Enforce biometric authentication to use Secure Enclave SSH keys #1892
Replies: 1 comment 1 reply
We already have #1489 as part of this. Opening the discussion here though. So the biggest reason why we have not enabled this yet is because we think it kinda collides with the Personal Mobile device concept and the way Apple is taking the OS itself. The way mobile devices work is that your device unlock is the real "test of user presence". Once that happens, there isn't much secondary test needed. Now, I see why maybe adding this extra security protection may be perceived as more secure; maybe in those scenarios you won't even be interested in this advanced functionality and re-connections, etc...

To do a test of user presence properly, in my opinion, it is not enough to just display the FaceID or TouchID prompt. The user needs to also receive a "heads up, user presence is required for X server to use Y key", like we do with Agent Forwarding. This is also not ideal when automations happen: Files.app, or reconnections may be triggered to start a configuration or a full setup reconnecting. Otherwise you will just be receiving prompts again and again and you don't even know why they may be happening.

Another way I see we could do this is with special configuration for the "Application lock". Configuring the time or "when" you want it to happen (even every time you come back to the app), I think, may be a better alternative solution. Because if you are connected to the server, the same scenario that you mention can be triggered by a malicious user taking your device away. Thanks for opening this discussion.
Basically the same as maxgoedjen/secretive#412. While Secure Enclave SSH keys prevent an attacker from stealing the private key and using it out of band, they may use the key anyway to log in to arbitrary servers from the device without the user being involved.
With enforced biometric authentication the attacker would have to wait for the user to log in to a legitimate server and could only use that to log in to the same server (otherwise the user would be tipped off that the authentication didn't work).
This should be feasible using https://developer.apple.com/documentation/security/secaccesscontrolcreateflags/2937192-biometrycurrentset. The UI should warn that the key will be wiped if the biometric configuration changes (but users still need a plan B today, if they use Secure Enclave keys).
This feature would also serve as a way to have a per-server / per-key biometric requirement, which today is only available for the Blink app as a whole.
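The access-control flag discussed in the thread, shown end to end as an added example (this is not Blink's code and not the Secretive project's code). It generates a Secure Enclave P-256 key whose use requires `.biometryCurrentSet`, then loads and signs with it through an `LAContext` whose `localizedReason` carries the "server X wants key Y" heads-up that the first reply asks for. The application tag, the reason string and the `sshChallenge` bytes are constructed placeholders; the key, if the query fails after a biometric enrollment change, is simply reported as unavailable so the caller can fall back to a plan-B key as the comment notes.

```swift
import Foundation
import Security
import LocalAuthentication

// Assumed, app-specific tag for the Secure Enclave key (placeholder value).
let sshKeyTag = "com.example.sshagent.enclave-key"

/// Access control: private-key use only, and only while the *current* set of
/// enrolled biometrics is unchanged. Re-enrolling Face ID / Touch ID invalidates
/// the key, which is exactly the "wiped on biometric change" caveat in the thread.
func makeBiometricAccessControl() throws -> SecAccessControl {
    var error: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly, // never migrates to another device
        [.privateKeyUsage, .biometryCurrentSet],
        &error
    ) else {
        throw error!.takeRetainedValue() as Error
    }
    return access
}

/// Generate a P-256 key inside the Secure Enclave with the access control above.
func createEnclaveKey(tag: String) throws -> SecKey {
    let access = try makeBiometricAccessControl()
    let attributes: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,
            kSecAttrApplicationTag as String: Data(tag.utf8),
            kSecAttrAccessControl as String: access,
        ],
    ]
    var error: Unmanaged<CFError>?
    guard let key = SecKeyCreateRandomKey(attributes as CFDictionary, &error) else {
        throw error!.takeRetainedValue() as Error
    }
    return key
}

/// Load the key with an authentication context. `localizedReason` is what the
/// system shows in the Face ID / Touch ID sheet, so name the server and key
/// rather than leaving the user guessing why a prompt appeared.
func loadEnclaveKey(tag: String, server: String) throws -> SecKey {
    let context = LAContext()
    context.localizedReason = "Use SSH key \"\(tag)\" to authenticate to \(server)"
    let query: [String: Any] = [
        kSecClass as String: kSecClassKey,
        kSecAttrApplicationTag as String: Data(tag.utf8),
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecReturnRef as String: true,
        kSecUseAuthenticationContext as String: context,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let ref = item else {
        // Covers "not found" after a biometric enrollment change as well as a
        // cancelled prompt; the caller should offer the plan-B key here.
        throw NSError(domain: NSOSStatusErrorDomain, code: Int(status))
    }
    return ref as! SecKey
}

/// Sign the SSH challenge; the biometric prompt fires on this call because the
/// key's access control requires it for every private-key operation.
func signChallenge(_ challenge: Data, with key: SecKey) throws -> Data {
    var error: Unmanaged<CFError>?
    guard let sig = SecKeyCreateSignature(
        key, .ecdsaSignatureMessageX962SHA256, challenge as CFData, &error
    ) else {
        throw error!.takeRetainedValue() as Error
    }
    return sig as Data
}

// Usage (constructed challenge bytes; a real SSH agent receives them from the server handshake).
do {
    _ = try createEnclaveKey(tag: sshKeyTag)
    let key = try loadEnclaveKey(tag: sshKeyTag, server: "example.internal")
    let sshChallenge = Data("constructed-ssh-challenge".utf8)
    let signature = try signChallenge(sshChallenge, with: key)
    print("signature bytes:", signature.count)
} catch {
    print("Secure Enclave key unavailable, fall back to another key:", error)
}
```

Because the prompt is tied to the key's ACL rather than to the app lock, this gives the per-key / per-server gate the second comment describes; the trade-off the first reply raises still stands, since every reconnection or Files.app access that signs with the key will raise the sheet, so the reason text is the only thing that tells the user which session triggered it.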