---
title: "Require Touch ID for Browser Automation | Security Cookbook"
description: "Require Touch ID verification when Chrome or other browsers launch with remote debugging, gating Playwright and AI tool automation without disrupting use."
doc_version: "1"
last_updated: "2026-05-22"
canonical: "https://northpole.security/cookbook/require-touchid-browser-automation"
---

### Idea

AI coding tools like Claude Code, Cursor, and Windsurf often use browser automation via MCP servers like Playwright. These tools launch Chrome with the `--remote-debugging-port` flag, which opens a control channel that other processes can exploit.

Remote debugging enables powerful automation capabilities, but it also creates security risks. Malware and phishing attacks have used this technique to inject scripts into authenticated browser sessions, stealing credentials or performing actions as the user.

Rather than blocking browser automation entirely (which would break legitimate workflows) or allowing it unconditionally (which leaves a security gap), Touch ID verification provides a middle ground. Users must confirm with their fingerprint before the browser launches in debugging mode.

This rule allows Chrome to run normally for everyday browsing. When any process launches Chrome with remote debugging enabled, the user must verify with Touch ID. Security teams gain visibility and control without disrupting normal browser use.

### Solutions

#### Require Touch ID for Chrome Remote Debugging

Rule type: Execution. Prompt for Touch ID when Chrome launches with `--remote-debugging-port`.

Signing ID: `EQHXZ8M8AV:com.google.Chrome`

CEL Expression:

```cel
args.exists(arg, arg.contains('--remote-debugging-port=')) ? REQUIRE_TOUCHID_ONLY : ALLOWLIST
```

Custom Message: "Chrome is launching with remote debugging enabled. Verify with Touch ID to continue."

#### Require Touch ID for Any Browser Remote Debugging

Rule type: Execution. Prompt for Touch ID when any Chromium-based browser launches with remote debugging.

Signing ID: `*`

CEL Expression:

```cel
args.exists(arg, arg.contains('--remote-debugging-port=')) &&
(signing_id.contains('com.google.Chrome') ||
 signing_id.contains('com.brave.Browser') ||
 signing_id.contains('com.microsoft.Edge') ||
 signing_id.contains('org.chromium.Chromium'))
? REQUIRE_TOUCHID_ONLY : ALLOWLIST
```

Custom Message: "Browser is launching with remote debugging enabled. Verify with Touch ID to continue."

#### Require Touch ID for Playwright/Puppeteer Automation

Rule type: Execution. Broader rule that catches common automation patterns. Because `&&` binds tighter than `||` in CEL, `--remote-debugging-port=` and `--headless` each trigger the prompt on their own, while `--disable-extensions` only triggers it when another argument also contains `--remote-debugging`.

Signing ID: `EQHXZ8M8AV:com.google.Chrome`

CEL Expression:

```cel
args.exists(arg,
  arg.contains('--remote-debugging-port=') ||
  arg.contains('--headless') ||
  arg.contains('--disable-extensions') && args.exists(a, a.contains('--remote-debugging'))
) ? REQUIRE_TOUCHID_ONLY : ALLOWLIST
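To see which launches each of the three rules above would gate before deploying them, here is an added Python model of their decision logic (not Santa or Workshop code; it mirrors CEL's `contains` substring match and `&&`/`||` precedence). The launch argument lists in the `__main__` block are constructed, and the Brave team ID is a placeholder.

```python
REQUIRE_TOUCHID_ONLY = "REQUIRE_TOUCHID_ONLY"
ALLOWLIST = "ALLOWLIST"
CHROME_ID = "EQHXZ8M8AV:com.google.Chrome"  # Signing ID from rules 1 and 3
BROWSER_IDS = ("com.google.Chrome", "com.brave.Browser",
               "com.microsoft.Edge", "org.chromium.Chromium")

def has_arg(args, needle):
    """Model of CEL args.exists(arg, arg.contains(needle)): substring match on any argument."""
    return any(needle in arg for arg in args)

def rule_chrome_remote_debugging(signing_id, args):
    """Rule 1: Signing ID scopes it to Chrome; None means the rule does not apply."""
    if signing_id != CHROME_ID:
        return None
    return REQUIRE_TOUCHID_ONLY if has_arg(args, "--remote-debugging-port=") else ALLOWLIST

def rule_any_browser_remote_debugging(signing_id, args):
    """Rule 2: Signing ID '*' matches every binary; the CEL narrows it to Chromium-based browsers."""
    is_browser = any(bundle in signing_id for bundle in BROWSER_IDS)
    if has_arg(args, "--remote-debugging-port=") and is_browser:
        return REQUIRE_TOUCHID_ONLY
    return ALLOWLIST

def rule_automation_patterns(signing_id, args):
    """Rule 3: in CEL `&&` binds tighter than `||`, so --disable-extensions alone
    is not enough; it counts only when some argument also contains --remote-debugging."""
    if signing_id != CHROME_ID:
        return None
    triggered = any(
        "--remote-debugging-port=" in arg
        or "--headless" in arg
        or ("--disable-extensions" in arg and has_arg(args, "--remote-debugging"))
        for arg in args
    )
    return REQUIRE_TOUCHID_ONLY if triggered else ALLOWLIST

def evaluate(signing_id, args):
    """Decision each rule returns for one launch event; try candidate argv here before deploying."""
    return {
        "chrome_remote_debugging": rule_chrome_remote_debugging(signing_id, args),
        "any_browser_remote_debugging": rule_any_browser_remote_debugging(signing_id, args),
        "automation_patterns": rule_automation_patterns(signing_id, args),
    }

if __name__ == "__main__":
    # Constructed launches, not real Santa events; the Brave team ID is a placeholder.
    print("dock launch   ", evaluate(CHROME_ID, ["Google Chrome"]))
    print("playwright    ", evaluate(CHROME_ID, ["Google Chrome", "--remote-debugging-port=9222"]))
    print("brave cdp     ", evaluate("TEAMID:com.brave.Browser", ["Brave Browser", "--remote-debugging-port=9222"]))
    print("no extensions ", evaluate(CHROME_ID, ["Google Chrome", "--disable-extensions"]))
```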

### MITRE ATT&CK

Tactics:

-   [Credential Access](https://attack.mitre.org/tactics/TA0006/)
-   [Execution](https://attack.mitre.org/tactics/TA0002/)

Techniques:

-   [T1539: Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539/)
-   [T1059.007: JavaScript](https://attack.mitre.org/techniques/T1059/007/)

### Tags

touchid, browser-automation, chrome, playwright, puppeteer, ai-coding-tools, mcp, remote-debugging

### Deployment Notes

Touch ID rules require Santa 2026.1 or later. The feature works on any Mac with Touch ID hardware or an Apple Watch configured for authentication.

Important considerations:

-   Agents on older Santa versions will fall back to ALLOWLIST behavior
-   Users without Touch ID hardware will need an alternative verification method
-   Consider combining with audit logging to track automation usage

This rule is ideal for:

-   Organizations using AI coding assistants (Claude Code, Cursor, Windsurf)
-   Teams running browser automation for testing
-   Environments where browser debugging should be gated but not blocked

### False Positive Guidance

This rule only triggers when browsers launch with remote debugging flags. Normal browser usage is unaffected.

Scenarios that will trigger Touch ID:

-   AI coding tools using Playwright MCP server
-   Automated testing frameworks (Selenium, Puppeteer, Playwright)
-   Developer tools that control browsers programmatically
-   Browser extensions that require debugging access

All of these are legitimate uses that the rule allows after Touch ID verification.

### Testing Instructions

1.  Verify normal Chrome browsing works without a Touch ID prompt: open Chrome normally from the Dock or Applications.
2.  Test that remote debugging triggers Touch ID: `/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --remote-debugging-port=9222` (should prompt for Touch ID).
3.  Test with an AI coding tool that uses Playwright: run a Playwright automation; it should prompt for Touch ID.
4.  Verify Touch ID approval allows execution: after approving with Touch ID, Chrome should launch with debugging enabled.

### Detection Methods

Monitor Touch ID verification events in Workshop to track browser automation usage:

-   Query: `event_type=Execution AND decision=REQUIRE_TOUCHID AND signing_id LIKE '%Chrome%'`

This gives visibility into:

-   Which users are running browser automation
-   How frequently automation tools are used
-   Whether automation is happening outside expected hours or contexts
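The three questions above can be answered offline from an export of those events. The following is an added example (not Workshop tooling) that applies the page's query conditions to constructed events and summarises them per user and by time of day; the `user` and `timestamp` fields and the 08:00 to 18:00 working window are assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed events carrying the fields named in the page's Workshop query
# (event_type, decision, signing_id); `user` and `timestamp` are assumed extra fields.
EVENTS = [
    {"event_type": "Execution", "decision": "REQUIRE_TOUCHID", "signing_id": "EQHXZ8M8AV:com.google.Chrome",
     "user": "alice", "timestamp": "2026-05-20T10:15:00"},
    {"event_type": "Execution", "decision": "REQUIRE_TOUCHID", "signing_id": "EQHXZ8M8AV:com.google.Chrome",
     "user": "alice", "timestamp": "2026-05-20T14:40:00"},
    {"event_type": "Execution", "decision": "REQUIRE_TOUCHID", "signing_id": "EQHXZ8M8AV:com.google.Chrome",
     "user": "bob", "timestamp": "2026-05-21T02:05:00"},
    {"event_type": "Execution", "decision": "ALLOWLIST", "signing_id": "EQHXZ8M8AV:com.google.Chrome",
     "user": "carol", "timestamp": "2026-05-21T09:00:00"},
    {"event_type": "Execution", "decision": "REQUIRE_TOUCHID", "signing_id": "TEAMID:com.example.other",
     "user": "dave", "timestamp": "2026-05-21T11:30:00"},
]

def matches_query(event):
    """Python equivalent of the page's query:
    event_type=Execution AND decision=REQUIRE_TOUCHID AND signing_id LIKE '%Chrome%'"""
    return (event["event_type"] == "Execution"
            and event["decision"] == "REQUIRE_TOUCHID"
            and "Chrome" in event["signing_id"])

def summarize(events, work_hours=(8, 18)):
    """Who ran browser automation, how often, and which launches fell outside work_hours."""
    hits = [e for e in events if matches_query(e)]
    start, end = work_hours
    off_hours = [e for e in hits
                 if not start <= datetime.fromisoformat(e["timestamp"]).hour < end]
    return {
        "per_user": dict(Counter(e["user"] for e in hits)),
        "total": len(hits),
        "off_hours": [(e["user"], e["timestamp"]) for e in off_hours],
    }

if __name__ == "__main__":
    print(summarize(EVENTS))
```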

### Resources

-   [Santa Touch ID Documentation](https://northpole.dev/features/touchid-verification/)
-   [Workshop CEL Rules Guide](https://docs.workshop.cloud/rules/cel/)
-   [Chrome DevTools Protocol Security](https://chromedevtools.github.io/devtools-protocol/)

### Related Rules

-   [Block DYLD Environment Variable Injection](https://northpole.security/cookbook/block-dyld-injection) (Execution Control / Execution): Block DYLD_INSERT_LIBRARIES and other dyld environment variables to prevent code injection into third-party macOS applications.
-   [Protect Electron Apps from Heap Snapshot Backdoors](https://northpole.security/cookbook/protect-electron-apps) (Application Hardening / File Access): Restrict writes to Electron heap snapshot files to the app's own signed process, blocking the Trail of Bits backdoor against Slack and 1Password.

