I recently upgraded my 2 generation old Mac Book Pro to a new Retina Mac Book Pro and inadvertently found a way to increase security of the device. I thought it was originally a bug, but after discussing with several Apple Technicians, what I did, while inadvertently is by design. In essence, I added a secondary login screen to my Retina Mac Book Pro with each requiring a different set of credentials. But how did this happen and is it worth the extra layer of protection?
After receiving my new rMBP with 16GB of memory and a 768GB SSD, I thought about how I would move all my data from my older MBP with 8GB of memory, a 512GB internal SSD and 256GB external SSD. I had roughly 600GBs of data to move. Well Apple provides a very nice tool to migrate from one device to another and while I have upgraded devices in the past yet this was the first attempt at using it. With a little trepidation I began.
The rMBP booted fine and walked me through the steps, but when it got to the network was where I ran into the first problem. It could not find my wireless network, and this is normal as my office is quite a ways from wireless so I generally use a wired connection. Yet, the wired connection failed to work. This wired connection used the Apple Thunderbolt gigabit adapter and a cable that had worked in the past. Because of this I could not use the migrate feature until I first solved the networking issue. This meant I had to create a user on the rMBP that would allow me to solve the problem. The user I created was the same name I normally use on my devices.
After logging in, I discovered that the network was in 10MB half-duplex mode, and I just shook my head. I had seen this before with a modern Netgear gigabit switch and that problem was related to the cable, so I took out another cable from the cable box, plugged it in, and viola I have a gigabit full duplex connection.
Problem 1: Networking… Solved with replaced cable…
Next, I proceeded to migrate the user using the Apple Migration Assistant. I did not install anything else on the machine. However, since I was trying to migrate using the same username as I had previously created to fix the network issue, I was forced to use another username. And so the migration started and completed normally.
Now here is the funny thing that happened. I encrypted the volume as I normally do, then I logged out of the migration assistant user and in as my normal username. Everything worked as expected and all my data was there, so far so good. So I went in and deleted the migration assistant user. Eventually I rebooted the rMBP after I performed all upgrades (going to Mountain Lion is another post).
This is when I was faced with a new wrinkle in my migration. The username that appeared when I rebooted the rMBP was the migration user name. Once I typed in that password I was presented with a second login screen that represented the logins of my migrated system. This is when I started to be a bit concerned. While everything worked, I had two login screens, and while I am a security professional, I nor Apple have ever seen this before.
Problem 2: Login… Two Login Screens!
After calls with Apple that were not entirely fruitless, I let the problem percolate for a bit and moved on to other issues. This is when I realized what I had done. I had inadvertently created a not normal but fully supported secondary login to my rMBP. But how to get things back to normal. What did I do differently than I would not normally have done. My description above is missing some critical steps, so here they are:
- Create Migration User (I used the same password as my normal user)
- Fire up Migration Assistant and migrate old data to rMBP
- Encrypt the disk as the Migration User, which caused me to reboot a few times
- Login as the migration user
- Found I had to logout and log back in as my standard username (funny thing is that I received a different login screen but did not realize this)
- Deleted the migration user
- Setup Mail and other credentials for my normal users including licenses, etc.
- Updated MacOS on rMBP with latest patches
- Found I had two login screens
So the issue was that I encrypted the volume as ONE user and then as another administrative user deleted the user with which I previously encrypted the disk. You may notice if you use a remote monitor that the initial login screen for a MBP does not appear until after you have logged in to unlock the encrypted disk. This was the big clue and I was use to it as I did this for years. But that was the big clue. Since I used the same password as a matter of convenience I did not notice what was happening and thought there was a serious issue. There was not. I had discovered a way to encrypt the disk with a no longer registered but stored within the boot volume used to decrypt the disk. All in all a very cool way to add a bit more security to your MacBook Pro
Problem 2: Not a Problem but Opportunity, Some Extra Security
If you need slightly more security for your MacBook Pro this is one way to achieve it. Granted it is still something you know so would not qualify as a second factor, but if your passwords for the encrypted volume and normal users were significantly different, you may have something useful here. However, if the one a hacker discovered was the encrypted volume password all bets are off, access to the console gives access to everything. But if they hacked the wrong password, the data on your MBP would still be encrypted and the hacker would be on the wrong track. Perhaps we need to add another factor to decrypting the drive and that would complex things quite a bit.