This page is for Silicon MacBook only. If you’re locked out from vault, press: Option+Shift+Return to input recovery code and login again.
The problem
MacOS supports smartcard for login but the implement is conflicting with vault. Only recent key can unlock vault the next time and only RSA supported slot key management (9d).
Setup
We need 2 slots: 9a for authentication and 9d for unwrap/decrypt keychains wrapper.
Use ykman command with piv as subcommand to generate keys and certificates, use --touch-policy always to require touch any action but it requires touch 3 times when unlocking vault and login from screenlock, maybe 1 time for decrypt vault, 1 time for keychains, 1 time for authentication. Or buying a smime from Trusted Authority.
Listing hash: sc_auth identities
Paring: sudo sc_auth pair -h hash -u user
Check smartcard’s slots and keys’s usage: system_profiler SPSmartCardsDataType
Enforce smartcard only using command: sudo defaults write /Library/Preferences/com.apple.security.smartcard enforceSmartCard -bool true
Screensaver when card is removed: sudo defaults write /Library/Preferences/com.apple.security.smartcard tokenRemovalAction -bool true
By default, MacOS doesnot check certificate’s trust. For strict checking, we need plist with sha256 fingerprints of Certificate Authorities.