How Touch ID works: Making sense of Apple's fingerprint identity sensor

Touch ID is Apple's name for their new biometric fingerprint authentication technology. With it, the Home button can now unlock your iPhone 5s and authorize your purchases on the iTunes Store. In the perpetual battle between security and convenience, where many people would rather go without a passcode or strong password than fuss with anything complicated on mobile, Touch ID aims to do for authentication what iCloud did for backup and restore - make it easy enough that people will actually use it. Here's Apple's pitch:

Put your finger on the Home button, and just like that your iPhone unlocks. It's a convenient and highly secure way to access your phone. Your fingerprint can also approve purchases from iTunes Store, the App Store, and the iBooks Store, so you don't have to enter your password. And Touch ID is capable of 360-degree readability. Which means no matter what its orientation — portrait, landscape, or anything in between — your iPhone reads your fingerprint and knows who you are. And because Touch ID lets you enroll multiple fingerprints, it knows the people you trust, too.

Entering a password on the original iPhone was incredibly painful. You couldn't paste a password in, and you couldn't even glimpse the characters you were typing in as you typed them. That led to a high error rate, which led to high frustration levels, which led to people reducing the complexity and strength of their passwords.

Eventually Apple increased security by allowing for strong passwords instead of simple passcodes to unlock devices, and they increased convenience by showing the character being typed in for a few seconds. They also added copy and paste. Yet mobile keyboards, especially virtual ones, still sucked for password entry, especially strong ones. It sucked so much many people continued to leave passcodes turned off, and keep their iTunes passwords simple and easy to enter. And that's not good for anybody.

Your finger is your passport

The Home button is incredibly important on a mainstream computing device like the iPhone. Not only is it an easy way to wake the system, it's an escape hatch that can return anybody, no matter how lost or stressed or frustrated or confused, to a know state - the Home screen. That also makes it the perfect place to put the Touch ID sensor.

The chain is pretty clever. A highly scratch-resistant sapphire glass lens protects the assembly and focuses the sensor, while a color-matched steel ring surrounds it, waiting to detect your finger. When that's triggered, the capacitive Touch ID sensor activates and takes what's effectively a high-resolution snapshot of your fingerprint. The fingerprint is compared against what's stored in the secure enclave on the Apple A7 chipset, and if the unique characteristics in the arches, loops, or whorls match, you're instantly authenticated and your iPhone 5s will unlock or your iTunes purchase will be authorized.

That being the case, Apple seems to be targeting Touch ID squarely at the masses. By contrast, Apple doesn't seem be addressing higher security needs, or at least not yet. Although we'll have to wait until it ships to know for sure, Apple hasn't said anything about enabling TouchID as part of a multi-factor authentication system. In other words, adding fingerprints (something you are) on top of a password (something you know). Multi-factor authentication is desirable - sometimes mandatory - in government and enterprise.

If you don't want to use Touch ID, you can still use an old-school passcode or password, or - but please don't - nothing.

Fail secure

Touch ID prioritizes convenience but there are some situations where it will lock down and force you to enter your 4-digit passcode or strong alphanumeric password instead.

  1. If Touch ID hasn't been used in 48 hours, you'll need to enter your passcode or password to re-enable it.
  2. If your iPhone has been rebooted or reset, you'll need to enter your passcode or password to re-enable it.
  3. If a fingerprint isn't recognized 5 times in a row, you'll need to enter your passcode or password to re-enable it.
  4. If a remote lock has been sent via Find my iPhone, you'll need to enter your passcode or password to re-enable it.

In all of these cases, Apple is defaulting to a secure state to help protect your data and your iPhone.

I don't see dead people

The Touch ID sensor is wafer thin, measuring only 170 microns. However, it can take 550ppi scans, which allows for a good level of detail analysis. It's also capacitive and reads the fingerprint at a sub-dermal level. That means it's not reading the dead skin on the top of your finger, but the new, living skin beneath the surface. That makes it less likely to be fooled by fake fingerprints, severed fingers, and other sci-fi spy movie tropes.

Touch ID is also orientation independent, and can read your fingerprint in 360 degrees. That's right, according to Apple, you're never going to be holding it wrong.

Five finger friendly

You train Touch ID by holding a finger repeatedly against the Home button, and every time you use it it gets better at recognizing that finger. You can also train Touch ID to recognize up to 5 fingers. Either a up to 5 of yours, on either hand, or up to 5 of yours, your family members, friends, colleagues, etc.

That's important for environments where, for example, an administrator is managing a large number of devices for Enterprise, or in a household where several people might need access to the same device.

Implausible deniability

Touch ID. The first part of the name describes the mechanism. The second part describes the goal. It's a fingerprint identity sensor. That's important because Identity is the next big digital land-grab. Everyone wants to not only know who we are, but be able to prove it. Facebook and Google do it by demanding we broadcast our real names and give them phone numbers lest we risk being locked out of our own accounts. Apple is doing it with fingerprints, which are intimately more personal, though far less public. And while that may have some advantages, it also has a downside.

First, using fingerprints to authenticate transactions also proves you're the one who made the transaction. There's no more "I must have left my phone on the table and someone else did [insert potentially embarrassing or illegal thing here]."

Second, it's much easier - and even legally accepted depending on the jurisdiction - to get someone to put their finger on a sensor than it is to get them to divulge a passcode or password.

Third, while Apple has gone out of its way to insist biometric fingerprint data is locked away on the A7 chipset, never made available to any software beyond the Touch ID sensor, and never uploaded to their servers or synced to iCloud, once data exists, it exists.

Some people might not care about that at all, convenience trumping privacy, and security trumping freedom. Those who are already taping over webcams and microphones will likely want to put an opaque sticker over Touch ID as well.

Multiuser musings

There's been some speculation about TouchID being the gateway to multiuser accounts, particularly on the iPad. While new iPads are expected next month, multiuser would be a non-trivial addition to iOS architecture, and given all the work going into the current updates, one Apple might not have the bandwidth to address this time around.

You can never say never, and Touch ID certainly could be part of an Apple multiuser solution for iOS, it just seems unlikely that solution is imminent.

Update: iOS 8

Apple has announced iOS 8 and, with it, made Touch ID accessible to developers. No one gets access to fingerprint data, not even iOS itself, but the Keychain can now authenticate based on Touch ID yes/no tokens, and pass that authentication on to apps.

How to get more help with Touch ID