I'm looking to implement USB monitoring for FIDO2 authentication through a custom Authorization Plugin, specifically for the below ones.
This plugin applies to the following macOS authorization mechanisms:
- system.login.console — login window authentication
- system.login.screensaver — screensaver unlock authentication
The goal is to build a GUI AuthPlugin, an authorization plugin that presents a custom window prompting the user to "Insert your FIDO key". Additionally, the plugin should detect when the FIDO2 device is removed and respond accordingly.
Additional Info: We have already developed a custom authorization plugin which is a primary authentication using OTP at login and Lock Screen. We are now extending to include FIDO2 support as a primary.
Our custom authorization plugin is designed to replace the default loginwindow:login mechanism with a custom implementation.
Question: Is there a reliable approach to achieve the USB monitoring functionality through a custom authorization plugin? Any guidance or pointers on this would be greatly appreciated.
I’m looking for USB monitoring code that can function within an authorization plugin.
It’s hard to be sure without testing it, but I believe that our standard USB APIs will work in the authorisation plug-in context.
My standard advice here applies: Get things working from a test app and then move that code into your authorisation plug-in. That way you’re only debugging one thing at a time.
Oh, and our USB APIs are somewhat confusing:
- The modern API is the IOUSBHost framework.
- You’ll find lots of references to IOUSBHost in the Kernel framework. Ignore those. They are only relevant to KEXTs.
- You can also find USB APIs in the IOKit framework. Those are deprecated in favour of the IOUSBHost framework.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
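As an added example (not code from this thread or from Apple), the approach Quinn points at: an IOUSBHost matching dictionary handed to IOKit's IOServiceAddMatchingNotification, so the plug-in is told when a USB device arrives and when it is terminated (unplugged). It assumes macOS 12 or later (kIOMainPortDefault), that the caller links IOKit and IOUSBHost, and that the registry property names "idVendor"/"idProduct" are the keys to read; the all-nil matching call matches every USB device, so a real plug-in would pass the key's vendorID/productID or filter in the callback.

```objective-c
// Added example: USB arrival/removal monitor for an authorization plug-in.
#import <Foundation/Foundation.h>
#import <IOKit/IOKitLib.h>
#import <IOUSBHost/IOUSBHost.h>

typedef struct {
    IONotificationPortRef port;
    io_iterator_t addedIter;
    io_iterator_t removedIter;
} USBMonitor;

// Reads a registry property (assumed key names: "idVendor", "idProduct"); nil if absent.
static NSNumber *USBProperty(io_service_t service, CFStringRef key) {
    return CFBridgingRelease(IORegistryEntryCreateCFProperty(service, key, kCFAllocatorDefault, 0));
}

// Every matched service must be consumed from the iterator, or no further notifications arrive.
static void DrainIterator(io_iterator_t iter, const char *event) {
    io_service_t service;
    while ((service = IOIteratorNext(iter)) != IO_OBJECT_NULL) {
        NSNumber *vid = USBProperty(service, CFSTR("idVendor"));
        NSNumber *pid = USBProperty(service, CFSTR("idProduct"));
        NSLog(@"USB %s: vendor 0x%04x product 0x%04x", event, vid.unsignedIntValue, pid.unsignedIntValue);
        // A plug-in would compare vid/pid with the enrolled key here and update its prompt.
        IOObjectRelease(service);
    }
}

static void DeviceAdded(void *refcon, io_iterator_t iter)   { DrainIterator(iter, "arrived"); }
static void DeviceRemoved(void *refcon, io_iterator_t iter) { DrainIterator(iter, "removed"); }

// Registers for arrival and termination notifications, delivered on the given dispatch queue.
BOOL USBMonitorStart(USBMonitor *m, dispatch_queue_t queue) {
    m->port = IONotificationPortCreate(kIOMainPortDefault);
    if (m->port == NULL) return NO;
    IONotificationPortSetDispatchQueue(m->port, queue);
    // All nil: match every IOUSBHostDevice. Pass the key's vendorID/productID to narrow it.
    NSMutableDictionary *matching = [IOUSBHostDevice createMatchingDictionaryWithVendorID:nil productID:nil
        bcdDevice:nil deviceClass:nil deviceSubclass:nil deviceProtocol:nil speed:nil productIDArray:nil];
    // IOServiceAddMatchingNotification consumes one dictionary reference per call, hence one +1 each.
    if (IOServiceAddMatchingNotification(m->port, kIOFirstMatchNotification, (CFDictionaryRef)CFBridgingRetain(matching),
                                         DeviceAdded, m, &m->addedIter) != KERN_SUCCESS) return NO;
    if (IOServiceAddMatchingNotification(m->port, kIOTerminatedNotification, (CFDictionaryRef)CFBridgingRetain(matching),
                                         DeviceRemoved, m, &m->removedIter) != KERN_SUCCESS) return NO;
    // Arm: draining once reports devices already present and enables future callbacks.
    DeviceAdded(m, m->addedIter);
    DeviceRemoved(m, m->removedIter);
    return YES;
}

void USBMonitorStop(USBMonitor *m) {
    if (m->addedIter)   IOObjectRelease(m->addedIter);
    if (m->removedIter) IOObjectRelease(m->removedIter);
    if (m->port)        IONotificationPortDestroy(m->port);
}
```

Following Quinn's advice, drive USBMonitorStart from a test app first; the same code then moves unchanged into the mechanism's setup, with USBMonitorStop called when the mechanism is destroyed.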