Comment by mvdtnz
3 months ago
I often get third party popups from software vendors which asks me for my MacOS password. I have checked several times and these are "legit" (as in, the popup comes from a who it says it does and it's a reputable company). It's wild to me that Apple have painted themselves into a world where it's expected that users give their OS password to third party apps.
MacOS and iOS both seem to have an insatiable hunger for passwords. The most aggravating scenario for me by far is when the App Store on iOS, with no consistent pattern I have been able to identify, makes me reenter my entire massive Apple ID password instead of the usual Face ID prompt to download ... a free app.
I can’t get it to use my password manager on that screen either, and navigating to another app closes the modal so you have to copy your password and then start over.
Wait, that's actually never legit. If the password popup comes from the OS on behalf of the vendor, that's OK; the third-party party never has access to your password, just a time-limited auth token to allow it to do something privileged.
Ok? I don't know if it's the OS on behalf of the app or not. It's a password prompt that doesn't even have an affordance for biometrics, unlike other MacOS admin prompts. It's commonplace in MacOS applications.
This is an example of what I'm talking about https://www.reddit.com/r/Slack/comments/1geva4f/how_do_i_sto...
This is good for security becuase you're giving temporary access for a helper binary to do privileged stuff in a limited scope.
From the UX perspective, yes, it is triggered from the app.
It's been a long time since I used the Core Foundation API but you trigger a request, and then get back a token from the OS that grants you permission to do stuff.
I don't know if this is current or not:
https://developer.apple.com/library/archive/documentation/Se...