Hi! We are developing an authentication plugin for macOS that integrates with the system's authentication flow. The plugin is designed to prompt the user for approval via a push notification in our app before allowing access. The plugin is added as the first mechanism in the authenticate rule, followed by the default builtin:authenticate as a fallback.
When the system requests authentication (e.g., during screen unlock), our plugin successfully displays the custom UI and sends a push notification to the user's device. However, I've encountered the following issue:
- If the user does not approve the push notification within ~30 seconds, the system resets the screen lock (expected behavior).
- If the user approves the push notification within approximately 30 seconds but doesn’t start entering their password before the timeout expires, the system still resets the screen lock before they can enter their password, effectively canceling the session.
What I've Tried:
- Attempted to imitate mouse movement after the push button was clicked to keep the session active.
- Created a display sleep prevention assertion using IOKit to prevent the screen from turning off.
- Used the caffeinate command to keep the display and system awake.
- Tried setting the result as allow for the authorization request and passing an empty password to prevent the display from turning off.
I also checked the system logs when this issue occurred and found the following messages:
loginwindow: -[LWScreenLock (Private) askForPasswordSecAgent] | localUser = >timeout
loginwindow: -[LWScreenLock handleUnlockResult:] _block_invoke | ERROR: Unexpected _lockRequestedBy of:7 sleeping screen
loginwindow: SleepDisplay | enter
powerd: Process (loginwindow) is requesting display idle
These messages suggest that the loginwindow process encounters a timeout condition, followed by the display entering sleep mode. Despite my attempts to prevent this behavior, the screen lock still resets prematurely.
Questions:
- Is there a documented (or undocumented) system timeout for the entire authentication flow during screen unlock that I cannot override?
- Are there any strategies for pausing or extending the authentication timeout to allow for complex authentication flows like push notifications?
Any guidance or insights would be greatly appreciated. Thank you!
Yes.
I investigated this on behalf of another developer and my conclusion was that there’s no way to override this timeout. The developer filed a bug about that (FB7685037). I just checked on that bug and it remains unresolved.
ps Have you already been in touch with DTS about your authorisation plug-in? If not, please open a DTS code-level support request so that I can discuss some stuff with you privately.
When you fill in the form, make sure to reference my response on this thread.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"