This page is for Silicon MacBook only. If you’re locked out from vault, press: Option+Shift+Return to input recovery code and login again.
MacOS supports smartcard for login but the implement is conflicting with vault. Only recent key can unlock vault the next time and only RSA supported slot key management (9d).
We need 2 slots: 9a for authentication and 9d for unwrap/decrypt keychains wrapper.
Use ykman command with piv as subcommand to generate keys and certificates, use
--touch-policy always to require touch any action but it requires touch 3 times when unlocking vault and login from screenlock, maybe 1 time for decrypt vault, 1 time for keychains, 1 time for authentication. Or buying a smime from Trusted Authority.
sudo sc_auth pair -h hash -u user
Check smartcard’s slots and keys’s usage:
Enforce smartcard only using command:
sudo defaults write /Library/Preferences/com.apple.security.smartcard enforceSmartCard -bool true
Screensaver when card is removed:
sudo defaults write /Library/Preferences/com.apple.security.smartcard tokenRemovalAction -bool true
By default, MacOS doesnot check certificate’s trust. For strict checking, we need plist with sha256 fingerprints of Certificate Authorities.