plug in your Yubikey and open the Yubikey Manager. In the Yubikey Manager app, click “Applications” in the navigation and then select “OTP”.

You’ll see two “slots”: “short touch” and “long touch”.

  • Short touch is if you want to trigger the Yubikey with just a quick tap.
  • Long touch is if you want to trigger the Yubikey by holding your touch for a second or two.

You can configure your Yubikey for both types of touches or just one, as per your preference. If you don’t want your Yubikey to fire on every accidental brush, configure only the “long touch” slot and leave the “short touch” slot blank by pressing its “Delete” button (by default, the short touch slot ships configured for Yubico OTP).

Once you’ve decided on your preferences: Press the “Configure” button for the slot you want to use, then select “Static password” and press “Next”.

On the Static Password page, select “Allow any character” and then press “Generate”. You’ll see a 38-character password get generated, such as:

^dH[.p?rSV6~0*u0cw-H{De?qR*Enc!Op46$oA

According to password strength checkers like Bitwarden’s, a password like this would take centuries to brute force. Even passwords used for Apple’s FileVault feature are just 24 characters long.
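To put numbers behind the “centuries” claim, here is an added example (not code from the article or from Yubico) that works through the arithmetic for a 38-character password. It assumes the generic formula for a uniformly random password, entropy = length × log2(alphabet size), and an attacker speed of one trillion guesses per second, which is a constructed figure standing in for a well-resourced offline attack. It also goes beyond the article’s single case by comparing the 95-character “Allow any character” alphabet with Yubico’s default 16-character ModHex alphabet and with a 24-character alphanumeric password.

```python
import math

# Alphabet sizes for the comparison (constructed for this example):
# 95 = printable ASCII, which is what "Allow any character" permits on a US layout;
# 16 = the ModHex alphabet (cbdefghijklnrtuv) that Yubico tools use by default;
# 36 = case-insensitive letters and digits.
ALPHABETS = {"any character": 95, "modhex": 16, "alphanumeric": 36}

# Assumed attacker speed: one trillion guesses per second, a generous figure for an
# offline attack on an extracted hash. Change it; the conclusion does not change.
GUESSES_PER_SECOND = 1e12
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password whose characters are drawn uniformly at random."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(length: int, alphabet_size: int,
                     rate: float = GUESSES_PER_SECOND) -> float:
    """Years needed to try every password of this length and alphabet at `rate`."""
    candidates = alphabet_size ** length  # exact Python integer, no overflow
    return candidates / rate / SECONDS_PER_YEAR


def compare(length: int = 38) -> dict:
    """Entropy (rounded to 0.1 bit) and exhaustive-search years for each alphabet."""
    return {name: (round(entropy_bits(length, size), 1), years_to_exhaust(length, size))
            for name, size in ALPHABETS.items()}


if __name__ == "__main__":
    for name, (bits, years) in compare(38).items():
        print(f"38-char {name:>13}: {bits:6.1f} bits, {years:.1e} years to exhaust")
    print(f"24-char  alphanumeric: {entropy_bits(24, 36):6.1f} bits, "
          f"{years_to_exhaust(24, 36):.1e} years to exhaust")
```

The ModHex row is the practical caveat: if you skip “Allow any character”, the key is limited to a 16-character alphabet and the same 38-character length gives 152 bits instead of roughly 250. Both are far beyond what any brute-force effort can exhaust, so the option matters more for the symbols it lets you include than for the difference in strength.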

If you’d like a different password, you can press “Generate” again for a new one. You can also manually edit whatever was generated.

Step 4b: BACKUP

IMPORTANT: Before you press the “Finish” button, copy the password and paste it into whichever password manager tool you’re using (such as 1Password or Bitwarden). It is CRITICAL to have a backup of this password in case your Yubikey ever gets lost or stolen. If you’re not yet using a password manager, then stop reading this guide and get that sorted first.

Step 4c: TEST

IMPORTANT: After you press the “Finish” button, you can test your Yubikey by opening a non-cloud note tool like “TextEdit” on Mac. (Avoid a cloud-based note tool so that your password doesn’t get recorded somewhere other than your password manager.) Then do a short/long touch on your Yubikey and see the output in the note tool. It should be the same password you configured and backed up above.

Step 5: Second Slot (optional)

If you want your Yubikey to get triggered by both short and long touch, then you’ll need to repeat Step 4 for the other slot. But this time, instead of pressing “Generate”, you’ll need to enter the password from Step 4.

Note: To be able to paste a password, you first need to click the “Allow any character” checkbox.

If you do end up configuring the second slot, make sure to go back to a note tool and test to make sure that both the short touch and long touch give the same output.
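For readers who prefer the command line, here is an added example (not code from the article or from Yubico) that does what Steps 4, 4b, 4c and 5 do with Yubico’s `ykman` CLI instead of the Yubikey Manager GUI. It assumes `ykman` is installed and on your PATH, that `ykman otp static` with no password argument prompts for the password on standard input, that `--keyboard-layout US` covers every printable ASCII character (the equivalent of “Allow any character”), and that `ykman otp delete` clears a slot. The password is generated locally with the OS random source and shown once so it can be saved in your password manager before it is written to the key, and it is handed to `ykman` through stdin rather than as a command-line argument so it never lands in shell history or a process listing.

```python
import hmac
import secrets
import string
import subprocess

# "Allow any character": printable ASCII, assumed to be covered by ykman's US layout.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
PASSWORD_LENGTH = 38  # the length Yubikey Manager generates
SLOTS = {1: "short touch", 2: "long touch"}


def generate_static_password(length: int = PASSWORD_LENGTH, alphabet: str = ALPHABET) -> str:
    """Draw the password from the OS CSPRNG so it can be backed up before programming."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def ykman_static_argv(slot: int, layout: str = "US") -> list:
    """ykman command for writing a static password to a slot.
    The password is deliberately absent from argv: ykman prompts for it instead."""
    if slot not in SLOTS:
        raise ValueError("slot must be 1 (short touch) or 2 (long touch)")
    return ["ykman", "otp", "static", "--keyboard-layout", layout, "--force", str(slot)]


def ykman_delete_argv(slot: int) -> list:
    """ykman command for clearing a slot (e.g. the factory Yubico OTP in slot 1)."""
    if slot not in SLOTS:
        raise ValueError("slot must be 1 (short touch) or 2 (long touch)")
    return ["ykman", "otp", "delete", "--force", str(slot)]


def program_slot(slot: int, password: str, run: bool = False) -> list:
    """Write `password` to `slot`; with run=False only the command is returned (dry run)."""
    argv = ykman_static_argv(slot)
    if run:
        # The password goes in via stdin to answer ykman's prompt, not via argv.
        subprocess.run(argv, input=password + "\n", text=True, check=True)
    return argv


def matches_backup(typed: str, expected: str) -> bool:
    """Step 4c check: the key may append an Enter keystroke, so strip line endings,
    then compare in constant time against the backed-up value."""
    return hmac.compare_digest(typed.rstrip("\r\n"), expected)


if __name__ == "__main__":
    password = generate_static_password()
    print("Save this in your password manager before continuing:\n" + password)
    if input("Program slot 2 (long touch)? [y/N] ").lower() == "y":
        program_slot(2, password, run=True)
        if input("Also program slot 1 (short touch) with the same password? [y/N] ").lower() == "y":
            program_slot(1, password, run=True)
        elif input("Clear slot 1 (factory Yubico OTP) instead? [y/N] ").lower() == "y":
            subprocess.run(ykman_delete_argv(1), check=True)
        typed = input("Now touch the key; its output should appear here: ")
        print("match" if matches_backup(typed, password) else "MISMATCH: do not change your Mac password yet")
```

Run it from a terminal that has been granted the same Input Monitoring permission the article gives Yubikey Manager in Step 3, and do the final touch test in the terminal prompt rather than in a cloud-synced editor for the reason given in Step 4c.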

Step 6: Update your MacOS password

This is the part we’ve been waiting for! Now that you have a Yubikey that outputs a secure static password, you can go into your Mac settings and update your password to use it.

For both the “New password” and “Verify” fields, you’ll just be touching your Yubikey instead of typing anything in.

Congrats for making it so far! 🥳

Step 7: Update your Input Monitoring permissions

You can now go back and remove the Yubikey Manager’s Input Monitoring permission as it’s not needed anymore.

Step 8: Enjoy!

You can now enjoy using your Mac without having to type in your password several times a day, while also having a password that is more secure than the vast majority of users’ and impossible to brute force — at least until quantum computers become commercially viable.

Other Devices

Here are some other potential alternatives to Touch ID. I haven’t had the chance to try them yet, but would like to in the near future.

As far as I can tell, though, neither of them supports static passwords or MacOS login in general, and thus neither would be usable in the same way as the Yubikey in this guide.

The End

I hope this guide was helpful! 🙏 I’m new to writing on Medium so please share your feedback in the comments, don’t be shy to ask any questions, and let me know if there are any other cool ways you login to your MacOS :)
