Ovid’s myths of macOS: password entry dialogs and the death of Semele

Last week, following my article on how to recognise genuine dialogs requesting password entry, our discussion raised issues as to how easy the current dialogs are to fake, and several suggested improvements that could be made. It later struck me how this aspect of the Trusted User Interface was anticipated two millennia ago by the Roman poet Ovid in his Metamorphoses. Bear with me as I explain the insight he provides.

One of the stranger myths told by Ovid is that of Jupiter, the senior of the Olympian gods, and Semele, one of his many lovers. In this case, for once, their relationship appears to have been more consensual than others, but as usual she became pregnant and Jupiter’s wife (and half-sister) Juno wanted a cruel revenge. She cast doubt in Semele’s mind that her lover really was the god, and convinced her that she had to challenge him to reveal himself in his full divine glory, to prove his identity.

The snag with this proposed revelation (and Juno’s sinister purpose) was that, as Jupiter was the god of thunderstorms, it required him to expose his lover to his thunderbolts, which would almost certainly kill her. But Semele wasn’t to be dissuaded, and the inevitable happened: although he brought only his weakest thunderbolts, she caught fire and died.

Peter Paul Rubens (1577–1640), The Death of Semele (c 1620), oil, Koninklijke Musea voor Schone Kunsten van België, Brussels. Wikimedia Commons.

This is shown in Peter Paul Rubens’ oil sketch of The Death of Semele from about 1620. She is already in obvious distress with lightning striking her hands, as Jupiter grasps a small bundle of thunderbolts in his right hand.

The outcome is one of the most bizarre of all Ovid’s myths, as Jupiter then performs a caesarian section on the dying Semele to extract the foetus, and sews that into his thigh so he can continue the pregnancy as surrogate. When born at term, the infant turned out to be the god Bacchus.

Proving that it’s macOS making a genuine request for a password is similar to the dilemma faced by Jupiter.


The current dialog used for genuine requests for the password for a keychain doesn’t look that hard to fake. Shouldn’t macOS use something that’s almost impossible instead?

You can apply the same argument to almost anything presented in a dialog: if macOS can create it, then a malware developer could forge it, whether it relies on composite icons, specific text content and layout, or even animations. To achieve something significantly more difficult, macOS would need to go beyond a mere dialog, perhaps to something like a shared secret: information that only you and macOS can know. One approach might be that used in two-factor authentication, where macOS might use a designated device to vouch for the authenticity of the password request.

Like Jupiter’s thunderbolts, that improvement in security would quickly prove catastrophic.

Instead of going for that revelation in full divine glory, macOS makes a working compromise. Looking at the password dialogs used by some of the more carefully crafted malware, the effort required to attempt close forgery of the standard macOS dialog is too great to make it worthwhile at present.

While Ovid anticipated this problem, he didn’t foresee its best solution with biometrics. On Macs with Touch ID support and an appropriate keyboard, in many cases (but not yet for keychain passwords) you may first see the prompt for biometric authentication using your fingerprint.


We do now have an alternative to the password dialog that macOS ensures no malicious software can forge, which doesn’t bring the dangers of Jupiter’s thunderbolts. Indeed, for those whose Macs support biometric authentication, it’s quicker and more convenient, as well as being far more secure. Perhaps a future version of macOS will go further in its use of Touch ID. Meanwhile, never forget the fate of Semele when implementing a Trusted User Interface.

I’m grateful to @_saagarjha for provoking this. For those interested in seeing more paintings of this myth, there will be a whole article devoted to it later this month.