How Touch ID works: Making sense of Apple's fingerprint identity sensor

Touch ID is Apple's name for their new biometric fingerprint authentication technology. With it, the Home button can now unlock your iPhone 5s and authorize your purchases on the iTunes Store. In the perpetual battle between security and convenience, where many people would rather go without a passcode or strong password than fuss with anything complicated on mobile, Touch ID aims to do for authentication what iCloud did for backup and restore - make it easy enough that people will actually use it. Here's Apple's pitch:

Put your finger on the Home button, and just like that your iPhone unlocks. It's a convenient and highly secure way to access your phone. Your fingerprint can also approve purchases from iTunes Store, the App Store, and the iBooks Store, so you don't have to enter your password. And Touch ID is capable of 360-degree readability. Which means no matter what its orientation — portrait, landscape, or anything in between — your iPhone reads your fingerprint and knows who you are. And because Touch ID lets you enroll multiple fingerprints, it knows the people you trust, too.

Entering a password on the original iPhone was incredibly painful. You couldn't paste a password in, and you couldn't even glimpse the characters you were typing in as you typed them. That led to a high error rate, which led to high frustration levels, which led to people reducing the complexity and strength of their passwords.

Eventually Apple increased security by allowing for strong passwords instead of simple passcodes to unlock devices, and they increased convenience by showing the character being typed in for a few seconds. They also added copy and paste. Yet mobile keyboards, especially virtual ones, still sucked for password entry, especially strong ones. It sucked so much many people continued to leave passcodes turned off, and keep their iTunes passwords simple and easy to enter. And that's not good for anybody.

Your finger is your passport

The Home button is incredibly important on a mainstream computing device like the iPhone. Not only is it an easy way to wake the system, it's an escape hatch that can return anybody, no matter how lost or stressed or frustrated or confused, to a known state - the Home screen. That also makes it the perfect place to put the Touch ID sensor.

The chain is pretty clever. A highly scratch-resistant sapphire glass lens protects the assembly and focuses the sensor, while a color-matched steel ring surrounds it, waiting to detect your finger. When that's triggered, the capacitive Touch ID sensor activates and takes what's effectively a high-resolution snapshot of your fingerprint. The fingerprint is compared against what's stored in the secure enclave on the Apple A7 chipset, and if the unique characteristics in the arches, loops, or whorls match, you're instantly authenticated and your iPhone 5s will unlock or your iTunes purchase will be authorized.

That being the case, Apple seems to be targeting Touch ID squarely at the masses. By contrast, Apple doesn't seem to be addressing higher security needs, or at least not yet. Although we'll have to wait until it ships to know for sure, Apple hasn't said anything about enabling Touch ID as part of a multi-factor authentication system. In other words, adding fingerprints (something you are) on top of a password (something you know). Multi-factor authentication is desirable - sometimes mandatory - in government and enterprise.

If you don't want to use Touch ID, you can still use an old-school passcode or password, or - but please don't - nothing.

Fail secure

Touch ID prioritizes convenience but there are some situations where it will lock down and force you to enter your 4-digit passcode or strong alphanumeric password instead.

  1. If Touch ID hasn't been used in 48 hours, you'll need to enter your passcode or password to re-enable it.
  2. If your iPhone has been rebooted or reset, you'll need to enter your passcode or password to re-enable it.
  3. If a fingerprint isn't recognized 5 times in a row, you'll need to enter your passcode or password to re-enable it.
  4. If a remote lock has been sent via Find my iPhone, you'll need to enter your passcode or password to re-enable it.

In all of these cases, Apple is defaulting to a secure state to help protect your data and your iPhone.
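
As an added illustration (not Apple's code and not part of the original article), the four lock-down conditions above can be modeled as a small state machine. The class and method names are hypothetical, and resetting the failure streak on a successful match is an assumption the article does not state.

```python
from dataclasses import dataclass

IDLE_LIMIT_S = 48 * 3600   # condition 1: Touch ID not used in 48 hours
MAX_FAILURES = 5           # condition 3: 5 unrecognized prints in a row

@dataclass
class TouchIDPolicy:
    """Toy model of the four lock-down conditions listed above."""
    last_used: float = 0.0          # time of the last successful unlock
    failures: int = 0               # consecutive unrecognized prints
    passcode_required: bool = True  # a freshly booted device starts locked down

    def reboot(self):               # condition 2: reboot or reset
        self.passcode_required = True

    remote_lock = reboot            # condition 4: Find my iPhone lock, same effect

    def enter_passcode(self, now, correct):
        if correct:                 # only a correct passcode re-enables Touch ID
            self.passcode_required = False
            self.failures = 0
            self.last_used = now
        return correct

    def touch(self, now, matches):
        """Return True only if this touch unlocks the device."""
        if now - self.last_used >= IDLE_LIMIT_S:
            self.passcode_required = True
        if self.passcode_required:
            return False            # fail secure: even a valid print is refused
        if not matches:
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.passcode_required = True
            return False
        self.failures = 0           # assumption: a match resets the streak
        self.last_used = now
        return True

def demo():
    """Constructed scenario: returns the outcome of each valid-print touch."""
    p, out = TouchIDPolicy(), []
    out.append(p.touch(10, True))                  # fresh boot: refused
    p.enter_passcode(20, True)
    out.append(p.touch(30, True))                  # enabled: unlocks
    for t in range(5):
        p.touch(40 + t, False)                     # five misses in a row
    out.append(p.touch(50, True))                  # locked down: refused
    p.enter_passcode(60, True)
    out.append(p.touch(60 + IDLE_LIMIT_S, True))   # 48 h idle: refused
    p.enter_passcode(61 + IDLE_LIMIT_S, True)
    p.remote_lock()
    out.append(p.touch(62 + IDLE_LIMIT_S, True))   # remote lock: refused
    return out
```

The point of the model is that every lock-down path ends in the same state, and the only way out of that state is the passcode, never the fingerprint.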

I don't see dead people

The Touch ID sensor is wafer thin, measuring only 170 microns. However, it can take 550ppi scans, which allows for a good level of detail analysis. It's also capacitive and reads the fingerprint at a sub-dermal level. That means it's not reading the dead skin on the top of your finger, but the new, living skin beneath the surface. That makes it less likely to be fooled by fake fingerprints, severed fingers, and other sci-fi spy movie tropes.

Touch ID is also orientation independent, and can read your fingerprint in 360 degrees. That's right, according to Apple, you're never going to be holding it wrong.

Five finger friendly

You train Touch ID by holding a finger repeatedly against the Home button, and every time you use it, it gets better at recognizing that finger. You can also train Touch ID to recognize up to 5 fingers: either up to 5 of your own, on either hand, or up to 5 split among you, your family members, friends, colleagues, etc.

That's important for environments where, for example, an administrator is managing a large number of devices for Enterprise, or in a household where several people might need access to the same device.

Implausible deniability

Touch ID. The first part of the name describes the mechanism. The second part describes the goal. It's a fingerprint identity sensor. That's important because Identity is the next big digital land-grab. Everyone wants to not only know who we are, but be able to prove it. Facebook and Google do it by demanding we broadcast our real names and give them phone numbers lest we risk being locked out of our own accounts. Apple is doing it with fingerprints, which are intimately more personal, though far less public. And while that may have some advantages, it also has a downside.

First, using fingerprints to authenticate transactions also proves you're the one who made the transaction. There's no more "I must have left my phone on the table and someone else did [insert potentially embarrassing or illegal thing here]."

Second, it's much easier - and even legally accepted depending on the jurisdiction - to get someone to put their finger on a sensor than it is to get them to divulge a passcode or password.

Third, while Apple has gone out of its way to insist biometric fingerprint data is locked away on the A7 chipset, never made available to any software beyond the Touch ID sensor, and never uploaded to their servers or synced to iCloud, once data exists, it exists.

Some people might not care about that at all, convenience trumping privacy, and security trumping freedom. Those who are already taping over webcams and microphones will likely want to put an opaque sticker over Touch ID as well.

Multiuser musings

There's been some speculation about Touch ID being the gateway to multiuser accounts, particularly on the iPad. While new iPads are expected next month, multiuser would be a non-trivial addition to iOS architecture, and given all the work going into the current updates, one Apple might not have the bandwidth to address this time around.

You can never say never, and Touch ID certainly could be part of an Apple multiuser solution for iOS; it just seems unlikely that solution is imminent.

Update: iOS 8

Apple has announced iOS 8 and, with it, made Touch ID accessible to developers. No one gets access to fingerprint data, not even iOS itself, but the Keychain can now authenticate based on Touch ID yes/no tokens, and pass that authentication on to apps.

Rene Ritchie
Contributor

Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.

47 Comments
  • I've heard some people's points of view on it and they are paranoid. I myself believe Apple that they will not release the fingerprint info. Companies like HP have been doing it for years on their computers. The fact that you cannot bypass the fingerprint scanner is concerning. Also the thought of having a database of fingerprints at the touch of a button is scary also. I have heard people say the info is going right to NSA in Utah.
  • Watch the video... the fingerprint is scanned... converted into a numerical representation that gets encrypted and stored only on the phone's system chip. It goes nowhere else. All that "it gets sent to the NSA" is a load of bovine processed feed grains being passed to stir FUD... fear, uncertainty, doubt.
  • I bet people said the same thing prior to the latest revelations about the NSA activities...
    I don't know how valuable fingerprint data is (since most people's fingerprints are already in the system for one reason or another), but the concerns of the covert collection of personal data can't be dismissed as mere FUD anymore.
  • If the NSA wanted your prints, they got em already... they don't need to go through your iPhone5S to get them... your privacy is far more at risk from everyday activity than it ever will be from Apple's print scanner on the 5S. The incessant whining about the print scanner is feature envy from denizens of other platforms that hate on what they don't have.
  • Thank you!......if people really think Apple putting this fingerprint scanner on the 5s is just what organizations like NSA have been waiting for to collect your info, then I don't have too much faith in people's common sense anymore.
  • You can bypass the fingerprint reader by using a passcode instead.
  • Mikells43, you are right a lot of them are paranoid, though I think a lot of them are the Foil hat government conspiracy brigade. As for other information that may worry you. Maybe I was mistaken but didn't Phil Schiller state 'categorically' during the presentation that the fingerprint data is not even stored anywhere other than inside the physical processor. I presume that it has memory in there that will store it and it never leaves the phone. Though these are the same people that don't realize that a capacitive fingerprint sensor doesn't actually read the fingerprint it reads the changes to the capacitive field in the sensor. Your body changes ever so slightly depending on the time of day and the sensor will slowly learn to interpret these variations and compensate. For those that believe that they will have their finger cut off and taken with their phone. This type of sensor will not be able to read an amputated finger. Unlike the screen that uses the same principle of detecting a change in the capacitive field that is picked up by the sensors, because it reads the variations to the capacitance as opposed to the finger print holding the 'dead' finger may activate the scanner but it will not read the fingerprint in the same way because the capacitive characteristics change. That is why it takes more than one read to set up the fingerprint and that is why it has to continually learn as it goes. Would I worry about having my fingerprints on the iPhone? No. Did I worry when I used my Toshiba laptop a few years ago with it's fingerprint scanner? Not really, apart from the authentic reader used a scanner and it was sometimes a five to 10 minute task to get it to unlock the laptop! I eventually turned it off! Since as a matter of course, having become a Naturalized Citizen of the USA my DNA, Fingerprints, photograph and everything else have been shared with the FBI, Homeland Security and probably NSA and anyone else It doesn't give me the slightest concern. 
Would I buy the iPhone 5S? No. Why? I am waiting for my Contract with Verizon to end and then will look at the Rivals. I don't have a decent signal in half of the area where I am working and even where I live and wasn't until I was in Pasadena and experienced LTE there compared with LTE at home that I realized that my service was worse than appalling. Nothing to do with Fingerprint scanner or anything else and by the time my Verizon Contract Expires It will be time for the next iPhone to be out and I can choose both a new carrier and have the next iPhone.
  • So people will have to use the scanner? So no more passwords? Yea, might be concerning.....
  • No, we will not *have* to use it. They're trying to get people to have some responsibility and security with their devices, and this is one other solution being presented to do so, since most people won't take the 2 seconds to enter a passcode.
  • Yknow, anywhere you go, anything you touch, your fingerprints are available for "them" to have. If you work in government, finance, law enforcement, or any sort of secure type industry, you've already been fingerprinted so "they" already have you on file. I don't honestly believe Apple is going to release the information, and I don't honestly believe the NSA is going to work around anything to get to it for 99.9999999% of the population. I am not particularly concerned about this...I know my husband feels very "Minority Report" about all of it, but I feel like the time to have been concerned about it happening was years ago, and it's all well beyond our control at this point.
  • Honey. I'm your husband. Don't blog all day. Come to sleep.
  • Creepy. How would you post this with no device in the bedroom since I have ALL OF THEM in my possession...
  • He's sending these comments from the CPU chips where a brain should be (He's been a robot spy for the govt this whole time, run!!!!!!)
  • Awesome. Post of the day.
  • If Apple says it's stored on the chip, and not uploaded to Apple's servers or to iCloud (which would be a daft place to store it, since that's completely broken and useless) then I believe them. This is a great feature. Possibly the most compelling reason to upgrade.
  • If it's stored on the chip, which it sounds like, and never goes off of the device then there is nothing to worry about. And you don't have to use it, you can not set it up and use your 4 digit pin if you are still worried for some reason. Further, lots of iPhone users are fingerprinted for their jobs- law enforcement, government, doctors, lawyers, and lots of others with state licenses. They already have you on file and nothing bad has happened, so the tin foil hat is a little too soon.
  • They say it's stored on the chip, but Verizon also said that your info is secure on their servers, and the NSA got all the call and text info from a chunk of time earlier this year. So yea..
  • The NSA isn't some rogue hacker, which is what Verizon was most likely referring to when they were discussing having secure servers.
  • Any of the Carriers will give this information to the authorities and most times they won't even wait for a warrant or court order to be served they will just offer it out. Really the only people that have something to worry about are those that have something to hide. I have bigger worries than what the NSA, FBI, CIA, or anyone else reads in my emails and text messages. They can listen in on my phone calls. Heck the ex-missus did it for years. LOL
  • Pity I won't be able to use it. Would be awesome to set it to let my 3 year old unlock my phone but then not be able to buy apps. Apparently it's "trust all" no matter what. On the other hand, I've heard from people who have played with the phone that you can use your nose print if you don't have a spare finger. Useful for those days on the slopes when you don't want to take your gloves off. :)
  • Yes you can, there is a setting by which you can allow Touch ID to unlock but not to buy apps.
  • I imagine that any living surface you put to the sensor can be read. Nose, elbow, knuckle or whatever. It's going to create the mathematical representation of that surface and store it. Doesn't really matter what it is I wouldn't think.
  • Fingerprints are unique, other surfaces are not. I don't think that will work. IF it did work, you probably wouldn't be able to scan it again. It's not like you get elbow prints done by the Feds. There is a biological reason for that.
  • Before people post they should educate themselves so they don't sound uneducated. First of all the fingerprint information is stored on the ARM chip inside the phone not Apple's servers. If you don't trust it then you can continue using a password to unlock your phone. It's the media that has made this NSA thing an issue. They write headlines so people will read their articles. Apple is trying to improve security since half of mobile phone owners use no security password. Besides if the NSA wants your fingerprint there's lots of ways for them to get it. I just don't think Apple or any of the tech companies are willing participants with the NSA. Please don't forget the NSA answers to the President and we voted him into office. If we don't hold elected officials accountable and vote blindly then we have no one to blame but ourselves.
  • I don't know what folks think the NSA would do with their fingerprints anyway. I speculate people WANT to be concerned about being watched because the reality is most of them lead boring lives. I was in the military, that fingerprint ship has sailed. Give me the dang phone.
  • "Entering a password on the original iPhone was incredibly painful." Incredibly painful?
    Huh?
    It's annoying.
    But painful...or incredibly painful?
    Um, maybe if you have advanced arthritis....or nerdworld problems.
  • Next iPhone will have a scanner that flips the page following your eye movement and probably take a retina scan. Then a lick screen to unlock with the DNA in your saliva. All culminating in the famous iPhone blood scan (a little needle will come out the top and you'll have to prick your finger to unlock your phone). In the meantime big brother will be gathering and selling all this personal info to the NSA. Nice