
Secure login to macOS using certificate based MFA and Net iD Client

Tech

Simple and secure login to macOS

Net iD Client, used together with a smart card or a YubiKey containing a PKI certificate, is a secure and convenient way to log in to macOS 11 (Big Sur).

The guide below describes the steps needed to enable two-factor login to your Mac with a smart card or a YubiKey.

Essentially, what will be achieved is to replace this login with a smart card login:

[Screenshot: login before]   [Screenshot: login after]

2021-05-21

1. Preparations

1.1 Make sure all relevant root and intermediate certificates are installed

If you are not familiar with certificates and the application "Keychain Access", this step can be a bit tricky.

A short description:

  • If a certificate from EFOS is used, please add the corresponding root certificate and the IssuingCA certificate to "System" in the application "Keychain Access".
  • If a certificate from SITHS is used, please add the corresponding root certificate and the IssuingCA certificate to "System" in the application "Keychain Access".
  • If a certificate from your own CA is used, please add the corresponding root certificate and the IssuingCA certificate to "System" in the application "Keychain Access".

Make sure to open the root certificate and set "Trust" - "When using this certificate" to "Always Trust". After closing, the root certificate should be shown in white on a light-blue background.

Below is an example of how this can look:

[Screenshot: Keychain Access with the root certificate set to "Always Trust"]

1.2 Make sure a smart card or a YubiKey prepared with certificates is available

1.3 Install Net iD Client 1.0

Click "Install" and accept the license agreement.

Enter the credentials required.

Please wait for the installation to complete.

As a result, the Net iD icon is available on the Desktop.


The Net iD Client Graphical User Interface

In the example below the certificate bearer device is a YubiKey.

[Screenshot: Net iD Client user interface showing the YubiKey]

2. Use the pairing guide

2.1 Insert smart card or YubiKey.

The "SMARTCARD PAIRING" dialog at the top right of the screen should now be available.
Please click "Pair".

If there is more than one certificate to select from, select the one labeled "identification", NOT the one for "signing".

Enter the password associated with the Mac.

Enter the PIN code of the smart card or the YubiKey.

Finally, enter the password once again.
This is the password for the "login" keychain. Normally it is the same as the password used for the Mac.
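The following script is an added example and is not part of the Net iD Client product or this guide. It covers the two steps that are easiest to get wrong: section 1.1 (installing and trusting the root and IssuingCA certificates) and checking the result of section 2 (pairing). It assumes the root and IssuingCA certificates have been exported as PEM files, that OpenSSL is on PATH, and, on macOS, that the built-in `security` and `sc_auth` command-line tools are available. The chain check only trusts a file that is actually a CA certificate and verifies the full path from root to user certificate before anything is written to the System keychain; the `make_constructed_chain` function builds a throwaway root, issuing CA and user certificate so the checks can be exercised without a real card or CA.

```shell
#!/bin/sh
# Added example, not Net iD Client or SecMaker code.
# Assumes: root and issuing CA certificates as PEM files; openssl on PATH;
# on macOS, the built-in `security` and `sc_auth` tools (assumed available).

SYSTEM_KEYCHAIN=/Library/Keychains/System.keychain   # the "System" keychain of section 1.1

# True when the PEM file carries Basic Constraints CA:TRUE. Only a CA
# certificate belongs in the System keychain with "Always Trust"; a user
# (identification) certificate never does.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Validate the path root -> issuing CA -> user certificate before anything is
# trusted. A missing or wrong IssuingCA is the usual reason pairing fails later.
verify_chain() {
    root="$1"; issuing="$2"; user="$3"
    is_ca_cert "$root" && is_ca_cert "$issuing" || return 1
    openssl verify -CAfile "$root" -untrusted "$issuing" "$user" >/dev/null 2>&1
}

# Install the chain into the System keychain (macOS only). trustRoot is the
# command-line equivalent of "Always Trust" and is applied to the root only;
# the issuing CA is merely added, not marked trusted on its own.
install_chain() {
    root="$1"; issuing="$2"
    [ "$(uname)" = Darwin ] || { echo "install_chain: macOS only" >&2; return 1; }
    sudo security add-trusted-cert -d -r trustRoot -k "$SYSTEM_KEYCHAIN" "$root" || return 1
    sudo security add-certificates -k "$SYSTEM_KEYCHAIN" "$issuing"
}

# After section 2: list the identities macOS has paired for smart card login
# and show whether the pairing dialog is enabled (macOS only).
check_pairing() {
    [ "$(uname)" = Darwin ] || { echo "check_pairing: macOS only" >&2; return 1; }
    sc_auth identities
    sc_auth pairing_ui -s status
}

# Constructed test data: a root CA, an issuing CA and a user certificate in
# directory $1, so the checks above can be run without a card or a real CA.
make_constructed_chain() {
    d="$1"
    cat > "$d/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[user_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
    openssl req -x509 -config "$d/req.cnf" -extensions ca_ext -newkey rsa:2048 -nodes \
        -days 1 -subj '/CN=Constructed Root CA' \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes \
        -subj '/CN=Constructed Issuing CA' \
        -keyout "$d/issuing.key" -out "$d/issuing.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/issuing.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/req.cnf" -extensions ca_ext \
        -out "$d/issuing.pem" 2>/dev/null
    openssl req -new -config "$d/req.cnf" -newkey rsa:2048 -nodes \
        -subj '/CN=Constructed User' \
        -keyout "$d/user.key" -out "$d/user.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/user.csr" -CA "$d/issuing.pem" -CAkey "$d/issuing.key" \
        -CAcreateserial -extfile "$d/req.cnf" -extensions user_ext \
        -out "$d/user.pem" 2>/dev/null
}

# Usage on a Mac, with the real exported certificates:
#   verify_chain root.pem issuing.pem user.pem && install_chain root.pem issuing.pem
#   check_pairing      # after completing section 2
```

`verify_chain` fails if either file is not a CA certificate or if the user certificate does not chain to the root through the given issuing CA, which is exactly the situation section 1.1 is meant to prevent; `install_chain` only runs after that check passes. `check_pairing` confirms which identity ended up paired, so you can see that the "identification" certificate, not the "signing" one, was selected.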


Contact us

Do not hesitate to contact us so that we can tell you more about the solution.