Replace password prompt with Touch ID to read Keychain password

I'm using the following command to fetch a password from the Keychain in a shell script: security find-generic-password -w -s "MyServiceName"

It works, but it's showing a popup window asking me for the login keychain password:

security wants to use your confidential information stored in "MyServiceName" in your keychain. To allow this, enter the "login" keychain password.

With the options to Deny, Allow or Always Allow

But I don't want to enter my keychain password every time, so I can't use "Allow" and I'd rather not "Always Allow" in order to keep some level of security here.

Ideally I'd like to get a Touch ID prompt instead. Is there any way to do this ?


Solution 1:

Investigating this I was not able to find any method that would allow for the security command to make use of Touch ID. This article titled: How to Use Touch ID to Authenticate sudo on Mac OS, mentioned in a comment regarding sudo and then use of the Touch ID, will not work here since that makes use of the addition of this line:

auth sufficient pam_tid.so

to sudo's PAM file, /etc/pam.d/sudo. There is nothing equivalent to the security command since it doesn't make use of sudo.

Therefore you're left with using one of the 2 methods mentioned in the dialog when running the security command:

  • Always Allow
  • Allow

ss1

If you pick "Always Allow" this will grant access indefinitely just to the security command. If you pick "Allow" it will grant security access just 1 time to Keychain.

Example

Here I've created an application password item in Keychain called TestPassword.

ss2

We can see that nothing has been given access to it by looking at the ACL tab of this dialog.

ss3

If I run this security command:

$ security find-generic-password -w -s "TestPassword"

And permanently "Always Allow" I'll be given the password for this item from Keychain:

TestPassword123

But more importantly I'll add security to the ACL for this item in Keychain.

ss4