Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

Apple evaluating expanding Secure Enclave protections for multiple users

Apple's current T2 security processor

Last updated

Apple is researching ways to allow multiple users to benefit from Touch ID, or similar biometric systems, while keeping the protection of the current secure enclave.

Apple's T2 security processor is based around a secure enclave which stores biometric data about a user. Whether that user is unlocking their Mac, or making a purchase, the secure enclave is asked to confirm that they are who they say they are.

Without divulging any of the stored data, the T2 processor can confirm or deny a request. So the Mac or the retailer has the certainty they need to proceed, without the user's privacy being compromised.

This works very well for individual users, but it becomes more complex when multiple people want to access the same Mac, or other system, to do different things. Unlocking for one user could mean letting them access the whole machine, while unlocking for another might limit them to their own user account and a subset of the possible features.

It doesn't actually sound as if it could be that much more difficult, but newly-revealed patent application "Provision of Domains in Secure Enclave to Support Multiple Users," shows that it is. Rather than just being a case of the secure enclave comparing, say, a finger print to any of those previously stored, there are complicated issues around these levels of access.

The patent application is therefore concerned less with how the biometric data is physically stored, or just how many different people can have their fingerprint recognized. It's more about questions over who is allowed to do what. "When group encryption is enabled, adding a new member to a group may require authorization to be explicitly provided by an existing member of the group," it says.

"To enable multi-user access to the data processing system, group keys can be created, such that via membership within a group on the system (e.g., administrators, users, etc.) can enable different levels of access to the system," continues Apple.

It would be easier to just have a passcode that you tell people, but that wouldn't bring anything close to the level of security that Apple believes is required.

"Computing devices can employ passcode protection to protect data stored on the device," says the patent application. "The computing device can prevent unauthorized access to stored data using protection mechanisms in including presenting a login screen that requires a user to provide a user name/password combination and/or a numeric or alphanumeric passcode."

"However, it may still be possible to gain access to data stored on the computing system without knowledge of a username/password or passcode if the data is stored in an unencrypted manner," continues Apple. "A malicious attacker may be able to extract data directly from the memory. If the attacker has physical access to the computing system, the attacker can remove one or more storage devices from the system and access those devices via a different system."

Detail from the patent application showing one of many decision routes the system would have to take Detail from the patent application showing one of many decision routes the system would have to take

A secure enclave should fix this, but it needs to be convenient for multiple legitimate users, as well as impossible for unauthorized ones. So a Mac or other device should unlock quickly for the right person, but not anyone trying to force their way in.

"The secure processor includes memory that is used to track a number of successive failed authentication attempts for each of multiple authentication types," says Apple. As each attempt is made, Apple's proposal is that the user be made to wait increasingly long times before getting to try again.

"The secure processor is further configured to delay authentication of the request for a first period of time in response to a determination that the user account associated with a received set of credentials has exceeded a first number of successive failed authentication attempts," says Apple.

This patent application is credited to three inventors, Pierre Oliver Martel, Arthur Mesh, and Wade Benson. All three have previous related patents regarding user authentication and secure access.

Stay on top of all Apple news right from your HomePod. Say, "Hey, Siri, play AppleInsider," and you'll get latest AppleInsider Podcast. Or ask your HomePod mini for "AppleInsider Daily" instead and you'll hear a fast update direct from our news team. And, if you're interested in Apple-centric home automation, say "Hey, Siri, play HomeKit Insider," and you'll be listening to our newest specialized podcast in moments.



3 Comments

rob53 13 Years · 3314 comments

This could actually benefit a lot of users especially family members sharing a single device. If it works like the normal macOS with an admin account and normal users it should allow access to common things like apps , music and movies but would limit access to email and messages (as well as other things). On an iOS device this would be great for parents and kids so kids couldn’t read parent’s messages. This would necessitate additional storage but that’s easy for Apple to do. Using either FaceID or TouchID to quickly switch users would be fantastic. This feature could put other mobile devices out of business.