In the latest release of its iOS Security document spotted by TechCrunch, Apple offers a number of details about the function and processes of the Touch ID fingerprint recognition system offered on its iPhone 5s. The document describes the Secure Enclave, “a coprocessor fabricated in the Apple A7 chip,” which manages safely matching active fingerprints read by Touch ID against registered fingerprints saved by the user. While much of how Touch ID behaves was revealed last fall when the iPhone 5s was introduced and through experience, the white page does list more specifics than have previously been made available…

According to Apple, a single registered fingerprint creates a 1 in 50,000 chance of a successful random match with someone else’s print.

Apple describes the Secure Enclave’s system for safely managing identities while keeping the data separate from the rest of the system through encrypted memory and a hardware random number generator.

Each Secure Enclave is provisioned during fabrication with its own UID (Unique ID) that is not accessible to other parts of the system and is not known to Apple. When the device starts up, an ephemeral key is created, tangled with its UID, and used to encrypt the Secure Enclave’s portion of the device’s memory space.

Additionally, data that is saved to the file system by the Secure Enclave is encrypted with a key tangled with the UID and an anti-replay counter.

Apple goes on to describe the role which the A7 plays in authorizing Touch ID:

Communication between the A7 and the Touch ID sensor takes place over a serial peripheral interface bus. The A7 forwards the data to the Secure Enclave but cannot read it. It’s encrypted and authenticated with a session key that is negotiated using the device’s shared key that is built into the Touch ID sensor and the Secure Enclave. The session key exchange uses AES key wrapping with both sides providing a random key that establishes the session key and uses AES-CCM transport encryption. 

As many Touch ID users have probably discovered, some instances require passcode use over Touch ID. The document points out exactly when Touch ID cannot be used and passcode input is required:

The passcode can always be used instead of Touch ID, and it’s still required under the following circumstances:
-iPhone 5s has just been turned on or restarted
-iPhone 5s has not been unlocked for more than 48 hours
-After five unsuccessful attempts to match a finger
-When setting up or enrolling new fingers with Touch ID
-iPhone 5s has received a remote lock command

You can read the full iOS Security document for information regarding app security, network security, and more here.

Also worth noting, Samsung announced its Galaxy S5 smartphone with its own fingerprint reader with developer access so we asked readers this morning if Apple should allow iOS developers the opportunity to take advantage of Touch ID.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

11 Responses to “Apple explains Touch ID in depth with latest iOS security document”

  1. And is samsung’s fingerprint sensor even secure? Seems that apple had made the touch id secure while samsung has it for fun.

  2. Well, I would not even mention the Samsung’s implementation of the fingerprint scanner in the same text with Touch ID. They use the old swiping technology, which was used in laptops ten years ago. And according to the early hands-on videos of Galaxy S5, its scanner works really badly…

  3. PMZanetti says:

    That seems to spell it out, but I’d like to know why I am still prompted for my password in iTunes/App store than prompted to use Touch ID. I haven’t figured that out yet.

    • PMZanetti says:

      …prompted more often than not, i should say.

    • I thought there is text that says enter your password or touch the touch id. I don’t have a new phone but isn’t that the cast? They have to still have the password option incase you are wearing gloves or having a hard time with touch id.

    • eromeo56 says:

      I had the same problem when I first got my phone but have long figured it out. I had my settings all wrong. Go to General, into Restrictions On, set require password for 15 min (not on immediately) and you should be all set. Just enter your password once into iTunes and your touch ID should work from there on. Note if your phone shuts off you’ll have to enter your password again.

  4. Samir Shah says:

    Take any path but do not announce it now. Why? Because you are going through a bad phase about security.

  5. All I know about the Touch ID is that up to 50% of the times I try to use it my finger just does not get accepted; and so I have to go back to typing in a number code far too often.