Fingerprint unlock no longer works under Big Sur

[volcs0]

Macbook Pro 16" 2019

Since installing Big Sur, fingerprint unlock no longer works.

Here is what I tried:

1. Deleting and re-adding fingerprint
2. Resetting SMC
3. Creating a new user and adding my fingerprint

Nothing works - I just have to use my password every time.

Everything worked fine until Catalina. It has never worked under Big Sur.

Thanks for the advice.

 

[nokoutdoc]

Same problem. MBA 2018 13" retina. just upgraded to Big Sur and every time I open my Mac, it asks for password. No option for fingerprint. I checked preferences - they are unchanged - fingerprint to unlock is still opt-in.

Answer found on Apple forum (at least for MBA with T2 chip): reset SMC. press and hold power button for 10 seconds. wait 10 seconds. Restart.

 

[volcs0]

Be careful. This is what happened when I tried to fix it:
https://www.reddit.com/r/mac/comments/jye9c0
Anyway, it's fixed now... :/

 

[mj_]

Another prime example of why one should never simply run random commands found on the internet as root without questioning them and their author's authority on the subject.

xartutil is a utility to remove session seeds from the T2 chip that are used for disk decryption/encryption. It clearly says so if you run xartutil --help. Note the numerous references to disks:

MacBook-Air:~ root# xartutil --help
Usage: xartutil [--help] [--erase-all | --erase-disk $BSDNAME] [--list]

xART recovery utility

OPTIONS:
        --list                     List all the sessions xART is aware of
        --erase-all                Erase all xART seeds
        --erase-disk     <BSDName> Erase session seeds for given disk name
        --erase          <UUID>    (testing only) Erase a session referenced by a UUID

EXAMPLES:
        Remove session seeds of disk1
            xartutil --erase-disk disk1
        Remove all entries from the directory
            xartutil --erase-all
        (testing only) Remove session seeds for given session UUID
            xartutil --erase 1852831A-12AD-3298-929E-3F222FB09E54

MacBook-Air:~ root#

In addition, the diskutil manpage contains one reference to XART being Apple's hardware security mechanism. These two pieces of information combined with the knowledge of how disk encryption on T2-enabled Macs actually works (on T2-enabled Macs, all disks are always encrypted by default with keys stored in the secure enclave portion of the T2 chip; enabling FileVault2 does not encrypt the disk itself but merely the keys required for decryption, which is why enabling/disabling full disk encryption on T2-enabled Macs is instantaneous) gives you the answer you could have probably used about a month ago: xartutil --erase-all will erase all disk decryption keys from your T2 chip for good, rendering those disks effectively useless because they can no longer be decrypted. It's the digital equivalent of locking all your belongings in the world's most secure unpickable safe, then throwing the only key into hot lava and the magma-coated melted remains into the Mariana trench.

I realize it's too late now but I just wanted to give you an idea of what exactly happened to your data.

 

[rizzi97]

Hi volcs0 I am a new user to this forum.
I use the command "xartutil --erase-all." on my T2 Mac and then I can't use my data.
I restore my MacBook Pro by formatting the SSD but the fingerprint issue remain.
In the case the issue is that my Touch ID doesn't scan the finger.

 

[volcs0]

Another prime example of why one should never simply run random commands found on the internet as root without questioning them and their author's authority on the subject.

xartutil is a utility to remove session seeds from the T2 chip that are used for disk decryption/encryption. It clearly says so if you run xartutil --help. Note the numerous references to disks:

MacBook-Air:~ root# xartutil --help
Usage: xartutil [--help] [--erase-all | --erase-disk $BSDNAME] [--list]

xART recovery utility

OPTIONS:
        --list                     List all the sessions xART is aware of
        --erase-all                Erase all xART seeds
        --erase-disk     <BSDName> Erase session seeds for given disk name
        --erase          <UUID>    (testing only) Erase a session referenced by a UUID

EXAMPLES:
        Remove session seeds of disk1
            xartutil --erase-disk disk1
        Remove all entries from the directory
            xartutil --erase-all
        (testing only) Remove session seeds for given session UUID
            xartutil --erase 1852831A-12AD-3298-929E-3F222FB09E54

MacBook-Air:~ root#

In addition, the diskutil manpage contains one reference to XART being Apple's hardware security mechanism. These two pieces of information combined with the knowledge of how disk encryption on T2-enabled Macs actually works (on T2-enabled Macs, all disks are always encrypted by default with keys stored in the secure enclave portion of the T2 chip; enabling FileVault2 does not encrypt the disk itself but merely the keys required for decryption, which is why enabling/disabling full disk encryption on T2-enabled Macs is instantaneous) gives you the answer you could have probably used about a month ago: xartutil --erase-all will erase all disk decryption keys from your T2 chip for good, rendering those disks effectively useless because they can no longer be decrypted. It's the digital equivalent of locking all your belongings in the world's most secure unpickable safe, then throwing the only key into hot lava and the magma-coated melted remains into the Mariana trench.

I realize it's too late now but I just wanted to give you an idea of what exactly happened to your data.

Thanks mj_ for the explanation. Agree with everything - usually when I find multiple corroborating sites, I feel pretty good about a solution, but in this case, I had a fundamental ignorance of how the new macs implement encryption. Lesson learned.
(problem solved, however, arguably, the hard way)

 

[Cruz3LT]

I havne't had any issues with my MBP and it reading my fingerprint.

 

[fredophil]

Hello I am having the same issue: Fingerprint unlock of the macos does not work under big sur, used to work well up to catalina. I have a macbook pro 2019.

Note that fingerprint works for other stuff besides unlock (I forgot what exactly). I see same results as user volcs0
Interested to have a solution.