
smileman

macrumors regular
Original poster
I would like to setup a 2FA prompt for every time I startup my iMac, which is in a shared workspace. This would prevent someone who has my password from starting-up my iMac, decrypting FileVault, and logging in to my machine.

I'm surprised at how hard it is to find a 2FA login solution. Does macOS prevent the use of 2FA after startup because only a password can be used to decrypt FileVault?

I prefer to shut down my machine when I leave the office so that my hard drive is encrypted, so just leaving it running at the login prompt is not a good solution for me.

My preferred solution would be to add a 2FA code to my Google Authenticator app on my iPhone. I did discover something called SAASPASS that looks like it may offer what I am looking for? Is a Yubikey an option? Pros/cons of different solutions?

I'm surprised 2FA for FileVault isn't an option that's already baked into macOS given Apple's growing security orientation, or more widely requested. Any thoughts on why?

I'm willing to pay a modest sum for this security, but free would be preferable.

Thanks.

smileman

macrumors regular
Original poster
https://www.yubico.com/2016/09/yubikey-smart-card-support-for-macos-sierra-2/

Yeah... I think Yubikey is going to be your best option. Because of the way the boot process works under FileVault, I don't see how any software solution could possibly work.

Here is an interesting read on how to disable YubiKey as a second factor on a Mac:

https://vcsjones.com/2016/01/21/regaining-access-to-os-x-after-a-lost-yubikey/

If someone knows this trick and they have your login password then the YubiKey is worthless? Or am I missing something?
cynics

macrumors G4
Maybe change the password daily/weekly/monthly or whatever is an option?

If you tell Siri "Wolfram password" you'll get a random password. Screen shot it, then change it using the screen shot (so you know you have it saved).

This is a difficult problem for 3rd party apps to handle with the drive encrypted. This is a fairly rare topic though, if I feel my password is compromised I just change it and try to prevent it from happening again.

If spying is an issue I recommend a password that is very long (31 characters is probably the max, it is with iCloud anyway) and make it something strange that you can type lightning fast. That way it's too complex for someone looking over your shoulder. I have a desk with a slide out keyboard, I would keep it slid in while entering my password so my hands and keyboard were completely hidden.
chown33

Moderator
Staff member
Here is an interesting read on how to disable YubiKey as a second factor on a Mac:

https://vcsjones.com/2016/01/21/regaining-access-to-os-x-after-a-lost-yubikey/

If someone knows this trick and they have your login password then the YubiKey is worthless? Or am I missing something?
Setting a firmware password would prevent booting into Recovery mode (sans password).
https://support.apple.com/en-us/HT204455

There's a bypass for older Macs.

Search terms:
mac firmware password
mac firmware password bypass

dyn

macrumors 68030
If someone knows this trick and they have your login password then the YubiKey is worthless? Or am I missing something?
If this trick works on your machine then you have bigger issues. It means you don't have an encrypted disk and thus anything that you use as a second factor is completely worthless. The attacker can simply use recovery mode to read the entire contents and copy data off of it. The way to prevent this is by enabling FileVault which will encrypt the entire disk. The attacker would then also need to have the password in order to decrypt the disk first.

Mind you, the FileVault password is the same as your user account! These are 2 similar things; in reality it is something like a single sign on function where it will first use the password to unlock the FileVault disk and then send it to log into your user account. If you set the option to destroy the FileVault key in memory after being in standby for x minutes you will need to enter your password twice: 1 for FileVault unlock and 1 for login.
There is a way of doing this differently by setting up a separate user that is only allowed to unlock the FileVault disk. Your own user account would not have these rights but will have the right to log into the machine (which the other account obviously doesn't have if you are doing it right). This way you have separation of the FileVault password and user account password.

It is also a very good idea to set a firmware password (which also needs to be different from the FileVault/user account). Whenever you need to boot off of something it will require entering this password (there are exceptions such as nvram and smc reset which are simply not allowed; you need to unset the firmware password for those, you can set it back after you're done).

The YubiKey will always be tied to your user account and not to FileVault or the firmware password. The link given by @Weaselboy is not the right link for what you're after. That link only describes the use of the YubiKey as a smartcard which allows you to login with a PIN instead of a password. It will NOT require the YubiKey to be present at login or when unlocking the Mac. For that you need to follow the guide mentioned here (which you can combine with the one for the smartcard): https://www.yubico.com/support/knowledge-base/categories/articles/yubikey-mac-os-x-login-guide/
Make very sure you have the YubiKey added to your user account! If not then you will not be able to log in again and you need to follow the aforementioned trick in order to disable it.
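The two checks that matter for the setup dyn and chown33 describe (a separate FileVault-unlock-only account so the login password alone no longer decrypts the disk, plus a firmware password so Recovery mode cannot be used to strip the YubiKey requirement) can be audited from the command line. The script below is an added example written for this thread, not code posted by any participant or by Apple/Yubico. It parses the output format of `sudo fdesetup list` (one `username,UUID` line per FileVault-enabled account) and `sudo firmwarepasswd -check` (`Password Enabled: Yes|No`); the account names `smileman` (the OP) and `fvunlock` (a hypothetical unlock-only account) and the UUIDs are constructed sample data so the script runs offline on any POSIX shell.

```shell
#!/bin/sh
# Added example: audit FileVault user separation and firmware-password state.
# Constructed inputs stand in for the live output of these macOS commands:
#   sudo fdesetup list             -> "username,UUID" per FileVault-enabled user
#   sudo firmwarepasswd -check     -> "Password Enabled: Yes" or "... No"
# To actually apply the separation dyn describes you would run (on the Mac):
#   sudo fdesetup add -usertoadd fvunlock   # unlock-only account (hypothetical name)
#   sudo fdesetup remove -user smileman     # login account can no longer unlock the disk
#   sudo firmwarepasswd -setpasswd          # block Recovery/alternate boot without a password

# fv_enabled_users FDE_LIST: print the usernames that can unlock FileVault.
fv_enabled_users() {
    printf '%s\n' "$1" | awk -F, 'NF >= 2 && $1 != "" { print $1 }'
}

# check_fv_separation FDE_LIST LOGIN_USER UNLOCK_USER
# Echoes "ok" only when UNLOCK_USER is the sole FileVault-enabled account
# and LOGIN_USER (the one the YubiKey protects) cannot unlock the disk.
check_fv_separation() {
    _list=$1; _login=$2; _unlock=$3
    _login_enabled=0; _unlock_enabled=0; _extra=""
    for _u in $(fv_enabled_users "$_list"); do
        if [ "$_u" = "$_login" ]; then
            _login_enabled=1
        elif [ "$_u" = "$_unlock" ]; then
            _unlock_enabled=1
        else
            _extra="$_extra $_u"
        fi
    done
    if [ "$_login_enabled" -eq 1 ]; then
        echo "FAIL: login user $_login can unlock FileVault; its password alone still decrypts the disk"
        return 1
    fi
    if [ "$_unlock_enabled" -eq 0 ]; then
        echo "FAIL: unlock user $_unlock is not FileVault-enabled; nobody could unlock the disk"
        return 1
    fi
    if [ -n "$_extra" ]; then
        echo "WARN: other FileVault-enabled users:$_extra"
        return 1
    fi
    echo ok
}

# firmware_password_enabled CHECK_OUTPUT: "yes" or "no" from firmwarepasswd -check output.
firmware_password_enabled() {
    case $1 in
        *"Password Enabled: Yes"*) echo yes ;;
        *) echo no ;;
    esac
}

# Constructed sample data (not real output from anyone's machine).
SAMPLE_BAD="smileman,11111111-2222-3333-4444-555555555555"
SAMPLE_GOOD="fvunlock,AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE"
SAMPLE_FW_OFF="Password Enabled: No"

check_fv_separation "$SAMPLE_BAD" smileman fvunlock || :
check_fv_separation "$SAMPLE_GOOD" smileman fvunlock || :
echo "firmware password enabled: $(firmware_password_enabled "$SAMPLE_FW_OFF")"
```

On a real machine replace the sample strings with `"$(sudo fdesetup list)"` and `"$(sudo firmwarepasswd -check)"`. The first check is the one dyn's lockout warning is about: if the unlock-only account is missing from `fdesetup list`, do not remove the login account from FileVault, or the disk will not be unlockable at the next boot.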