In the very rare event that the Trusona service is not available, the mechanisms noted below can be used by select authorized users to bypass Trusona. Note that this must be configured in each system noted below and is not a substitute for the Trusona service or a method to circumvent the Trusona implementation.
This section covers what you can do if your system software is damaged such that you are unable to log in or start up. You basically have 3 options:
1. Force macOS to Rebuild the Authorization Database
If your Mac fails to start up or allow you to log in because it is unable to authenticate, you can disable Trusona by forcing macOS to rebuild the authorization database.
For this technique you will use the command line to remove the auth.db database files that reside in /var/db/ on the Mac's boot drive. At the next reboot, the OS will detect that /var/db/auth.db does not exist and create a new /var/db/auth.db, using /System/Library/Security/authorization.plist as a template. Because the database is recreated from that template, any other custom authorization rules on the machine are reset to Apple's defaults as well.
sudo rm /var/db/auth.db
In macOS Recovery mode the "auth.db" file may be inaccessible. You can use the technique below to unlock and mount it.
Use Terminal from Recovery mode
The exact terminal commands may vary somewhat based on your startup drive configuration. The default startup drive is named "Macintosh HD" so we will use that in the description below.
Helpful UNIX commands:
ls: list the contents of the current working directory.
pwd: show the file path of the current working directory.
cd <directory-path>: change the current working directory.
rm: remove the named file or directory.
You can search on-line for more detailed descriptions and options.
The basic strategy is to navigate to "/Volumes/Macintosh HD/var/db" and then remove "auth.db". When a file path name contains a space, you can enclose the path in quotes or put a backslash '\' before each space. In the steps below, '#' is used to represent the UNIX command line prompt. The text that immediately follows is the UNIX command you should type.
Step by step guide
Restart your computer in Recovery mode. On Intel Macs, press and hold Cmd-R as your computer restarts. On Apple Silicon Macs (ASM), press and hold the power key as your computer restarts until you see "More startup options".
If FileVault is enabled, you will need a password to unlock the corresponding boot volume.
From Recovery mode select Utilities > Terminal from the top menu bar.
List the drives and volumes available
# diskutil list
Scroll through the listing to find the physical name of your startup volume. The volume may have a read-only section and read-write section identified with a "- Data" suffix.
In this example "Macintosh HD - Data" is shown as "disk3s1". Your system will likely vary.
Unlock the volume. You may be prompted for your FileVault password.
# diskutil apfs unlock disk3s1
After unlocking you should see a confirmation message: "Unlocked and mounted APFS Volume" or "Volume already unlocked".
# cd "/Volumes/Macintosh HD"
# pwd
Confirm you have found the correct boot volume as expected.
# cd var/db
Remove "auth.db".
# rm auth.db
Restart your computer.
# shutdown -r now
Your computer should start up normally and allow you to log in based on Apple's default configuration.
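As an added example (not part of Trusona's documentation), the removal step can be wrapped so that a copy of the database is kept before it is deleted; the same function serves the Recovery, SSH and second-volume variants of this procedure. The function name reset_authdb and the backup file naming are assumptions made for this example.

```sh
#!/bin/sh
# Added example: back up, then remove, the authorization database on a
# mounted volume. reset_authdb and the ".bak.<timestamp>" naming are
# assumptions for illustration, not part of the original procedure.
#
# Usage:
#   reset_authdb "/Volumes/Macintosh HD"   # from Recovery or another volume
#   reset_authdb /                         # on the running system (as root)
# Prints the path of the backup copy on success.
reset_authdb() {
    # Require exactly one argument so the live system is never the default.
    if [ "$#" -ne 1 ] || [ -z "$1" ]; then
        echo "usage: reset_authdb <volume-root>" >&2
        return 64
    fi

    vol=${1%/}                       # drop one trailing slash; "/" becomes ""
    db="$vol/var/db/auth.db"

    # Refuse to act unless a regular file exists at the expected path.
    if [ ! -f "$db" ]; then
        echo "reset_authdb: $db not found; is the volume unlocked and mounted?" >&2
        return 1
    fi

    backup="$db.bak.$(date +%Y%m%d%H%M%S)"

    # Copy first, preserving mode and timestamps; keep the original if the
    # copy fails (for example on a read-only or full volume).
    cp -p "$db" "$backup" || return 2
    [ -f "$backup" ] || return 3

    # Only now remove the database so macOS rebuilds it at the next boot.
    rm "$db" || return 4

    printf '%s\n' "$backup"
}
```

If the rebuilt database causes problems, the backup copy can be inspected or put back in place from Recovery.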
Remote login via SSH
If Remote Login is enabled in System Preferences > Sharing, a system administrator can log in to your computer via SSH to uninstall Trusona.
At a terminal window type: sudo rm /var/db/auth.db
Restart your computer.
Unpair your mobile phone from your Mac
Follow steps 1-8 above for using Terminal from Recovery mode.
Navigate to Library/Application Support/Trusona
You might need to prefix this with /Volumes/<boot-volume> from the root of your internal drive.
List the contents of this directory with ls
# cd <USERNAME>
Remove the file named userCredential.trusona
Restart your computer.
Trusona authentication will require your password but will skip Trusonafication since your smartphone is no longer registered with your Mac.
Start up from another drive volume or partition
Start up from a bootable backup if available. To start up from an external drive, you may need to use the Startup Security Utility in Recovery. If no bootable volume is available, from Recovery select Disk Utility to create a new APFS volume (Disk Utility -> Add APFS Volume). On older file systems you can create a new drive partition.
Install macOS on the new volume you created above.
During macOS install you will be asked to set up an administrator account with a username and password.
After macOS installation completes, log in to your freshly installed system.
From here you can remove the damaged authorization database.
Referencing the drive volume that is unable to start up, you can use the following UNIX commands:
# cd /Volumes/<VOLUME_NAME>/var/db
# sudo rm auth.db
Alternatively you can access or copy over files on your previous drive partition to rebuild a working system.
2. Restore from a backup if available.
To restore from a Time Machine backup you'll first need to re-install macOS and then use the Migration Assistant to transfer data from your Time Machine backup.
3. Salvage critical data and rebuild a working system.
We hope you never need these extreme techniques. We have documented them to reassure administrators they can work around even the most difficult problems.
See operating system instructions here: https://apple.stackexchange.com/questions/274032/backup-to-external-in-recovery-mode-terminal-or-time-machine