Home Setup Macos smartcard login only

Setup Macos smartcard login only

This page is for Silicon MacBook only. If you’re locked out from vault, press: Option+Shift+Return to input recovery code and login again.

The problem

MacOS supports smartcard for login but the implement is conflicting with vault. Only recent key can unlock vault the next time and only RSA supported slot key management (9d).


We need 2 slots: 9a for authentication and 9d for unwrap/decrypt keychains wrapper.

Use ykman command with piv as subcommand to generate keys and certificates, use --touch-policy always to require touch any action but it requires touch 3 times when unlocking vault and login from screenlock, maybe 1 time for decrypt vault, 1 time for keychains, 1 time for authentication. Or buying a smime from Trusted Authority.

Listing hash: sc_auth identities
Paring: sudo sc_auth pair -h hash -u user
Check smartcard’s slots and keys’s usage: system_profiler SPSmartCardsDataType

Enforce smartcard only using command: sudo defaults write /Library/Preferences/com.apple.security.smartcard enforceSmartCard -bool true

Screensaver when card is removed: sudo defaults write /Library/Preferences/com.apple.security.smartcard tokenRemovalAction -bool true

By default, MacOS doesnot check certificate’s trust. For strict checking, we need plist with sha256 fingerprints of Certificate Authorities.

This post is licensed under CC BY 4.0 by the author.