Touch ID

Last updated: 1 month ago

Apple introduced Touch ID with the launch of its iPhone 5S. While not as convenient as Face ID, it allows users to quickly unlock their iPhone, iPad, or MacBook, sign in to services, and approve purchases with just a touch of their fingertips. No manually-entered password is needed.

● Quickly unlocks using your fingertip
● Biometrics
● Secure Enclave
● AES-256 encryption
● Available on iPhones, iPads, and MacBooks

Apple's Touch ID precedes its Face ID technology and is still used today on devices that don't include a TrueDepth sensor system, like the latest MacBook Air. It's a biometric hardware-based authentication platform that eliminates the need for manual login entry. This system captures multiple scans of the fingertip for quick unlocks and approvals using various finger positions.

Compatible devices

Here is a current list of supported devices:

iPhone

  • iPhone 5S
  • iPhone SE (2016)
  • iPhone SE (2020)
  • iPhone 6
  • iPhone 6 Plus
  • iPhone 6S
  • iPhone 6S Plus
  • iPhone 7
  • iPhone 7 Plus
  • iPhone 8
  • iPhone 8 Plus

iPad

Mac

What is Touch ID?

iPad Pro Home button with Touch ID

This feature requires a physical button. It's based on technology developed by AuthenTec that was previously used on smartphones in Japan to authenticate mobile payments. Apple acquired the company in 2012 for $356 million and first implemented the technology in the iPhone 5S launched in 2013.

On phones and most tablets, the sensor resides on the Home button. The Home button is a stack of different materials, capped with a sapphire crystal lens. The surrounding stainless-steel ring works as a ground and detects the user's finger. Touching the ring activates a capacitive touch sensor installed underneath the cover: a CMOS chip with small capacitors.

This sensor generates a capacitive field that's distorted by the user's natural electrical current. This allows the sensor to capture the ridges of the subepidermal layers of the user's fingertip and create an 88 x 88 raster image (500ppi).

On the iPad Air 4, Apple put Touch ID in the tablet's power button. On the MacBook Air, the sensor resides on the power button located in the top right corner and above the Delete button. On the MacBook Pro, it's located at the far right end of the Touch Bar. Neither Mac version includes the stainless-steel ring.

Apple's first-generation sensor resides on the following devices:

  • iPhone 5S
  • iPhone 6
  • iPhone 6 Plus
  • iPhone SE (2016)
  • iPad mini 3
  • iPad (2017)
  • iPad (2018)
  • iPad (2019)

Apple introduced the second-generation sensor in the iPhone 6S and iPhone 6S Plus promising 2x faster performance than the first-generation version. However, users complained that it unlocked too fast, preventing them from reading notifications on the lock screen. Apple fixed this issue with iOS 10.

The second-generation sensor is on the following iPhones:

  • iPhone 6S
  • iPhone 6S Plus
  • iPhone 7
  • iPhone 7 Plus
  • iPhone 8
  • iPhone 8 Plus
  • iPhone SE (2020)

Here are the iPads:

  • 9.7-inch iPad Pro
  • 10.5-inch iPad Pro
  • 12.9-inch iPad Pro (2015)
  • 12.9-inch iPad Pro (2017)
  • iPad Air 2
  • iPad Air 3
  • iPad Air 4
  • iPad mini 4
  • iPad mini 5

Finally, Apple's MacBooks:

  • MacBook Air (2018)
  • MacBook Air (2020)
  • MacBook Pro with Touch Bar

How Touch ID works on phones and tablets

Touch ID registration

Users must have a passcode already created before using this feature. A passcode is required to access the device if the fingerprint scan fails.

During fingerprint registration, users are instructed to repeatedly hold and lift their finger centered on the Home button (or power button of the iPad Air 4) until the capture is complete. After that, registration requires the user to capture the outer areas of their fingertip.

Data collected by the sensor is sent to the application processor using a dedicated serial peripheral interface bus. The application processor then forwards this data to the Secure Enclave to be analyzed.

According to Apple, this analysis utilizes subdermal ridge flow angle mapping, which discards minutiae data. The resulting maps are converted and then encrypted as they are written to the file system. This data is only accessible by the Secure Enclave — neither the operating system nor Apple can read it. The Secure Enclave and the sensor have a shared key that's used to create a session key, which in turn encrypts and authenticates the data.

After the initial registration, when the user attempts to unlock the device using a finger, the fingerprint raster scan goes into encrypted memory within the Secure Enclave. It's analyzed and compared with the stored data and then discarded.

On devices with the A7 chip and newer, the Secure Enclave stores the class key used to encrypt and decrypt data. When the user attempts to unlock the device, the sensor scans the fingerprint. If the match succeeds, the Touch ID system uses the decrypted class key handed to it by the Secure Enclave to unwrap all the other keys protecting the user's data and then unlocks the device.

The decrypted class keys are stored in memory until the device reboots. All keys are discarded after 48 hours or after five failed attempts to unlock the device using a finger.

How Touch ID works on Macs

MacBook with Touch ID

On Macs, the Secure Enclave doesn't reside within the main processor because they currently rely on third-party Intel-based CPUs. Instead, Apple created a separate, custom chip with the Secure Enclave coprocessor inside.

Apple's T2 Security chip is a 64-bit ARMv8 SoC that runs a separate operating system called bridgeOS 2.0. It handles the entire boot process, all encryption using a dedicated AES hardware engine, audio processing, camera control, and System Management Controller capabilities for older Macs. It also enables the "Hey Siri" capability.

As with mobile, the Secure Enclave and the sensor have a shared key that's used to create a session key which in turn encrypts and authenticates the data. All data collected by the sensor is sent to the T2 Security chip using a dedicated serial peripheral interface bus. The T2 chip then forwards this data to the Secure Enclave for processing.

Touch ID and Secure Enclave

The Secure Enclave coprocessor handles encryption keys

The Secure Enclave is a coprocessor (or hardware-based key manager) that physically resides within the application processor package, like the Apple A7 and newer, or within Apple's dedicated T2 Security chip. It's isolated and communicates with the parent chip using an interrupt-driven "mailbox" — they also share memory data buffers. Because it's isolated and self-maintaining, it retains its integrity even if the operating system is compromised.

According to Apple, it runs a custom version of the company's L4 microkernel (firmware) that's digitally signed by Apple and verified during the hardware boot chain process.

The Secure Enclave converts data provided by the sensor into mathematical representations. These numbers are encrypted and stored in the file system, as the Secure Enclave's 4MB of storage is only used for 256-bit elliptic curve private keys.

When a file is created on the device, the AES engine generates and uses a new 256-bit "per-file" key to encrypt the file as it's written to the local storage. This key is then encrypted using a class key and stored in the file's metadata, which is then encrypted with a random file system key created when the operating system was first installed.

The Secure Enclave stores the class key and handles all wrapped file keys, meaning these keys are never revealed to the main processor. On devices that use the Apple File System, the file system metadata key is encrypted using the Secure Enclave's Hardware UID (Unique Identifier) key. The SoC's firmware encrypts all keys stored within the Secure Enclave.
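The following is an added toy model, not Apple's code, of the rules the article describes in the unlock section and in the key-hierarchy paragraphs just above: the sensor and Secure Enclave derive a session key from a shared key to encrypt and authenticate the scan; the class key exists only inside the Secure Enclave, wrapped under the hardware UID key; a passcode entry releases it; a fingerprint match re-releases it; and it is discarded after 48 hours or five failed finger attempts, after which the passcode is required again. Per-file keys are wrapped under the class key the way the file metadata description says. Everything here is constructed: the passcode, the "ridge map" template, the shared key, and the UID key. Python's standard library has no AES, so key wrapping is modelled with an HMAC-SHA256 keystream plus an HMAC tag (encrypt-then-MAC) in place of the Secure Enclave's AES engine, and fingerprint matching is modelled as an exact comparison rather than the real fuzzy ridge-flow matcher.

```python
"""Toy model of the Touch ID / Secure Enclave key-release rules. Added
illustration, not Apple's code; all keys, names and the ridge map are
constructed. HMAC-SHA256 stands in for the AES engine."""
import hashlib
import hmac
import secrets

FAILED_ATTEMPT_LIMIT = 5          # article: five failed finger unlocks
KEY_LIFETIME_SECONDS = 48 * 3600  # article: keys discarded after 48 hours


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode; a stand-in for AES, not a recommendation.
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def wrap(kek: bytes, key: bytes) -> bytes:
    """Return nonce || key XOR keystream || tag, so the wrapped key is authenticated."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(key, _keystream(kek, nonce, len(key))))
    return nonce + ct + hmac.new(kek, nonce + ct, hashlib.sha256).digest()


def unwrap(kek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kek, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrapped key failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))


def derive_session_key(shared_key: bytes, session_nonce: bytes) -> bytes:
    """Sensor and Secure Enclave each derive the same per-session key from their shared key."""
    return hmac.new(shared_key, b"touchid-session" + session_nonce, hashlib.sha256).digest()


class SecureEnclave:
    def __init__(self, passcode: str, ridge_map: bytes):
        self.uid_key = secrets.token_bytes(32)   # stands in for the fused hardware UID key
        self._template = hashlib.sha256(ridge_map).digest()
        self._passcode = hashlib.sha256(passcode.encode()).digest()
        # The class key is generated once and persists only wrapped under the UID key.
        self.wrapped_class_key = wrap(self.uid_key, secrets.token_bytes(32))
        self._class_key = None      # in-memory copy; None until a passcode unlock
        self.locked = True
        self.failed_attempts = 0
        self.unlocked_at = None

    def unlock_with_passcode(self, passcode: str, now: float) -> bool:
        if not hmac.compare_digest(hashlib.sha256(passcode.encode()).digest(), self._passcode):
            return False
        self._class_key = unwrap(self.uid_key, self.wrapped_class_key)
        self.unlocked_at, self.failed_attempts, self.locked = now, 0, False
        return True

    def unlock_with_finger(self, scan: bytes, now: float) -> bool:
        # A finger can only re-release a class key still held since the last passcode entry.
        if self._class_key is None:
            return False
        if now - self.unlocked_at > KEY_LIFETIME_SECONDS:
            self._discard()
            return False
        if hmac.compare_digest(hashlib.sha256(scan).digest(), self._template):
            self.failed_attempts, self.locked = 0, False
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= FAILED_ATTEMPT_LIMIT:
            self._discard()
        return False

    def lock(self):
        self.locked = True              # class key stays in memory until reboot or discard

    def _discard(self):
        self._class_key, self.unlocked_at, self.locked = None, None, True

    def class_key_available(self) -> bool:
        return self._class_key is not None

    def wrap_file_key(self, file_key: bytes) -> bytes:
        """Per-file key wrapped under the class key, as kept in the file's metadata."""
        if self.locked:
            raise PermissionError("device locked")
        return wrap(self._class_key, file_key)

    def unwrap_file_key(self, wrapped: bytes) -> bytes:
        if self.locked:
            raise PermissionError("device locked")
        return unwrap(self._class_key, wrapped)
```

The point the model makes explicit is that a fingerprint never decrypts anything by itself: it only gates release of a class key the Secure Enclave already holds, which is why a reboot, a 48-hour gap, or five misreads all fall back to the passcode.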

Touch ID may return to new iPhones

Despite Apple's current reliance on Face ID, given the larger all-encompassing screen installed on its newer phones, the company may return to Touch ID soon — possibly on the iPhone 12 — using ultrasonic fingerprint recognition technology.

 
 
