KeyChain MFA Toolkit – 5 Developer


What Is The KeyChain MFA Toolkit?
The KeyChain MFA Toolkit allows users to log in with a private PIN and a KeyChain device plugged into the USB port, instead of their username and password. Usernames and passwords are not deprecated: users must still have them. With the Toolkit, a user must also have a PIN. The PIN must match the hidden, encrypted token on their KeyChain device. If the device is not present, then the username and password will be required.

FileMaker allows a solution to save a single user’s FileMaker account and password on any computer. Once saved, opening that solution no longer requires either the username or the password for unfettered access. Thus, the solution is protected only by the operating system username and login. If the user does not log out of their computer, or the operating system logs them in automatically, the solution is left wide open to anyone.

This is an enormous security deficiency for FileMaker!

With the KeyChain MFA Toolkit, usernames and passwords no longer need to be saved on a computer for such cavalier access. Layered on top of FileMaker accounts are PINs and hardware KeyChains. Using the PIN with the KeyChain (or with the FileMaker username and password if the KeyChain is not available) creates multi-factor authentication; the PIN (known only to the user) is linked to the encrypted token on the KeyChain (hidden within the solution’s User table). If the PIN is supplied but the KeyChain is unavailable, then the user must supply their username and password for a successful login.

SKU: KCMFATK5


Welcome to the KeyChain MFA Toolkit v 1.0
KeyChain MFA ToolKit v 1.00
©2021 Ron Smith MD.
All Rights Reserved.

Introduction. The KeyChain MFA Toolkit is provided as is with no warranty. Because it is a toolkit of FileMaker® scripts and other database structures, and not a self-contained, fully purposed solution, you agree to hold me harmless for any and all liability related to its use in whole or part.

This Toolkit is intended to be used so that you can build your solution on top of the scripts which manage FileMaker Security accounts. How and where you implement these scripts within your solution is entirely up to you.

Since it is an open database, I strongly recommend you study its structure, scripts, and documentation carefully before transferring and implementing my scripts into an existing solution. There is less to be done if you are using the Toolkit as a starter for a new project. Please READ THE DOCUMENTATION THOROUGHLY! I’ll try to provide support, but because the entire Toolkit is open, a developer can do much of their own solution debugging and customization.

This Toolkit was developed as an alternative to external authentication which requires FileMaker to depend on another server for user entry into a solution. My own FileMaker development started with version 1 in 1985, and for the last twenty years, my EMR (Electronic Medical Records) solution has been using self-contained authentication. I do not like web-based EMRs, and our server is on our premises where we do not rely on the internet for production. Your application may be different, of course, and the Toolkit may not be appropriate.

A distinct advantage of the Toolkit over external authentication is in the expansive nature of in-solution authorizations. For example, the privilege group for our nurses is the same, but each nurse user has a deeper level of authorizations. A handful are allowed to generate and print prescriptions. This protects those nurses who don’t have prescription authorization from accusations of prescribing fraud. This is no small thing in medicine. Your solution will dictate what that deeper level of authorization entails, but the fact that User authentication is present in the solution, and not external to it, gives you wide development latitude.

Requirements. The only developer requirement is that you leave the copyright notices in the scripts as they are. I strongly suggest that you add notes about your customizations just below that in case you come back to revisit the scripting.

License. The initial Developer and Admin passwords are different for the 1 Developer, 5 Developer, and 10 Developer license. Licenses may NOT be transferred.

This is a LIFETIME license. I have no intention of charging for upgrades, and developers who use the Toolkit can feel free to contribute by sending me their updated version. I welcome feedback, suggestions, and script updates. After so many years of extensive FileMaker development, this is my way of giving back to the FileMaker community. There is no license activation or verification. The pricing seems reasonable and is NOT subscription based (something I hate personally). If you share the Toolkit outside of your license, I have no way to know or prevent that. However, I can only offer support to developers that I know purchased the Toolkit, which is only fair.

KeyChain Devices. The scripts themselves do not dictate what kind of USB device you use for your KeyChain. The particular device shown in the documentation is NOT an endorsement, but rather my choice for my office. Your needs and preferences need to dictate the device you choose.

Required Plugins. These scripts depend on the Troi File and Encryptor plugins. I have used almost all of their software for many years, and am pleased with it. However, I am unable to distribute my developer license with the Toolkit per their license requirements. You must purchase your own license for these two plugins at

Once you purchase the licenses and download their plugins, you should only need to enter your license keys in the Plugins table. The licenses do not need to be present when you open the solution as Developer, but they are required for Users (accounts in the Users table) who open your solution containing the Toolkit routines and use KeyChain devices for authentication.

A Note About Windows. I’m first and only a Macintosh user. I have never developed under Windows. There are certainly possible improvements for that platform and your input is welcome.

In particular, there is an issue between Windows and Macintosh regarding the ejection versus unmounting of KeyChains. This relates directly to Apple’s APFS file system.

When a KeyChain is inserted and read by the Toolkit scripts, the Troi File plugin UNMOUNTS the volume. If the volume is not an APFS volume, then it appears that the KeyChain is ejected instead. I suspect this behavior is similar on Windows, which is agnostic to APFS volumes, or so it appears at present.

An APFS volume affords the convenience of not having to re-insert the device if the user quits the FileMaker solution. I think this is because of the container structure in APFS. Re-mounting is done through a Troi File plugin SHELL function, not by FileMaker directly.

On Macintosh, this is the ‘diskutil mount KeyChain’ command line, as typed in the Terminal application. I do not know how this would be done on Windows. I only have a virtual copy of Windows on my development laptop, so I can’t really explore this. FileMaker developers who work on Windows will, I hope, provide improvements and guidance to the Toolkit for that platform.
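As an added illustration of the remount step (example shell written here, not part of the Toolkit or the Troi plugin), the following checks for the volume’s mount point before any token is read and issues the same diskutil mount command only when the volume is absent, so a script can tell a still-unmounted APFS volume from an ejected device that needs re-inserting. It assumes the volume is named KeyChain and mounted under /Volumes; VOLUMES_DIR and MOUNT_CMD are hypothetical overrides.

```shell
# Added example, not the Toolkit's own code. Assumes macOS mounts the KeyChain
# volume under /Volumes; VOLUMES_DIR and MOUNT_CMD are hypothetical overrides
# so the logic can be exercised without a real device.
VOLUMES_DIR="${VOLUMES_DIR:-/Volumes}"
MOUNT_CMD="${MOUNT_CMD:-diskutil mount}"

# Returns 0 if the named volume's mount point exists, 1 otherwise.
keychain_mounted() {
    [ -d "$VOLUMES_DIR/$1" ]
}

# Remounts the volume only when it is absent. Returns 0 when the volume ends
# up mounted and 2 when the remount was attempted but the mount point is still
# missing, i.e. the device was ejected (non-APFS case) and must be re-inserted
# before its token can be read.
ensure_keychain_mounted() {
    vol="$1"
    if keychain_mounted "$vol"; then
        return 0
    fi
    # Same command the Toolkit runs through the Troi SHELL function on macOS.
    $MOUNT_CMD "$vol" >/dev/null 2>&1 || true
    if keychain_mounted "$vol"; then
        return 0
    fi
    return 2
}
```

Call `ensure_keychain_mounted KeyChain` and branch on its exit status before reading the token; a status of 2 is the signal to fall back to username and password.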

At present, Troi plugins do not work on Linux.