
Comment by KerrAvon

3 months ago

Wait, that's actually never legit. If the password popup comes from the OS on behalf of the vendor, that's OK; the third party never has access to your password, just a time-limited auth token to allow it to do something privileged.

Ok? I don't know if it's the OS on behalf of the app or not. It's a password prompt that doesn't even have an affordance for biometrics, unlike other MacOS admin prompts. It's commonplace in MacOS applications.

This is an example of what I'm talking about https://www.reddit.com/r/Slack/comments/1geva4f/how_do_i_sto...

  • This is good for security because you're giving temporary access for a helper binary to do privileged stuff in a limited scope.

    From the UX perspective, yes, it is triggered from the app.

    It's been a long time since I used the Core Foundation API but you trigger a request, and then get back a token from the OS that grants you permission to do stuff.

    I don't know if this is current or not:

    https://developer.apple.com/library/archive/documentation/Se...