# Secure and Convenient Keychain Access with Touch ID

Source: Dev.to

## The Problem

When accessing passwords stored in the macOS Keychain from the terminal, you face a security vs. convenience dilemma:

```bash
security find-generic-password -a "user@example.com" -s "myapp" -w
```

macOS shows a dialog:

> “security” wants to use your confidential information stored in “myapp” in your keychain.
> [Deny] [Allow] [Always Allow]

### Option 1: Click “Allow” every time

- Requires typing your Mac password each time
- Secure but inconvenient

### Option 2: Click “Always Allow”

- Any script can now access this password without authentication
- Convenient but insecure
## The Solution: Touch ID Authentication
I created keychain-fingerprint, a CLI tool that uses Touch ID for Keychain access.
### Benefits
| Aspect | Traditional (security) | keychain-fingerprint |
|---|---|---|
| Authentication | Mac password (slow) | Touch ID (instant) |
| Security | “Always Allow” = insecure | Always requires Touch ID |
| Convenience | Type password or allow all | One touch |
## How It Works

```text
┌─────────────────────────────────────────┐
│ keychain-fingerprint                    │
├─────────────────────────────────────────┤
│ 1. Touch ID authentication              │
│ 2. Access Keychain (auto-authorized)    │
└─────────────────────────────────────────┘

┌─────────────────────────────────────────┐
│ Other apps / terminal                   │
├─────────────────────────────────────────┤
│ Keychain access → Mac password prompt   │
└─────────────────────────────────────────┘
```

- This app: can access items it created after Touch ID succeeds (the Keychain step is auto‑authorized because the item's ACL trusts the creating binary).
- Other apps: still require the Mac password to access those items.
## Installation

```bash
# Clone
git clone https://github.com/dss99911/keychain-fingerprint.git
cd keychain-fingerprint

# Compile
swiftc -o keychain-fingerprint main.swift \
  -framework LocalAuthentication \
  -framework Security

# Install (optional)
sudo cp keychain-fingerprint /usr/local/bin/
```
## Usage

### Save a password

```bash
keychain-fingerprint set myapp user@example.com
# Touch ID prompt → Enter password (hidden)
```

### Retrieve a password

```bash
# Direct output
keychain-fingerprint get myapp user@example.com

# Recommended: capture in a variable
PASSWORD=$(keychain-fingerprint get myapp user@example.com)
echo "Password retrieved"
unset PASSWORD # Clear when done
```

### List saved items

```bash
keychain-fingerprint list
```

### Delete a password

```bash
keychain-fingerprint delete myapp user@example.com
```
## Security Features

- All commands require Touch ID authentication.
- Passwords are stored encrypted in the macOS Keychain.
- Password input is hidden (no echo).
- Device‑only access (`kSecAttrAccessibleWhenUnlockedThisDeviceOnly`).
- Other apps still require the Mac password.
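To make the two-step flow in the diagram concrete (Touch ID first, Keychain second, and no Keychain call at all if Touch ID fails), here is a compact Swift `main.swift` that implements `set`, `get` and `delete` with the same frameworks the Installation section compiles against. This is an added example written for this article, not the code of dss99911/keychain-fingerprint; the function names (`gateWithTouchID`, `savePassword`, `readPassword`, `deletePassword`), the error type and the usage string are my own choices.

```swift
import Foundation
import LocalAuthentication
import Security

// Added example for this article; not the code of dss99911/keychain-fingerprint.
// Function names and the ToolError type are illustrative assumptions.

enum ToolError: Error {
    case biometricsUnavailable(String)
    case authenticationFailed(String)
    case keychain(OSStatus)
    case notFound
}

/// Require a successful Touch ID (biometrics-only policy) evaluation before any
/// Keychain call. Throwing here means the caller never reaches SecItem*: fail closed.
func gateWithTouchID(reason: String) throws {
    let context = LAContext()
    var probeError: NSError?
    guard context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &probeError) else {
        throw ToolError.biometricsUnavailable(probeError?.localizedDescription ?? "Touch ID not available")
    }
    let done = DispatchSemaphore(value: 0)
    var outcome: Result<Void, ToolError> = .failure(.authenticationFailed("no reply"))
    context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, localizedReason: reason) { ok, err in
        outcome = ok ? .success(()) : .failure(.authenticationFailed(err?.localizedDescription ?? "denied"))
        done.signal()
    }
    done.wait()   // a CLI has no run loop, so block until the reply arrives
    try outcome.get()
}

/// Attributes that identify one generic-password item (service + account).
private func baseQuery(service: String, account: String) -> [String: Any] {
    return [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
}

/// Store a password. Any existing item is removed first so SecItemAdd cannot
/// fail with errSecDuplicateItem; the accessibility attribute is set as the article states.
func savePassword(service: String, account: String, password: String) throws {
    try gateWithTouchID(reason: "save the password for \(account)")
    var attrs = baseQuery(service: service, account: account)
    attrs[kSecValueData as String] = Data(password.utf8)
    attrs[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    SecItemDelete(baseQuery(service: service, account: account) as CFDictionary)
    let status = SecItemAdd(attrs as CFDictionary, nil)
    guard status == errSecSuccess else { throw ToolError.keychain(status) }
}

/// Read a password back. The item was created by this binary, so its Keychain
/// ACL trusts us and no Mac-password dialog appears after Touch ID.
func readPassword(service: String, account: String) throws -> String {
    try gateWithTouchID(reason: "read the password for \(account)")
    var query = baseQuery(service: service, account: account)
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    if status == errSecItemNotFound { throw ToolError.notFound }
    guard status == errSecSuccess, let data = item as? Data,
          let text = String(data: data, encoding: .utf8) else { throw ToolError.keychain(status) }
    return text
}

func deletePassword(service: String, account: String) throws {
    try gateWithTouchID(reason: "delete the password for \(account)")
    let status = SecItemDelete(baseQuery(service: service, account: account) as CFDictionary)
    guard status == errSecSuccess || status == errSecItemNotFound else { throw ToolError.keychain(status) }
}

// Minimal driver: <binary> set|get|delete <service> <account>
let argv = CommandLine.arguments
guard argv.count == 4 else {
    FileHandle.standardError.write(Data("usage: \(argv[0]) set|get|delete <service> <account>\n".utf8))
    exit(2)
}
do {
    switch argv[1] {
    case "set":
        // getpass(3) disables terminal echo, so the secret is neither shown nor left in shell history.
        let entered = String(cString: getpass("Password: "))
        try savePassword(service: argv[2], account: argv[3], password: entered)
    case "get":
        print(try readPassword(service: argv[2], account: argv[3]))
    case "delete":
        try deletePassword(service: argv[2], account: argv[3])
    default:
        exit(2)
    }
} catch {
    FileHandle.standardError.write(Data("error: \(error)\n".utf8))
    exit(1)
}
```

Compile it with the same `swiftc ... -framework LocalAuthentication -framework Security` line from the Installation section. Two points worth checking on your own machine: the policy used is `.deviceOwnerAuthenticationWithBiometrics`, which does not fall back to the account password, so a cancelled or failed Touch ID exits non-zero and leaves the Keychain untouched; and Apple's documentation states that on macOS `kSecAttrAccessible` applies to items in the data protection keychain, so for an item in the classic login keychain the isolation the diagram describes comes from the item's ACL, which trusts the creating binary and prompts everything else. Because that ACL is tied to the binary's code identity, expect one Mac-password prompt after you recompile.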
## Requirements

- macOS with Touch ID (MacBook Pro/Air with Touch ID, or Apple Silicon Mac with Magic Keyboard with Touch ID).
- Xcode Command Line Tools.

## Source Code

Full source code is available on GitHub: [dss99911/keychain-fingerprint](https://github.com/dss99911/keychain-fingerprint)

## Related

For an alternative approach using root permissions instead of Touch ID, see: How to always allow Mac keychain password only by specific app