Everyone is thinking about how Apple’s future iPhones may get more secure thanks to efforts that company is making right now, but learning to use existing features like Touch ID can be an important part of ensuring that the iPhone or iPad you currently have is as secure as possible.
Touch ID, which enables you to unlock your device and even authenticate some transactions with your fingerprint, can make it more practical to use a longer, more complex passcode in the situations where you still need that passcode, since you won’t need to enter it as frequently. (We all know someone who’s set his passcode to “1234” to speed the process of entering it each time he wants to unlock his iPhone.) With Touch ID, you can easily and quickly unlock your iOS device, while keeping your files, communications, and apps secure. Here’s how to set up Touch ID, and how the system works behind the scenes.
How to use Touch ID
To set up Touch ID, you need to set up your iPhone or iPad so that a passcode is required to unlock it. When Touch ID scans and recognizes your fingerprint, the device will unlock without requiring you to enter your passcode. You can always opt to use your passcode instead of your fingerprint, and your device will still require your passcode when it’s just been turned on or restarted, when it hasn’t been unlocked for more than 48 hours, when it’s received a remote lock command, after five unsuccessful attempts to match a fingerprint, or when setting up or enrolling new fingerprints in Touch ID.
If you want to set up Touch ID but haven’t yet set a passcode, open the Settings app, and navigate to the Touch ID & Passcode section. Next, tap Turn Passcode On, and create a six-digit passcode. (Alternatively, you can tap Passcode Options to switch to a four-digit numeric code, a custom numeric code, or a custom alphanumeric code.) Enter your passcode again to confirm and activate it.
To set up Touch ID, ensure that both your home button and your fingers are clean and dry. Then open the Settings app, navigate to Touch ID & Passcode, and enter your passcode. Tap Add a Fingerprint, and hold your device as you normally would when touching the home button. Place your finger on the home button, but don’t press down. Hold it there until you feel a quick vibration and are asked to lift your finger, and follow the instructions to lift and rest your finger to capture different parts of your fingerprint.
In addition to using it to unlock your iPhone or iPad, you can use Touch ID to approve purchases from the App Store, the iTunes Store, or the iBooks Store. Touch ID can also be used with Apple Pay, and third-party apps can use Apple APIs to ask you to authenticate using Touch ID or your passcode. In that case, the app will only be notified whether or not authentication is successful; it can’t access Touch ID or information about your fingerprint. You can manage your Touch ID settings from the Settings app, where you can also enroll up to five fingerprints or delete fingerprints.
How Touch ID works
Not everyone who wants to use Touch ID is particularly curious about how the system works. But if you’ve been wondering about how Touch ID works, Apple recently revealed just about everything you’d want to know. In a whitepaper on iOS security (PDF), Apple explained that Touch ID will learn more about your fingerprint over time, and the sensor will continue to expand the “fingerprint map” with each use. Touch ID doesn’t store any images of your fingerprint; instead, it stores a mathematical representation from which it isn’t possible to reverse-engineer your actual fingerprint.
To enable you to unlock your iPhone or iPad with Touch ID, the chip in your device includes a coprocessor called the Secure Enclave, which was developed to protect your passcode and fingerprint data and is inaccessible to other parts of the system. Fingerprint data is encrypted and protected with a key that’s available only to the Secure Enclave, and the Secure Enclave is separate from the rest of the chip and the rest of iOS. Placing your finger on the home button triggers an imaging array to scan the finger and send the scan to the Secure Enclave. As Apple explains:
The Secure Enclave is responsible for processing fingerprint data from the Touch ID sensor, determining if there is a match against registered fingerprints, and then enabling access or purchases on behalf of the user. Communication between the processor and the Touch ID sensor takes place over a serial peripheral interface bus. The processor forwards the data to the Secure Enclave but cannot read it. It’s encrypted and authenticated with a session key that is negotiated using the device’s shared key that is provisioned for the Touch ID sensor and the Secure Enclave.
If Touch ID is turned off, then when your device locks, the keys for Data Protection class “Complete,” which are held in the Secure Enclave, are discarded. The files and keychain items in that class are inaccessible until you unlock the device by entering your passcode. When Touch ID is turned on, the keys aren’t discarded when the device locks, and are, instead, wrapped with a key that’s given to the Touch ID subsystem inside the Secure Enclave. When you attempt to unlock the device and Touch ID recognizes your fingerprint, it provides the key for unwrapping the Data Protection keys, and the device is unlocked. The keys needed for Touch ID to unlock the device are lost if the device reboots, and are discarded by the Secure Enclave after 48 hours or five failed Touch ID recognition attempts.
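A constructed Python model of the key-handling policy just described, added here as an illustration and not Apple’s code: it substitutes a toy XOR-with-HMAC-stream wrap for the Secure Enclave’s real key wrapping (an assumption; the page does not detail the scheme) and tracks the reboot, 48-hour and five-failure conditions under which the Touch ID key is discarded and the passcode becomes required.

```python
import hashlib, hmac, secrets
TOUCH_ID_TIMEOUT_S = 48 * 3600  # Touch ID keys discarded after 48 hours locked
MAX_FAILED_MATCHES = 5          # ...or after five failed fingerprint matches

def xor_wrap(key: bytes, kek: bytes) -> bytes:
    # Toy stand-in for the Secure Enclave's key wrapping (assumption, not Apple's
    # scheme): XOR with an HMAC-derived stream, so applying it twice unwraps.
    stream = hmac.new(kek, b"class-key-wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(key, stream))

class EnclaveModel:
    def __init__(self, passcode_key: bytes, touch_id_enabled: bool):
        self.touch_id_enabled, self.passcode_key = touch_id_enabled, passcode_key
        self.class_key = secrets.token_bytes(32)  # Data Protection class "Complete" key
        self.by_passcode = xor_wrap(self.class_key, passcode_key)  # passcode path
        self.wrapped = self.touch_id_key = self.locked_at = None   # Touch ID path
        self.failed = 0

    def lock(self, now: float) -> None:
        if self.touch_id_enabled:  # keep class key, wrapped with a Touch ID-held key
            self.touch_id_key = secrets.token_bytes(32)
            self.wrapped = xor_wrap(self.class_key, self.touch_id_key)
            self.locked_at = now
        self.class_key = None      # Touch ID off: class key simply discarded

    def discard_touch_id_key(self) -> None:  # also what a reboot does
        self.wrapped = self.touch_id_key = None
        self.failed = 0

    def touch_id_unlock(self, finger_matches: bool, now: float) -> bool:
        if self.touch_id_key is None:
            return False  # nothing to unwrap with: passcode required
        if now - self.locked_at > TOUCH_ID_TIMEOUT_S:
            self.discard_touch_id_key()
            return False  # 48-hour limit exceeded
        if not finger_matches:
            self.failed += 1
            if self.failed >= MAX_FAILED_MATCHES:
                self.discard_touch_id_key()  # fifth failure: passcode required
            return False
        self.class_key = xor_wrap(self.wrapped, self.touch_id_key)  # unwrap on match
        self.failed = 0
        return True

    def passcode_unlock(self, passcode_key: bytes) -> bool:
        if not hmac.compare_digest(passcode_key, self.passcode_key):
            return False
        self.class_key, self.failed = xor_wrap(self.by_passcode, passcode_key), 0
        return True

    def data_accessible(self) -> bool:  # are class "Complete" files readable?
        return self.class_key is not None
```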
As Apple explains, the Touch ID sensor is active only when the capacitive steel ring around the home button detects a finger. That triggers an imaging array that scans your finger and sends the resulting image to the Secure Enclave. The scan is temporarily stored in encrypted memory within the Secure Enclave as it’s vectorized for analysis, and then it’s discarded. The analysis uses sub-dermal ridge flow angle mapping, which discards some of the data that would be required to reconstruct your actual fingerprint. The resulting map is stored without any identity information in an encrypted format that can only be read by the Secure Enclave.