
jk73

macrumors 65816
Original poster
Jul 19, 2012
1,316
1,284
Maybe I'm still following outdated advice, but I always use a non-admin account as my main MBP user account and then have a separate administrator account that's only used for admin purposes — installing apps or updates, changing various preferences, etc.

Obviously, this requires typing in my admin name and password each time an admin account needs to approve something, which, admittedly, isn't all that often.

The new MBPs with Touch Bar seemingly could cut down on the typing, since an admin account could (theoretically) authenticate via Touch ID rather than by typing in the admin name and password. However, after a day with my new 2016 MBP, I see this isn't the case — if an admin needs to approve something, the only option is to type in the admin name and password; Touch ID can't be used, even if the admin's fingerprint has been registered. (The Touch Bar shows "Change user"; nothing happens if one tries to authenticate via Touch ID.)

Does the Touch ID implementation/protocol only allow one user account's fingerprint to be active at a time, or is it possible that Apple will add Touch ID as an option for when an admin's credentials are needed? This seems like an obvious feature, so I'm not sure if it's a limitation of the protocol, or if it just hasn't made it into the OS yet, since only a very small percentage of Mac users have a Touch Bar right now. Thanks.
 

XSharp

macrumors member
Nov 24, 2016
34
7
I have an admin account that uses my index finger for TouchID and my regular user account that uses my middle finger. When logged into regular account and I need to authenticate as admin I just use my index finger. This generally works well for me.
 
  • Like
Reactions: Howard2k
Jul 4, 2015
4,487
2,551
Paris
Some older apps and utilities need to be updated to call up Touch ID.

There is always the risk that Simon Phoenix will chop off your hand and use it to log into your computer.
 

XSharp

macrumors member
Nov 24, 2016
34
7
Or secretly film you typing your password. Or put a knife to your throat and kindly request it. I'll keep my TouchID.

Regarding software needing updating, I think TouchID will become quite useful in the next year or two.

There is always the risk that Simon Phoenix will chop off your hand and use it to log into your computer.
 

jk73

macrumors 65816
Original poster
Jul 19, 2012
1,316
1,284
Thanks to all for the feedback.

I have an admin account that uses my index finger for TouchID and my regular user account that uses my middle finger. When logged into regular account and I need to authenticate as admin I just use my index finger. This generally works well for me.

Interesting. I used my index finger for both my main account and the admin account, but the few times I've needed an admin to authenticate something I've done in the OS, Touch ID hasn't been an option.

having 2 accounts for that purpose is pointless

Do you say this because of the low risk of Mac OS malware? I've been using a main account plus an admin account for years now; at one point here and elsewhere, it was considered a Mac OS best practice for people to maintain a separate admin account so that nothing vital could be installed, changed, etc., without explicit permission. Thanks.
 

xraydoc

Contributor
Oct 9, 2005
10,791
5,249
192.168.1.1
Thanks to all for the feedback.



Interesting. I used my index finger for both my main account and the admin account, but the few times I've needed an admin to authenticate something I've done in the OS, Touch ID hasn't been an option.



Do you say this because of the low risk of Mac OS malware? I've been using a main account plus an admin account for years now; at one point here and elsewhere, it was considered a Mac OS best practice for people to maintain a separate admin account so that nothing vital could be installed, changed, etc., without explicit permission. Thanks.
While still 'best practice', it's definitely on the conservative side. Better safe than sorry I suppose, but there will be some hassles to put up with. I think not having the admin fingerprint available at all times will be one of them.
 

jk73

macrumors 65816
Original poster
Jul 19, 2012
1,316
1,284
While still 'best practice', it's definitely on the conservative side. Better safe than sorry I suppose, but there will be some hassles to put up with. I think not having the admin fingerprint available at all times will be one of them.

OK. The bolded part goes back to my original question: Is there any (known) reason, from an OS or Touch ID security standpoint, an admin's Touch ID can't always be available when a non-admin user account is active? Whenever an admin dialogue box appears, it seems like the Touch ID should also become available, but maybe I'm missing something. One person above claims to be doing this already, but I haven't been able to replicate it myself. Thanks.
 

xraydoc

Contributor
Oct 9, 2005
10,791
5,249
192.168.1.1
OK. The bolded part goes back to my original question: Is there any (known) reason, from an OS or Touch ID security standpoint, an admin's Touch ID can't always be available when a non-admin user account is active? If the admin dialogue box appears, it seems like the Touch ID should also be available, but maybe I'm missing something. One person above claims to be doing this already, but I haven't been able to replicate it myself. Thanks.
I know that other users' fingerprints can be used to engage fast user switching, but I didn't see anywhere where one could be used to authenticate a session while a different one is logged in.

With that said, even with my admin account, I can't use my fingerprint to authenticate the password request when editing certain admin-protected system preferences. I presume this is either by Apple's design or that some areas of the OS haven't been TouchID optimized. So I don't think it's a problem specific to you.
 

jk73

macrumors 65816
Original poster
Jul 19, 2012
1,316
1,284
I know that other users' fingerprints can be used to engage fast user switching, but I didn't see anywhere where one could be used to authenticate a session while a different one is logged in.

The person who left comment #2 above seems to be saying he's able to do what I'd like to do — i.e., use Touch ID to authenticate as an admin while a non-admin user account is active.

With that said, even with my admin account, I can't use my fingerprint to authenticate the password request when editing certain admin-protected system preferences. I presume this is either by Apple's design or that some areas of the OS haven't been TouchID optimized. So I don't think it's a problem specific to you.

Given that only a tiny percentage of macOS users currently have a Touch Bar, I'm hoping the bolded part is the issue here. Thanks.
 

trifero

macrumors 68030
May 21, 2009
2,728
2,577
Maybe I'm still following outdated advice, but I always use a non-admin account as my main MBP user account and then have a separate administrator account that's only used for admin purposes — installing apps or updates, changing various preferences, etc.

Obviously, this requires typing in my admin name and password each time an admin account needs to approve something, which, admittedly, isn't all that often.

The new MBPs with Touch Bar seemingly could cut down on the typing, since an admin account could (theoretically) authenticate via Touch ID rather than by typing in the admin name and password. However, after a day with my new 2016 MBP, I see this isn't the case — if an admin needs to approve something, the only option is to type in the admin name and password; Touch ID can't be used, even if the admin's fingerprint has been registered. (The Touch Bar shows "Change user"; nothing happens if one tries to authenticate via Touch ID.)

Does the Touch ID implementation/protocol only allow one user account's fingerprint to be active at a time, or is it possible that Apple will add Touch ID as an option for when an admin's credentials are needed? This seems like an obvious feature, so I'm not sure if it's a limitation of the protocol, or if it just hasn't made it into the OS yet, since only a very small percentage of Mac users have a Touch Bar right now. Thanks.


I'm also so ****ing disappointed. In my usual use, I have to type the admin account and password many times a day.

Even, I use a clipboard manager and have habilitated the use in the password tab, so I can paste it.

Very disappointed.
 

Howard2k

macrumors 603
Mar 10, 2016
5,237
5,064
having 2 accounts for that purpose is pointless

Are you sure?

If the purpose of having two accounts is to try to limit the possibility of credential escalation by rogue software, given that the software runs in the context of the user, then isn't running a user account with limited access more secure than running a user account with admin privileges and allowing the rogue software to impersonate an admin vs a regular user?
 