Smart card-only authentication on macOS

macOS support mandatory use of a smart card, which disables all password-based authentication. This makes it possible to use a YubiKey with PIV support for all authentication on macOS, including computer login.

Warning: Enforcing smart card may lock you out from your machine if done incorrectly. Make sure to read the recovery section here, and note that this enforcement applies to all users on the machine.

Prerequisites

  • macOS High Sierra or later

  • an administrator account with a password configured

  • a YubiKey with the PIV application. Make sure you go through the device setup.

  • YubiKey Manager CLI installed

Steps

  1. Generate certificates on your YubiKey to be paired with macOS.

    1. Generate key pairs for slot 9a and 9d, save public part to files.

      ykman piv generate-key 9a --algorithm ECCP256 /tmp/9a.pub
      ykman piv generate-key 9d --algorithm ECCP256 /tmp/9d.pub
      
    2. Generate self-signed certificates, anything can be used as subject. You may also set the expiration, default is one year.:

      ykman piv generate-certificate 9a --subject "YubiKey 5" /tmp/9a.pub
      ykman piv generate-certificate 9d --subject "YubiKey 5" /tmp/9d.pub
      
  2. Pair the the YubiKey with macOS

    1. The public key hash should now be listed as an unpaired identity.

      sc_auth identities
      
    2. Use the listed hash to pair the YubiKey with your user.

      sc_auth pair -h HASH -u USERNAME
      
    3. Verify that your user is paired:

      sc_auth list
      

    You may now use your YubiKey for login, but your password still works as well.

  3. Install a configuration profile

    1. To enforce the use of smart card a configuration profile needs to be installed. A sample profile can be found here. Save the sample profile as sample.mobileconfig

    2. Install the profile:

      profiles install --path sample.mobileconfig
      

The YubiKey is now required for all authentication tasks on the system.

Additional options

Note that even though this guide uses self-signed certificates, any pair of certifcates stored in slot 9a and 9d may be used for pairing. To also verify that the certificates used are trusted, configure the checkCertificateTrust option in the profile.

The tokenRemovalAction may be added to the profile to automatically start the screensaver when the YubiKey is removed.

More reading: