
Apple explains Touch ID in depth with latest iOS security document

In the latest release of its iOS Security document, spotted by TechCrunch, Apple offers a number of details about the function and processes of the Touch ID fingerprint recognition system on its iPhone 5s. The document describes the Secure Enclave, “a coprocessor fabricated in the Apple A7 chip,” which handles matching the fingerprint read by Touch ID against the fingerprints the user has registered. While much of how Touch ID behaves was revealed last fall when the iPhone 5s was introduced, and through experience since, the white paper lists more specifics than have previously been made available.

According to Apple, a single registered fingerprint creates a 1 in 50,000 chance of a successful random match with someone else’s print.

Apple describes the Secure Enclave’s system for safely managing identities while keeping the data separate from the rest of the system through encrypted memory and a hardware random number generator.

Each Secure Enclave is provisioned during fabrication with its own UID (Unique ID) that is not accessible to other parts of the system and is not known to Apple. When the device starts up, an ephemeral key is created, tangled with its UID, and used to encrypt the Secure Enclave’s portion of the device’s memory space.

Additionally, data that is saved to the file system by the Secure Enclave is encrypted with a key tangled with the UID and an anti-replay counter.

Apple goes on to describe the role which the A7 plays in authorizing Touch ID:

Communication between the A7 and the Touch ID sensor takes place over a serial peripheral interface bus. The A7 forwards the data to the Secure Enclave but cannot read it. It’s encrypted and authenticated with a session key that is negotiated using the device’s shared key that is built into the Touch ID sensor and the Secure Enclave. The session key exchange uses AES key wrapping with both sides providing a random key that establishes the session key and uses AES-CCM transport encryption. 

As many Touch ID users have probably discovered, some instances require passcode use over Touch ID. The document points out exactly when Touch ID cannot be used and passcode input is required:

The passcode can always be used instead of Touch ID, and it’s still required under the following circumstances:
- iPhone 5s has just been turned on or restarted
- iPhone 5s has not been unlocked for more than 48 hours
- After five unsuccessful attempts to match a finger
- When setting up or enrolling new fingers with Touch ID
- iPhone 5s has received a remote lock command
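A small model of that fallback list, added here as an example (not Apple's implementation): it keeps the five conditions as state and decides whether Touch ID may be offered. It assumes that a successful passcode entry clears the failed-match count and a remote lock, and that any successful unlock, by passcode or by finger, restarts the 48-hour clock.

```go
package main

import "time"

// TouchIDState holds the conditions under which the passcode is required
// instead of Touch ID (a model written for this article, not Apple's code).
type TouchIDState struct {
	UnlockedSinceBoot bool      // false right after power-on or restart
	LastUnlock        time.Time // last successful unlock, passcode or Touch ID
	FailedMatches     int       // consecutive unsuccessful finger matches
	Enrolling         bool      // setting up or enrolling a new finger
	RemoteLocked      bool      // a remote lock command was received
}

const (
	maxFailedMatches = 5
	maxIdle          = 48 * time.Hour
)

// PasscodeRequired returns why the passcode is required now, or "" when
// Touch ID may be offered (the passcode is always accepted either way).
func (s *TouchIDState) PasscodeRequired(now time.Time) string {
	switch {
	case s.RemoteLocked:
		return "remote lock command received"
	case !s.UnlockedSinceBoot:
		return "device just turned on or restarted"
	case now.Sub(s.LastUnlock) > maxIdle:
		return "not unlocked for more than 48 hours"
	case s.FailedMatches >= maxFailedMatches:
		return "five unsuccessful finger matches"
	case s.Enrolling:
		return "setting up or enrolling fingers"
	}
	return ""
}

// RecordMatchFailure counts one unsuccessful finger match.
func (s *TouchIDState) RecordMatchFailure() { s.FailedMatches++ }

// RecordPasscodeUnlock resets the state after a successful passcode entry
// (assumption: this also clears a remote lock and the failure count).
func (s *TouchIDState) RecordPasscodeUnlock(now time.Time) {
	s.UnlockedSinceBoot, s.LastUnlock, s.FailedMatches, s.RemoteLocked = true, now, 0, false
}

// RecordTouchIDUnlock restarts the idle clock after a successful finger match.
func (s *TouchIDState) RecordTouchIDUnlock(now time.Time) {
	s.LastUnlock, s.FailedMatches = now, 0
}
```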

You can read the full iOS Security document for information regarding app security, network security, and more here.

Also worth noting, Samsung announced its Galaxy S5 smartphone with its own fingerprint reader with developer access so we asked readers this morning if Apple should allow iOS developers the opportunity to take advantage of Touch ID.



Comments

  1. nwoodward95mac - 10 years ago

    And is Samsung’s fingerprint sensor even secure? Seems that Apple has made Touch ID secure while Samsung has it for fun.

  2. Well, I would not even mention Samsung’s implementation of the fingerprint scanner in the same text as Touch ID. They use the old swiping technology, which was used in laptops ten years ago. And according to the early hands-on videos of the Galaxy S5, its scanner works really badly…

  3. PMZanetti - 10 years ago

    That seems to spell it out, but I’d like to know why I am still prompted for my password in iTunes/App Store rather than prompted to use Touch ID. I haven’t figured that out yet.

    • PMZanetti - 10 years ago

      …prompted more often than not, I should say.

      • Do you often restart your device?

      • It is either because you restart your device often, or because you don’t purchase anything on iTunes within 24 or 48 hours of typing in your iTunes password (This needs to be entered every 24 or 48 hours for the fingerprint to work and download stuff on iTunes). Hope this helps you understand, but I do agree with you and feel like we are prompted too often for iTunes password

    • Greg Kaplan (@kaplag) - 10 years ago

      I thought there is text that says enter your password or touch the Touch ID. I don’t have a new phone, but isn’t that the case? They have to still have the password option in case you are wearing gloves or having a hard time with Touch ID.

      • Greg Kaplan (@kaplag) - 10 years ago

        nvm. I just saw my friend’s phone and it comes up with a “Use Touch ID” thing with a button to take you to enter the password. Weird it doesn’t come up for you like that.

    • eromeo56 - 10 years ago

      I had the same problem when I first got my phone but have long figured it out. I had my settings all wrong. Go to General, into Restrictions On, set require password for 15 min (not on immediately) and you should be all set. Just enter your password once into iTunes and your Touch ID should work from there on. Note if your phone shuts off you’ll have to enter your password again.

  4. Samir Shah - 10 years ago

    Take any path but do not announce it now. Why? Because you are going through a bad phase about security.

  5. Dan (@danmdan) - 10 years ago

    All I know about the Touch ID is that up to 50% of the times I try to use it my finger just does not get accepted; and so I have to go back to typing in a number code far too often.

Author

Zac Hall

Zac covers Apple news, hosts the 9to5Mac Happy Hour podcast, and created SpaceExplored.com.