2

I noticed that the app requires the user to enter their computer password when trying to access passwords in the Orion settings. This seems highly inappropriate because it encourages users to provide their computer password to a third party application. When Safari, or other Apple products does this, it seems more reasonable because it is an Apple computer, so any Apple app may already (presumably) be able to access this either directly or indirectly based on Apple-created permissions.

However, Kagi is a third party, and therefore no user should ever provide their computer password to a third party. Users should not be conditioned to provide passwords to a third party application in this manner.

Apps like Firefox (and others) address this by allowing the user the option to provide a Primary Password in which the browser will then require that in order to unlock your passwords. In this case, it is likely a separate password that would not provide the browser with a password that has alternative access, such as the user password which could be used by a program to either compromise a computer or elevate permissions without the user knowing.

    Third party apps will often request system password to unlock the iCloud keychain or for system permissions. This is a normal behaviour in my experience. Since Orion stores passwords in iCloud, this permission is requested to unlock the keychain.

    There's even an Apple Support document on this subject: https://support.apple.com/en-ca/guide/mac-help/kychn002/mac

    No one is typing