How to Protect Sensitive Apps on Mac with Touch ID (Without Locking Your Whole Computer)
macOS has no built-in way to lock individual apps. Here's how to protect sensitive apps with Touch ID without locking your entire Mac.
macOS has no built-in mechanism to lock individual apps — the only native option is locking your entire Mac with a screensaver or sleep, which is all-or-nothing. If you want to protect specific sensitive apps (a banking app, your email, a password manager) while leaving everything else accessible, you need a third-party solution. Here's exactly how to do it, and what your options actually are.
Why macOS doesn't protect individual apps by default
Apple's security model is built around protecting the system and your data at rest — FileVault encrypts your disk, Gatekeeper controls what runs, and sandboxing limits what apps can do. But none of that stops someone who sits down at your unlocked Mac from opening 1Password, reading your emails, or checking your bank balance.
The assumption baked into macOS is that if you're at an unlocked Mac, you're an authorised user. That's fine for a single-person setup, but it falls apart the moment someone else can physically reach your keyboard — a family member, a coworker in a shared office, or anyone who walks past your desk while you're making coffee.
Screen Lock (the built-in option via System Settings → Lock Screen, or pressing ⌃⌘Q) locks everything at once. That's often overkill: you might want your kids to use the Mac freely but not be able to open your tax documents. You can't get that granularity from anything Apple ships.
What macOS Screen Time gets wrong for this use case
Screen Time (System Settings → Screen Time) lets you block apps entirely for managed users — but it's designed for parental controls with a separate managed account, not for protecting your own apps on your own account. It also uses a passcode rather than Touch ID, and it's clunky to configure for ad-hoc protection of individual apps.
More importantly: if you're on a single shared user account (which most families and coworking setups are), Screen Time's per-app limits don't give you the "require authentication to open" behaviour you're after. It can block apps by category or set time limits, but it won't prompt for Touch ID before someone opens your email.
The practical options for protecting individual apps
Option 1: Use separate macOS user accounts
The cleanest built-in solution is giving family members their own user account (System Settings → Users & Groups → Add Account). Each account has completely separate apps, files, and settings. Anyone without your login password cannot access your account.
This works well when people use the Mac at different times. It doesn't work well when you're already logged in and step away — your apps are all accessible to anyone who walks over. And switching accounts takes 15–30 seconds, which makes it impractical as a quick safeguard.
Option 2: Use a password manager's own lock feature
If it's specifically your password manager you're trying to protect, most of them (1Password, Bitwarden, Dashlane) have a built-in auto-lock setting that requires Touch ID or a master password after a timeout. Enable this in the app's own preferences before relying on anything else.
This is free and built-in — use it. The limitation is it only covers that one app, and the timeout means there's a window after you last used it where it's still unlocked.
Option 3: Lock individual apps with Touch ID using Lockish
For protecting any combination of apps — not just a password manager — Lockish adds a Touch ID lock layer to individual apps you choose. When someone tries to open a protected app, they see an overlay that hides the content completely and requires Touch ID, Face ID, or your device passcode before it disappears.
The setup takes about two minutes:
- Download Lockish and grant it Accessibility permission when prompted (required — this is how it detects app focus changes)
- Open the Lockish menu bar icon and click the + button
- Select any app you want to protect — your email client, banking app, notes, whatever
- Set an idle timeout per app (anywhere from 10 seconds to 60 minutes) — after that period of inactivity, the app auto-locks itself
Once an app is protected, Lockish locks it again automatically when your Mac sleeps or the screen locks, so you don't have to remember to lock it manually. If you're stepping away in a hurry, ⌘L triggers Lock All Now across every protected app at once.
A few things worth knowing: Lockish is convenience protection, not a cryptographic lock. Someone with admin access to your Mac could work around it. It's designed to protect against casual access — a family member, a coworker, or someone who finds your unlocked Mac — not a determined attacker. Don't use it as a substitute for FileVault (which you should have enabled regardless).
Lockish has a 7-day free trial so you can test it with your actual apps before buying. It's a one-time purchase — no subscription.
Which apps are worth protecting?
The most common ones, based on what people actually lock:
- Banking and finance apps — any app where someone could initiate a transfer or see account numbers
- Email clients — Mail, Spark, Mimestream — your inbox is a goldmine of sensitive information
- Password managers — even if the app has its own lock, a second layer doesn't hurt
- Notes apps — Apple Notes, Obsidian, Notion — people store surprisingly personal things here
- Messages and communication — iMessage, WhatsApp, Telegram
You don't need to lock everything. Lock the two or three apps where real damage could happen if someone opened them.
What about apps that don't support Touch ID natively?
Some apps — mostly communication and finance apps — have started adding their own Touch ID prompts. If an app already prompts for Touch ID on open, you may not need Lockish for it. Check the app's own security settings first.
For apps with no built-in lock (which is most of them), Lockish is the only option that adds Touch ID authentication without replacing the app itself.
Common questions
Does macOS have a built-in way to require Touch ID before opening an app?
No. macOS Touch ID is used for unlocking your Mac, approving sudo commands in Terminal, and authenticating in-app purchases. There's no native setting to require Touch ID before opening a specific app — that requires a third-party tool.
Will locking an app hide its contents from other apps like Mission Control or notifications?
Lockish hides the app's content behind a full lock overlay, so the window contents aren't visible on screen. Notifications from a locked app can still appear as banners depending on your notification settings — if that's a concern, set the app's notifications to "Alerts" style or turn off notification previews in System Settings → Notifications.
Does this work on a Mac without Touch ID (like an older Intel Mac with a separate keyboard)?
Lockish falls back to your macOS login password if Touch ID isn't available or fails. macOS 14+ is required, and the Mac needs to support biometric or passcode authentication. Most Macs from 2018 onwards with a Touch Bar, or any Mac running Sequoia with Apple Silicon, will work fine.