Setting Up RFID Card Login for XCreds

Requirements

  • Apple Silicon or Intel Mac
  • CCID Compliant RFID Reader
  • RFID Card

Overview

XCreds supports using any CCID reader to sign in with RFID cards and tags. When a card is tapped, the reader passes the RFID UID to XCreds at the login window. XCreds then looks up the user name and password associated with that RFID UID in the secure user database, which must be set up before login. If the RFID UID is associated with a user and password, that user name and password are used to log in to the Mac. If it is a new account, the user account is created and the user is logged in. If the account exists and the password is valid, the user is logged in with the password and the user keychain is unlocked.

Secure User Database

To log in to XCreds with an RFID card, the user account information must be imported into XCreds ahead of the login. Since the username and password are sensitive information, this information is encrypted. An ECC private key is created in the system keychain and it is used to encrypt the user information and save it to a file on the disk, accessible only by an administrator. Only the XCreds process and administrators have access to the key required to decrypt the secure user data. See more information on security used for this.

Installation Instructions

  1. Install a fresh copy of macOS.
  2. At the desktop, install XCreds.
  3. Install the configuration profile and approve it in System Settings.
  4. Plug in the CCID reader and approve access to the accessory. Allowing accessory access can also be set in System Settings or via MDM.

More information on RFID setup is available in the XCreds command line interface guide.

Creating RFID Users

Open Terminal and add RFID users by running the command below. Adjust fullname, username, password, and rfiduid as appropriate for each user. If an RFID UID is not recognized at the login window, it is written to the log in /tmp (see the Logging section).

sudo /Applications/XCreds.app/Contents/MacOS/XCreds set-rfid-user --fullname "Timothy Perfitt" --username "tperfitt" --password "twocanoes" --rfiduid "048d77c2cb7a80"

Repeat this command for any additional users and the associated RFID cards that will be used to log in. Run /Applications/XCreds.app/Contents/MacOS/XCreds -h to see the options for importing a list of users and managing the user database.

There is also an option to import a list of users in a CSV file, and to view or remove RFID user records previously added to XCreds. See more information in the XCreds command line interface guide.
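
A pre-flight check for an enrollment list, to run before repeating set-rfid-user for each entry (an added example, not part of XCreds or its documentation). It flags malformed UIDs and any card assigned to more than one account. The two-column username,rfiduid list is a constructed format for this example, not the XCreds CSV import format, and normalizing to lowercase hex is an assumption based on the form shown in the command above.

```shell
#!/usr/bin/env bash
# Pre-flight check of an RFID enrollment list before running set-rfid-user.
# Input format is constructed for this example: one "username,rfiduid" per line.

# Print the UID as lowercase hex without separators (the form used in the
# page's example command). Return 1 unless it is an even-length hex string.
normalize_uid() {
  local uid
  uid=$(printf '%s' "$1" | tr -d ' :-' | tr 'A-F' 'a-f')
  case "$uid" in
    '' | *[!0-9a-f]*) return 1 ;;
  esac
  [ $(( ${#uid} % 2 )) -eq 0 ] || return 1
  printf '%s\n' "$uid"
}

# Read the list on stdin and print one line per problem found.
# Return 0 only if every UID is well formed and maps to a single user.
check_enrollment() {
  local user raw uid seen="" rc=0
  while IFS=, read -r user raw; do
    [ -n "$user" ] || continue
    if ! uid=$(normalize_uid "$raw"); then
      echo "invalid uid for $user: $raw"
      rc=1
      continue
    fi
    case " $seen " in
      *" $uid "*) echo "duplicate uid $uid for $user"; rc=1 ;;
      *) seen="$seen $uid" ;;
    esac
  done
  return "$rc"
}

# Constructed sample: tperfitt's UID is the one from the page; the other users
# and UIDs are made up. asmith repeats jdoe's card and bwong's UID is not hex.
SAMPLE='tperfitt,048d77c2cb7a80
jdoe,04:A1:B2:C3:D4:E5:F6
asmith,04a1b2c3d4e5f6
bwong,04a1b2zz'

printf '%s\n' "$SAMPLE" | check_enrollment || echo "fix the list before enrolling"
```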

Testing

  1. Restart the Mac.
  2. At the login window, tap the RFID card to the RFID card reader.
  3. Once logged in, launch the XCreds app and set it to launch at login.
  4. Put the Mac to sleep or lock the screen, and the Mac should fast-user-switch back to the XCreds login window.
  5. Tap the RFID card to log back in to the account.

Important Configuration Profile Settings

  • shouldSuppressLocalPasswordPrompt:true. XCreds normally prompts for a local password. This is not needed and this key prevents it.
  • ccidSlotName: Feitian R502 Contactless Reader. This is the name of the reader. Since multiple readers or readers with multiple slots can be attached, the name of the reader must be specified. The name of the reader can be found in System Information under SmartCards in the top “Readers:” section. The name of any available readers is in the XCreds log as well (see the Logging section).
  • shouldSwitchToLoginWindowWhenLocked:true. This setting will make the Mac switch to the login window from the lock screen. The XCreds app must be running in userspace to activate the switching.

Logging

The example configuration profile sets up debug logging. The XCreds login window logs to /tmp/xcreds/xcreds.log. It is helpful to turn on Remote Login in System Settings->Sharing and ssh into the test Mac. Look at the log with tail -F /tmp/xcreds/xcreds.log to see live output. Otherwise, the log can be viewed after logging in. The log in /tmp is deleted on each reboot.

There is also a user log in ~/Library/Logs/xcreds.log.

