---
title: "Announcing Touch ID for Santa"
description: "Santa now supports Touch ID verification before execution, so CEL rules can require a biometric check for sensitive operations like remote debugging."
doc_version: "1"
last_updated: "2026-05-22"
canonical: "https://northpole.security/blog/touchid-biometric-authorization"
---
Product • February 3, 2026 • By Pete Markowsky

![Announcing Touch ID for Santa](https://northpole.security/images/blog/touchid-biometric-authorization-hero.jpg)

Touch ID verification before execution is [now available for Workshop customers](https://northpole.security/blog/santa-20261)! This feature gives security teams a middle ground between blocking and allowing binaries by enforcing human verification.

![Santa Touch ID dialog](https://northpole.security/images/blog/touchid-biometric-authorization/touchid-dialog.png)

## The Problem with Binary Choices

Traditional binary authorization offers two binary choices (pun intended): allow or block. But some applications need a middle ground. You might want Chrome to run normally for browsing, but you might need to require explicit user confirmation when it launches with unsafe options, such as allowing remote debugging. Or maybe you want to add a human confirmation to production commands, like `kubectl exec`.

Chrome’s remote debugging opens a control channel that other processes can exploit. Malware and phishing attacks have used this technique to inject scripts into authenticated browser sessions. Blocking Chrome entirely would break normal workflows. Allowing it unconditionally leaves a security gap.

Touch ID is useful because it requires an *intentional, physical presence check* from a user with a registered fingerprint. Santa now uses that check as a gate before execution, so malware that relies on launching a binary silently is slowed down or stopped completely.

## How Touch ID Verification Works

Santa’s CEL policy engine [now supports](https://northpole.security/blog/santa-20261) `REQUIRE_TOUCHID` and `REQUIRE_TOUCHID_ONLY` return values. When a rule evaluates to `REQUIRE_TOUCHID`, Santa’s dialog appears as normal, but instead of an “Open” button it shows an “Approve” button; pressing it triggers a Touch ID authentication, and the binary continues execution only if that succeeds. When a rule evaluates to `REQUIRE_TOUCHID_ONLY`, Santa presents a Touch ID prompt instead of the usual block dialog. In both cases the binary runs only after the user confirms with their fingerprint.

A [CEL rule](https://northpole.dev/cookbook/cel/) can inspect execution context including command-line arguments, environment variables, and parent process information. This lets you build rules that require Touch ID only for specific usage patterns.

## Controlling AI Coding Agents

AI-assisted coding tools like Claude Code, Cursor, and Windsurf can execute code and interact with external systems. Many of these tools use browser automation via MCP servers like Playwright, which launches Chrome with the `--remote-debugging-port` flag.

A single Workshop rule can require Touch ID verification for this specific behavior:

```
args.exists(arg, arg.contains('--remote-debugging-port=')) ? REQUIRE_TOUCHID_ONLY : ALLOWLIST
```

This rule allows Chrome to run normally for everyday browsing. When any process launches Chrome with remote debugging enabled, the user must verify with Touch ID. The security team gains visibility and control without disrupting normal browser use.

![Chrome Touch ID rule in Workshop](https://northpole.security/images/blog/touchid-biometric-authorization/chrome-touchid-rule.png)

## Use Cases

Browser automation is a natural fit. Selenium, Puppeteer, Playwright, and similar tools launch browsers in debugging mode to control them programmatically. A Touch ID rule can require verification for these launches while letting normal browsing proceed uninterrupted.

Developer tools benefit from the same approach. You might want to gate specific compiler flags, build configurations, or deployment commands that touch production systems. The developer can still work, but sensitive operations require a fingerprint.

Internal tools and credential managers often need access control but not a full authentication ceremony. Touch ID verification provides a lightweight gate without forcing users through a separate login flow.

## Deploying Touch ID Rules

Touch ID rules require a [Workshop](https://northpole.security/) subscription and Santa 2026.1 or later. The feature works on any Mac with Touch ID hardware or an Apple Watch configured for authentication.

Rules are created in Workshop like any other CEL policy. Set the policy type to CEL and return `REQUIRE_TOUCHID_ONLY` for executions that should require verification. The custom message field lets you explain to users why verification is required.

![Workshop CEL rule configuration](https://northpole.security/images/blog/touchid-biometric-authorization/workshop-cel-rule.png)

You can also use the `require_touchid_with_cooldown_minutes(N)` rule, which requires Touch ID and then allows further executions within the next N minutes without another authentication, similar to `sudo`’s timestamp. The `require_touchid_only_with_cooldown_minutes(N)` rule does the same but skips the normal Santa dialog.
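To make the two mechanisms concrete, here is a small reference model of the decision flow, written for this post as an added example; it is not Santa’s code. It mirrors the Chrome rule shown above (`args.exists(arg, arg.contains('--remote-debugging-port='))`) as a Python predicate, then layers the sudo-style cooldown of `require_touchid_only_with_cooldown_minutes(N)` on top of it and records one audit event per gated execution. The class and function names, the choice to key the cooldown per binary, and the event field names are assumptions made for illustration; the decision names and the cooldown behaviour are the ones the post describes.

```python
# Added example (not Santa's code): a reference model of the decision flow in
# the post. It mirrors the CEL rule
#   args.exists(arg, arg.contains('--remote-debugging-port=')) ? REQUIRE_TOUCHID_ONLY : ALLOWLIST
# and the sudo-style cooldown of require_touchid_only_with_cooldown_minutes(N).
# Class/function names, the per-binary cooldown key and the event field names
# are assumptions; only the decision names and cooldown behaviour come from the post.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List

REQUIRE_TOUCHID_ONLY = "REQUIRE_TOUCHID_ONLY"
ALLOWLIST = "ALLOWLIST"


def chrome_remote_debugging_rule(args: List[str]) -> str:
    """Python equivalent of the CEL rule. CEL's contains() is a substring test,
    so the Touch ID branch fires wherever the marker appears in an argv element."""
    if any("--remote-debugging-port=" in arg for arg in args):
        return REQUIRE_TOUCHID_ONLY
    return ALLOWLIST


@dataclass
class TouchIdGate:
    """Models require_touchid_only_with_cooldown_minutes(N): after one successful
    Touch ID approval, further executions of the same binary within N minutes
    run without a new prompt (assumed to be keyed per binary, like sudo's
    per-user timestamp)."""
    cooldown_minutes: int
    prompt: Callable[[], bool]            # stands in for the Touch ID dialog
    _approved_until: Dict[str, datetime] = field(default_factory=dict)
    events: List[dict] = field(default_factory=list)

    def decide(self, binary: str, args: List[str], now: datetime) -> bool:
        """Return True if the execution may proceed; append an audit event when gated."""
        if chrome_remote_debugging_rule(args) == ALLOWLIST:
            return True                    # everyday browsing: no dialog at all
        until = self._approved_until.get(binary)
        if until is not None and now < until:
            self._log(binary, now, "cooldown", True)
            return True
        approved = self.prompt()           # the user places a finger on the sensor
        if approved:
            self._approved_until[binary] = now + timedelta(minutes=self.cooldown_minutes)
        self._log(binary, now, "touchid", approved)
        return approved

    def _log(self, binary: str, now: datetime, source: str, approved: bool) -> None:
        self.events.append({"binary": binary, "time": now.isoformat(),
                            "source": source, "approved": approved})


def run_scenario() -> List[dict]:
    """Constructed scenario: Chrome launched with remote debugging four times
    over 25 minutes under a 15-minute cooldown; the final launch is denied."""
    answers = iter([True, False])          # constructed Touch ID results
    gate = TouchIdGate(cooldown_minutes=15, prompt=lambda: next(answers))
    argv = ["Google Chrome", "--remote-debugging-port=9222"]  # constructed argv
    t0 = datetime(2026, 2, 3, 9, 0)        # constructed timestamp
    for minutes in (0, 5, 14, 25):
        gate.decide("com.google.Chrome", argv, t0 + timedelta(minutes=minutes))
    return gate.events


if __name__ == "__main__":
    for event in run_scenario():
        print(event)
```

Running the scenario produces four events: the first launch prompts and is approved, the launches at 5 and 14 minutes pass on the cooldown without a prompt, and the launch at 25 minutes prompts again and is denied, leaving no cooldown behind. Because `contains()` is a substring match, the predicate is easy to extend to other argument markers a team wants gated.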

Touch ID verification results are logged as events, giving your security team visibility into when users authorize sensitive operations.

## Getting Started

If you’re using Workshop and your hosts are running Santa version 2026.1 or later, you can create Touch ID rules today! Agents on older versions will fall back to the default allow/block behavior based on your CEL rule’s fallback logic.

[Contact us](https://northpole.security/) to discuss how conditional verification can fit your security requirements.
