Use your phone's fingerprint to authenticate on any Mac.
sudo, screensaver, App Store — no $199 Magic Keyboard required.
Works with iPhone · Android · Apple Watch · Wear OS · Any browser
Apple charges extra for Touch ID on every Mac that has it.
Mac Mini, Mac Studio, Mac Pro — no fingerprint sensor at all. The MacBook Neo — Apple's newest MacBook — ships without Touch ID on the base model (pay $100 more for the version that adds it back). iMac? Touch ID only if you pay for the upgraded keyboard.
Every time you run sudo, install an app, or unlock your screen — you type your password. Over and over. All day.
Apple's fix? Pay more. $100 extra for the MacBook Neo with Touch ID. $199+ for a Magic Keyboard with Touch ID. Or upgrade to the pricier iMac keyboard variant. Every time, Apple charges a premium for a fingerprint sensor that your phone already has.
TouchBridge fixes this — for free. Use the fingerprint or face sensor already in your pocket. iPhone, Android, Apple Watch, or any phone with a browser. No extra hardware. No premium upgrade. No cloud. No subscription.
$ sudo echo hello
→ Phone buzzes
→ Touch fingerprint (or tap Watch, or tap browser)
→ ✓ Authenticated
No phone needed. Test the full sudo flow right now:

```bash
brew tap HMAKT99/touchbridge
brew install --cask touchbridge
```

```bash
git clone https://github.com/HMAKT99/UnTouchID.git
cd UnTouchID
cd daemon && swift build -c release && cd ..
make -C pam
sudo bash scripts/install.sh
```

```bash
# Terminal 1 — start daemon in simulator mode
touchbridged serve --simulator

# Terminal 2 — test sudo
sudo echo 'It works!'
# → TouchBridge: check your phone or watch...
# → TouchBridge: ✓ authenticated
# → It works!
```

That's it. Undo anytime with `sudo bash scripts/uninstall.sh`.
| Device | How | Auth Method | App Required? |
|---|---|---|---|
| iPhone | BLE → Face ID / Touch ID | Secure Enclave signing | iOS app |
| Android phone | BLE → Fingerprint / Face | Keystore (StrongBox/TEE) | Android app |
| Apple Watch | iPhone relay → Tap to approve | iPhone Secure Enclave | watchOS app |
| Wear OS watch | Phone relay → Tap to approve | Phone Keystore | Wear OS app |
| Any phone/laptop | Open URL → Tap Approve | One-time token | No — just a browser |
| No device | Simulator → Auto-approve | Software keys | No |
Security note: BLE modes (iPhone, Android, Watch) use encrypted Bluetooth with ECDH session keys and AES-256-GCM — no Wi-Fi or network involved. The web companion uses HTTP on your local network and is meant for testing and convenience only — not recommended for public/untrusted networks.
Option A — iPhone (Face ID) — recommended for security:
Open companion/TouchBridge.xcodeproj in Xcode → Build → Run on iPhone → Pair
Uses encrypted BLE + Secure Enclave signing. No network involved.
Option B — Android (Fingerprint):
Open companion-android/ in Android Studio → Build → Install → Pair
Uses encrypted BLE + Keystore (StrongBox/TEE) signing. No network involved.
Option C — Apple Watch (Tap):
Build the watchOS target from companion/TouchBridge.xcodeproj
Challenges relay from iPhone → Watch → tap Approve
Option D — Wear OS (Tap):
Open companion-android/wear/ in Android Studio → Build → Install on watch
Challenges relay from Android phone → Watch → tap Approve
Option E — Any phone, no app install (convenience/testing only):
```bash
touchbridged serve --web
sudo echo test
# → Terminal shows a URL → open on any phone → tap Approve
```

```
┌──────────────┐         BLE / Wi-Fi          ┌──────────────┐
│              │ ──── challenge (nonce) ───→  │              │
│   Your Mac   │                              │  Your Phone  │
│              │ ←── signed response ──────   │   or Watch   │
│   (daemon)   │                              │  or Browser  │
│              │    ECDSA P-256 signature     │              │
└──────────────┘       verified on Mac        └──────────────┘
       ↑
       │ Unix socket
┌──────────────┐
│  sudo / PAM  │
└──────────────┘
```
- You run `sudo` → PAM loads `pam_touchbridge.so`
- PAM module connects to daemon via Unix socket
- Daemon sends 32-byte random nonce to your device
- Device prompts biometric (Face ID / fingerprint / tap)
- Device's secure hardware signs the nonce (private key never leaves chip)
- Daemon verifies signature → `sudo` proceeds
- If device is unreachable → falls through to normal password prompt
| Action | Status | Notes |
|---|---|---|
| sudo commands | ✅ Verified | PAM module — tested on real hardware |
| Screensaver unlock | ✅ Ready | PAM module |
| App Store purchases | 🔧 Planned | Authorization Plugin (code written) |
| System Settings auth | 🔧 Planned | Authorization Plugin |
| WebAuthn / Passkeys | ✅ Ready | Browser extension |
| Lock when phone walks away | ✅ Ready | --auto-lock flag |
| Audit log | ✅ Ready | touchbridge-test logs |
| Per-action policy | ✅ Ready | touchbridge-test config |
| Limitation | Why |
|---|---|
| Apple Pay | Dedicated hardware — impossible |
| FileVault unlock | Before macOS boots — no daemon |
| Login screen | Daemon starts after login |
| Keychain biometric items | Hardware crypto wall — impossible |
| 1Password/Bitwarden biometric | SIP sandbox — can't intercept |
Apple's built-in Passkeys already use Face ID on your iPhone to log into websites. So why TouchBridge?
Passkeys replace your website passwords. TouchBridge replaces your Mac password.
| | Apple Passkeys (built-in) | TouchBridge |
|---|---|---|
| What it does | Log into websites (Gmail, GitHub, etc.) | Authenticate on macOS (sudo, screensaver, App Store) |
| Where it works | Safari/Chrome — websites that support Passkeys | Terminal, lock screen, system dialogs, any sudo command |
| Can it do sudo? | ❌ No | ✅ Yes |
| Can it unlock screensaver? | ❌ No | ✅ Yes |
| Can it do App Store? | ❌ No | ✅ Yes |
| Can it do website login? | ✅ Yes | Passkeys only (via browser extension) |
| How it connects | Scan QR code each time | Auto-connects via BLE (pair once) |
| Android support | ❌ No | ✅ Yes |
| Works offline | ❌ Needs website | ✅ Local BLE |
They're complementary — you'd use both. Passkeys for the web. TouchBridge for your Mac.
| | TouchBridge | Magic Keyboard | Apple Watch | YubiKey Bio | Duo Security |
|---|---|---|---|---|---|
| Price | Free | $199-$299 | $249+ | $80+ | $3-9/user/mo |
| sudo | ✅ | ✅ | ❌ | ✅ | ✅ |
| Biometric | ✅ Face ID/FP | ✅ Fingerprint | ❌ Wrist only | ✅ Fingerprint | ❌ Tap only |
| Wireless | ✅ BLE | ❌ Wired only | ✅ | ❌ USB | ✅ Cloud |
| Works at coffee shop | ✅ | ❌ | Sleep only | ✅ | ✅ |
| Android support | ✅ | ❌ | ❌ | ❌ | ✅ |
| No extra hardware | ✅ Use your phone | ❌ $199 keyboard | ❌ $249 watch | ❌ $80 key | ✅ |
| No cloud/internet | ✅ Local BLE | ✅ | ✅ | ✅ | ❌ Cloud required |
| Open source | ✅ | ❌ | ❌ | ❌ | ❌ |
| Auto-lock on walk away | ✅ | ❌ | ❌ | ❌ | ❌ |
| Audit log | ✅ | ❌ | ❌ | ❌ | ✅ |
For MacBook Neo users: Magic Keyboard is not portable. YubiKey is another thing to carry. Apple Watch can't do sudo. Duo needs internet. TouchBridge uses the phone already in your pocket.
| Mode | Command | Use case |
|---|---|---|
| Production | `touchbridged serve` | iPhone/Android via BLE |
| Web | `touchbridged serve --web` | Any phone via browser |
| Simulator | `touchbridged serve --simulator` | Testing, CI, demos |
| Interactive | `touchbridged serve --interactive` | Terminal approve/deny |
| Auto-lock | `touchbridged serve --auto-lock` | Lock when phone leaves |

Flags can be combined: `touchbridged serve --web --auto-lock`

```bash
touchbridge-test config show    # view policy
touchbridge-test config set --surface sudo --mode biometric_required
touchbridge-test config set --surface screensaver --mode proximity_session --ttl 30
touchbridge-test config reset   # restore defaults
```

```bash
touchbridge-test logs               # recent auth events
touchbridge-test logs --summary     # analytics dashboard
touchbridge-test logs --failures    # failed attempts only
touchbridge-test logs --export csv  # export for security review
```

Any Mac running macOS 13+ (Ventura or later):
| Mac | Why you need TouchBridge |
|---|---|
| MacBook Neo (base model) | No Touch ID — pay $100 more for the version that has it |
| Mac Mini M1/M2/M3/M4 | No Touch ID — desktop, no keyboard sensor |
| Mac Studio M1/M2/M4 | No Touch ID — pro desktop |
| Mac Pro M2/M4 Ultra | No Touch ID — workstation |
| iMac (base keyboard) | No Touch ID unless you buy the $199 keyboard |
| Any MacBook with broken sensor | Sensor failure — repair costs $300+ |
| Intel Macs with T2 (2018-2020) | Works with Secure Enclave on Mac side |
Apple launched the MacBook Neo — their newest MacBook. The base model ships without Touch ID. Want it? Pay $100 more for the higher-end version. Same pattern as always — Apple charges extra for biometric auth.
Millions of base-model MacBook Neo users now have no fingerprint sensor. They can't carry a Magic Keyboard to a coffee shop. Apple Watch only handles sleep/wake. TouchBridge is the answer — your phone is already in your pocket. For free.
Private keys never leave Secure Enclave (iPhone) / StrongBox (Android). 32-byte nonces, 10s expiry, replay protection, AES-256-GCM encrypted BLE. Full threat model: SECURITY.md
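The challenge-response steps and the nonce rules summarized above (32-byte nonce, 10 s expiry, replay protection, ECDSA P-256 verification on the Mac) are shown here as an added Go example; it is not TouchBridge's own code. `Pending`, `Issue`, `Check`, `Sign` and `demoKey` are hypothetical names, the software key is constructed for the demo, and hashing the nonce with SHA-256 before signing is an assumption.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"time"
)

const nonceTTL = 10 * time.Second                                // expiry window stated on the page
var demoKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed software key

// Pending is hypothetical daemon state: outstanding nonce -> time issued.
type Pending map[[32]byte]time.Time

// Issue records and returns a fresh 32-byte random nonce.
func (p Pending) Issue(now time.Time) (n [32]byte, err error) {
	if _, err = rand.Read(n[:]); err == nil {
		p[n] = now
	}
	return n, err
}

// Check consumes the nonce first (no replay), then tests expiry and signature.
func (p Pending) Check(pub *ecdsa.PublicKey, n [32]byte, sig []byte, now time.Time) error {
	issued, ok := p[n]
	delete(p, n)
	if !ok || now.Sub(issued) > nonceTTL {
		return fmt.Errorf("nonce unknown, already used or expired")
	}
	if d := sha256.Sum256(n[:]); !ecdsa.VerifyASN1(pub, d[:], sig) {
		return fmt.Errorf("signature does not match paired key")
	}
	return nil
}

// Sign plays the device side: it signs SHA-256(nonce) with its private key.
func Sign(k *ecdsa.PrivateKey, n [32]byte) ([]byte, error) {
	d := sha256.Sum256(n[:])
	return ecdsa.SignASN1(rand.Reader, k, d[:])
}

func main() {
	p, pub := Pending{}, &demoKey.PublicKey
	n, _ := p.Issue(time.Now())
	sig, _ := Sign(demoKey, n)
	fmt.Println(p.Check(pub, n, sig, time.Now()), "|", p.Check(pub, n, sig, time.Now()))
}
```

Because the nonce is deleted on every attempt, a failed or late response also burns the challenge, and the caller would then fall back to the normal password prompt.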
| Component | Language |
|---|---|
| `touchbridged` | Swift |
| `pam_touchbridge.so` | C (arm64 + x86_64) |
| iOS + watchOS app | Swift / SwiftUI |
| Android + Wear OS app | Kotlin / Compose |
| Web companion | Built into daemon |
| `touchbridge-test` | Swift CLI |
91 tests — crypto, socket server, PAM integration, E2E pipeline.
```bash
sudo bash scripts/uninstall.sh
```

CONTRIBUTING.md — PRs welcome.
Apple ships Macs without Touch ID and charges $199 for the fix. The Apple Watch can only unlock from sleep. Duo requires cloud servers and enterprise pricing. YubiKey Bio costs $80 and is another thing to lose.
TouchBridge is the missing piece: use the biometric sensor you already carry — your phone — to authenticate on your Mac. Local, private, free, open source.
When the MacBook Neo ships without Touch ID, this is what people will need.
Stop typing your password. Use your fingerprint.



