Password Utility Admin Guide


Overview

Password Utility is an app to provide a password-less experience by simplifying and removing password entry from macOS. Password Utility adds the following capabilities:

  1. Automatic FileVault unlock on startup to allow remote access to a Mac after a power failure or reboot.
  2. Simple local user password entry for password dialogs when Touch ID is not available.
  3. Touch ID for authentication in Terminal as administrator.

Using these capabilities, it is possible to skip typing a local password completely when in a user session, regardless of whether the user is an admin or a standard user. Combine this with the built-in feature of macOS to log in at the Login Window using a Smart Card and it is possible to completely skip entering a password at any time for the local user in macOS. 

Add this capability with Passkey support in the Secure Enclave in macOS and online passwords can be avoided as well to enable a completely password-less experience on macOS, both locally and online.

How it Works

The core of Password Utility is providing secure access to the login password in the Password Utility app. At user login, the local password is securely saved to the user’s keychain, permitting access to the password in Password Utility so it can provide the password to related features on macOS. This password item is saved to the local user’s login keychain and named “Password Utility”. The password item is protected by standard macOS Access Controls and only permits access to specific processes.

Once the user’s password is available in the user’s keychain on macOS, Password Utility provides easy access to the password through a menu item or a keyboard shortcut. Password Utility also can use the local username and password to unlock FileVault automatically at next startup, booting macOS to the standard Login Window, and allowing network access to the Mac.

FileVault

macOS uses a disk encryption technology called FileVault. On Apple Silicon, the disk is always encrypted, which protects the data if the disk is removed from the Mac and read elsewhere. However, if FileVault is not enabled, an attacker can boot to Recovery and access data without a user password. To prevent this, enable FileVault so that the disk encryption keys are protected by the user passwords.

However, when a Mac is rebooted due to a power failure or manual reboot, the user must enter their FileVault password to unlock the disk. This prevents external services (such as MDM, screen sharing, SSH, or other remote management tools) from accessing the device until the disk is unlocked with the user’s FileVault password. macOS 26 Tahoe has FileVault enabled by default in the setup assistant, so it will become even more common for FileVault to be enabled.

Automatically unlocking FileVault during startup with Password Utility does not automatically log the user into the Mac, and a user must authenticate at the login window to access the user session. This provides a balance between allowing access to the Mac on the network and securing data at rest with FileVault. The data on the drive is protected from being accessed from recovery if the drive is removed from the Mac and the user session is protected by the Login Window.

Install

To begin, download and run the Password Utility installer. Click “Allow” when prompted, then close the installer. Then launch Password Utility from the Finder “Applications” folder. When prompted, click “Allow” for App Background Activity, and enter an administrator password to confirm.

Configure Setup

To configure Password Utility, click its icon in the menu bar, then click the gear icon. Several options are shown.

Automatically Start at Login

Click this option to automatically launch the Password Utility menu bar app after each login. Note that this option needs to be enabled in order for most features to work.

Automatically Unlocking FileVault

Password Utility can be used to unlock FileVault automatically after restarting a Mac. This is helpful to allow a machine to remain available on the network when FileVault is enabled and the machine is restarted. Normally a FileVault-enabled machine would become unavailable on the network for management after a restart, and it would not become available until the next time a user signs in. Password Utility can set up macOS to automatically unlock FileVault in two different ways.

Option 1: Automatically Unlock FileVault with Current User

When this option is chosen and the machine is restarted, the machine will become available on the network by using the current user’s credentials to unlock FileVault after the restart.

If the machine were to be restarted a second time without a user signing in, FileVault would not be automatically unlocked since a user would not be logging in to provide credentials to unlock FileVault automatically.

Option 2: Automatically Unlock FileVault with Selected User

To ensure that a machine always remains available on the network after multiple restarts, the Mac can be set up to unlock FileVault before a user logs in by providing a username and password in the system keychain.

This second option to unlock FileVault provides a list of local users on macOS. Choose a user from this list and enter the user’s password when prompted. The username and password are stored in the System Keychain, which makes them available to Password Utility to unlock FileVault after multiple machine restarts. The System Keychain is only accessible to the system and to local administrators. Note: Any local administrator can view the FileVault unlock password in the System Keychain using their admin credentials.

Copy Password

Password Utility can be used together with Touch ID to paste a user’s password when needed. This makes it practical to use a complex password for increased security. To use this option, first make sure that Touch ID is enabled in macOS settings. Then in the Password Utility Setup window, find the “Local Password” section and click the checkbox for “Enable Hotkey for copying user password”.

Once this is done, the user’s password can be copied to the pasteboard by pressing the keyboard command Control-Option-Command-C and then using Touch ID when prompted. A notification will be shown when this is done. The password will then be available to paste with the normal keyboard shortcut Command-V. After 30 seconds, Password Utility will check if the password is still available for pasting and then clear it. A notification will be shown stating that the password was cleared.

Alternatively, the user’s password can also be copied by clicking on the Password Utility menubar app and pressing the button for “Copy Password”.
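The copy-then-clear behaviour described above is worth getting right in any tool that places a secret on the pasteboard: the clear must only fire if the pasteboard still holds the secret (so a value the user copied in the meantime is left alone), and the timer that waits for the timeout should not hold the plaintext where other local processes can see it. The following shell script is an added example, not Password Utility’s code; it assumes macOS `pbcopy`/`pbpaste` for the real copy and a background subshell that keeps only a fingerprint of the secret.

```shell
#!/bin/sh
# Added example: clipboard hygiene for a copied password.
# Not Password Utility's code; assumes macOS pbcopy/pbpaste.

# Fingerprint the secret so the background timer never holds the plaintext
# (argv and environment of a child process are visible to other local users
# through ps). Falls back through the digest tools that may be present.
fingerprint() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha256sum | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        printf '%s' "$1" | shasum -a 256 | cut -d' ' -f1
    else
        printf '%s' "$1" | cksum | cut -d' ' -f1
    fi
}

# Decide whether to clear the pasteboard: only when its current content still
# matches the fingerprint of what we put there. Returns 0 = clear, 1 = leave.
should_clear() {
    expected_fp=$1; current=$2
    [ "$(fingerprint "$current")" = "$expected_fp" ]
}

# Copy a secret read from stdin, then clear it after $1 seconds (default 30)
# unless the user has since copied something else. Mirrors the 30-second
# window described in the guide.
copy_with_expiry() {
    ttl=${1:-30}
    secret=$(cat)
    fp=$(fingerprint "$secret")
    printf '%s' "$secret" | pbcopy
    unset secret
    (
        sleep "$ttl"
        if should_clear "$fp" "$(pbpaste)"; then
            printf '' | pbcopy
            osascript -e 'display notification "Password cleared from pasteboard"' 2>/dev/null
        fi
    ) &
}

# Usage on a Mac:  printf '%s' "$PASSWORD" | copy_with_expiry 30
```

The timer subshell inherits only `fp`, never `secret`, and `should_clear` compares fingerprints rather than plaintext, so a later copy by the user (a URL, a snippet) is not destroyed by the expiry.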

Touch ID for sudo

Password Utility can be used to bypass entering the user’s password when using sudo commands in Terminal. Normally, when sudo is used to run restricted commands in Terminal, a prompt asks for an admin user’s password for approval. In the Password Utility Setup window, in the section for “Local Password”, click the checkbox for “Enable Touch ID for sudo”. When prompted, go to macOS settings and enable “Full Disk Access” for Password Utility. Once this is done, when a sudo command is run in Terminal, Terminal will prompt for Touch ID instead of asking for the user’s password.
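Whatever mechanism a tool uses to put Touch ID in front of sudo, the PAM stack for sudo is a sensitive place: any module listed there sees every sudo authentication. The script below is an added example, not Password Utility’s code, and the guide does not say how Password Utility hooks in; it assumes the standard macOS layout in which Touch ID for sudo comes from a `pam_tid.so` line in `/etc/pam.d/sudo_local` (included from `/etc/pam.d/sudo` on recent macOS) and reports any module outside a small allowlist, so an administrator can confirm that only the expected modules are present after enabling the feature.

```shell
#!/bin/sh
# Added example (not from Password Utility): audit the PAM stack for sudo.
# Assumes macOS's /etc/pam.d/sudo and /etc/pam.d/sudo_local layout.

# Modules that legitimately appear in macOS's sudo PAM stack.
ALLOWED_MODULES="pam_tid.so pam_smartcard.so pam_opendirectory.so pam_permit.so pam_deny.so"

module_allowed() {
    for m in $ALLOWED_MODULES; do
        [ "$1" = "$m" ] && return 0
    done
    return 1
}

# Print one line per unexpected entry in a PAM file; returns 0 when clean.
# Missing files are treated as clean (sudo_local may not exist).
audit_pam_file() {
    file=$1; status=0
    [ -f "$file" ] || return 0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|\#*) continue ;; esac
        # Fields: type control module [args...]; "include" names another file.
        set -- $line
        [ "$2" = include ] && continue
        case "$3" in
            */*) echo "$file: module loaded from an explicit path: $line"; status=1 ;;
            *)   module_allowed "$3" || { echo "$file: unexpected module: $line"; status=1; } ;;
        esac
    done < "$file"
    return $status
}

# Returns 0 if an active (uncommented) pam_tid.so line is present.
touchid_enabled() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_tid\.so' "$1" 2>/dev/null
}

# Run the audit over both sudo PAM files; non-zero exit if anything is off.
audit_sudo_pam() {
    rc=0
    for f in /etc/pam.d/sudo /etc/pam.d/sudo_local; do
        audit_pam_file "$f" || rc=1
        touchid_enabled "$f" && echo "$f: Touch ID (pam_tid.so) active"
    done
    return $rc
}

# Usage on a Mac:  sh pam_sudo_audit.sh   (runs only when invoked by that name)
case "$0" in *pam_sudo_audit.sh) audit_sudo_pam ;; esac
```

Run it before and after enabling the feature and compare: the only expected difference is the appearance of the `pam_tid.so` line. Anything else in the diff deserves a look.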

Token Status

Password Utility displays users’ secure token and volume ownership status. A user with a secure token is required to unlock FileVault. Use Password Utility to select a user with a secure token to automatically unlock FileVault after a power failure or reboot.
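The FileVault section above and this Token Status section describe the same set of preconditions for automatic unlock: FileVault must be on, and the selected user must be FileVault-enabled and hold a secure token. The following script is an added example, not part of the guide or of Password Utility; it audits those preconditions from the command line using the macOS tools `fdesetup`, `sysadminctl` and `diskutil`. The parsing functions take command output as arguments so they can be exercised with constructed samples; the output formats assumed in the comments are an assumption based on those tools’ typical output.

```shell
#!/bin/sh
# Added example: audit the preconditions for automatic FileVault unlock.
# Not Password Utility's code. Parsers take tool output as an argument;
# run_audit() calls the real macOS tools.

# `fdesetup status` prints "FileVault is On." or "FileVault is Off." (assumed format).
filevault_enabled() {
    case "$1" in
        *"FileVault is On"*) return 0 ;;
        *) return 1 ;;
    esac
}

# `fdesetup list` prints one "username,UUID" line per FileVault-enabled user.
filevault_user_listed() {
    user=$1; listing=$2
    printf '%s\n' "$listing" | grep -q "^${user},"
}

# `sysadminctl -secureTokenStatus <user>` prints e.g.
# "Secure token is ENABLED for user alice" (on stderr).
secure_token_enabled() {
    case "$1" in
        *"Secure token is ENABLED"*) return 0 ;;
        *) return 1 ;;
    esac
}

# `diskutil apfs listUsers /` prints one block per cryptographic user with a
# "Volume Owner: Yes|No" line (assumed format); count the owners.
volume_owner_count() {
    printf '%s\n' "$1" | grep -c "Volume Owner: Yes" || true
}

# Report on the given user (default: the current user). Exit 1 if the user
# cannot be used for automatic unlock.
run_audit() {
    user=${1:-$(id -un)}; rc=0
    if filevault_enabled "$(fdesetup status 2>&1)"; then
        echo "FileVault: on"
    else
        echo "FileVault: OFF (data is readable from Recovery without a password)"; rc=1
    fi
    if filevault_user_listed "$user" "$(fdesetup list 2>/dev/null)"; then
        echo "$user: FileVault-enabled"
    else
        echo "$user: not FileVault-enabled"; rc=1
    fi
    if secure_token_enabled "$(sysadminctl -secureTokenStatus "$user" 2>&1)"; then
        echo "$user: secure token enabled (can unlock FileVault)"
    else
        echo "$user: NO secure token (cannot be selected for automatic unlock)"; rc=1
    fi
    echo "volume owners on /: $(volume_owner_count "$(diskutil apfs listUsers / 2>/dev/null)")"
    return $rc
}

# Usage on a Mac:  sh fv_audit.sh [username]   (runs only when invoked by that name)
case "$0" in *fv_audit.sh) run_audit "$@" ;; esac
```

Running this for the user chosen under “Automatically Unlock FileVault with Selected User” confirms the choice before relying on it after the next reboot.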

Passwordless Authentication at Login Window

To enable passwordless authentication at the Login Window, macOS supports Smart Card login at both the FileVault login window and the standard macOS login window. There are multiple vendors of USB-based smart card security keys that work well with macOS, including:

FEITIAN ePass FIDO2 FIDO U2F USB-C + NFC Security Key (K40) plus

Setup

Once you have the USB-C Smart Card Security Key, download and install the FEITIAN SK Manager Tool.

Open the application and insert the Security Key.

Click on the red “Click here” to continue.

Under Interfaces, de-select all but CCID and click Save.

Remove and insert the Security Key.

Select Applications on the left side of the Feitian window.

Select PIV.

At the top of the window, set a PIN for your Security Key by selecting Change PIN.

At the top of the window, set a PIN reset key for your Security Key by selecting Change PUK.

At the top of the window, set a management key for your Security Key by selecting Change Management Key.

Under Slot, select Authentication (9a), and click Generate. Keep the default policy and click Next. Keep the Algorithm as ECC P-256 and self sign certificate, and name the certificate with your name or email address. Leave the expiration date as default.

Click Generate.

Click Back.

Under Slot, select Key Management (9d), and click Generate. Keep the default policy and click Next. Keep the Algorithm as ECC P-256 and self sign certificate, and name the certificate with your name or email address. Leave the expiration date as default.

Quit the application.

Unplug and reinsert the Security Key. You will see a notification asking to allow smart card pairing notifications. Allow it, then unplug and reinsert the Security Key again.

You should see a new notification to pair the Smart Card with your user account. Click Pair in the notification, and then click Pair again when asked to confirm.

Enter your local user password (using the hot key if you have set it up!) and select OK.

The smart card key is now set up. Log out and make sure your Security Key is inserted. You should see Enter PIN instead of password. Enter your PIN and press return. You will now log in without having to type your password.
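Before logging out to try the PIN prompt, it is useful to confirm from the command line that pairing actually landed on the account, and to review the two smart card policy settings that matter once the key becomes the login factor. The script below is an added example, not part of the guide or of Password Utility. It assumes that local smart card pairing records the identity in the user’s `AltSecurityIdentities` directory attribute (read here with `dscl`, in `dscl`’s usual “attribute: value” or indented multi-value output), that `security list-smartcards` lists the inserted tokens, and that the policy keys live in the `/Library/Preferences/com.apple.security.smartcard` domain.

```shell
#!/bin/sh
# Added example (not the guide's or Password Utility's code): verify smart card
# pairing and report the relevant policy keys. Assumes the dscl output format
# and preference domain named in the comments.

# Count paired identities in `dscl . -read /Users/<user> AltSecurityIdentities`
# output. dscl prints "AltSecurityIdentities: <value>" for a single value, or
# the attribute name alone followed by one indented value per line (assumed).
pairing_count() {
    printf '%s\n' "$1" | awk '
        /^AltSecurityIdentities:/ { in_attr = 1; if (NF > 1) n++; next }
        in_attr && /^[ \t]/       { n++; next }
        { in_attr = 0 }
        END { print n + 0 }'
}

# Read one key from the smart card policy domain; "unset" when absent.
read_policy() {
    defaults read /Library/Preferences/com.apple.security.smartcard "$1" 2>/dev/null || echo unset
}

# Verify the given user (default: current user). Exit 1 if no identity is paired.
verify_pairing() {
    user=${1:-$(id -un)}
    echo "tokens inserted: $(security list-smartcards 2>/dev/null | grep -c . || true)"
    n=$(pairing_count "$(dscl . -read "/Users/$user" AltSecurityIdentities 2>/dev/null)")
    if [ "$n" -gt 0 ]; then
        echo "$user: $n paired identity(ies)"
    else
        echo "$user: no paired identity; the login window will still ask for a password"
        return 1
    fi
    # tokenRemovalAction=1 locks the screen when the key is pulled, which is the
    # sensible default once the key is the login factor. enforceSmartCard=1
    # removes the password fallback entirely: confirm pairing works before
    # considering it, or the account can lock itself out.
    echo "tokenRemovalAction: $(read_policy tokenRemovalAction) (1 = lock screen on removal)"
    echo "enforceSmartCard:   $(read_policy enforceSmartCard) (1 = no password fallback)"
}

# Usage on a Mac:  sh sc_verify.sh [username]   (runs only when invoked by that name)
case "$0" in *sc_verify.sh) verify_pairing "$@" ;; esac
```

A count of zero after the pairing steps usually means the second Pair confirmation was dismissed or the password entered at that step was wrong; repeat the pairing before logging out.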