How Touch ID works: Making sense of Apple's fingerprint identity sensor
Touch ID is Apple's name for their new biometric fingerprint authentication technology. With it, the Home button can now unlock your iPhone 5s and authorize your purchases on the iTunes Store. In the perpetual battle between security and convenience, where many people would rather go without a passcode or strong password than fuss with anything complicated on mobile, Touch ID aims to do for authentication what iCloud did for backup and restore - make it easy enough that people will actually use it. Here's Apple's pitch:
Entering a password on the original iPhone was incredibly painful. You couldn't paste a password in, and you couldn't even glimpse the characters you were typing in as you typed them. That led to a high error rate, which led to high frustration levels, which led to people reducing the complexity and strength of their passwords.
Eventually Apple increased security by allowing for strong passwords instead of simple passcodes to unlock devices, and they increased convenience by showing the character being typed in for a few seconds. They also added copy and paste. Yet mobile keyboards, especially virtual ones, still sucked for password entry, especially strong ones. It sucked so much many people continued to leave passcodes turned off, and keep their iTunes passwords simple and easy to enter. And that's not good for anybody.
Your finger is your passport
The Home button is incredibly important on a mainstream computing device like the iPhone. Not only is it an easy way to wake the system, it's an escape hatch that can return anybody, no matter how lost or stressed or frustrated or confused, to a known state - the Home screen. That also makes it the perfect place to put the Touch ID sensor.
The chain is pretty clever. A highly scratch-resistant sapphire glass lens protects the assembly and focuses the sensor, while a color-matched steel ring surrounds it, waiting to detect your finger. When that's triggered, the capacitive Touch ID sensor activates and takes what's effectively a high-resolution snapshot of your fingerprint. The fingerprint is compared against what's stored in the secure enclave on the Apple A7 chipset, and if the unique characteristics in the arches, loops, or whorls match, you're instantly authenticated and your iPhone 5s will unlock or your iTunes purchase will be authorized.
That being the case, Apple seems to be targeting Touch ID squarely at the masses. By contrast, Apple doesn't seem to be addressing higher security needs, or at least not yet. Although we'll have to wait until it ships to know for sure, Apple hasn't said anything about enabling Touch ID as part of a multi-factor authentication system. In other words, adding fingerprints (something you are) on top of a password (something you know). Multi-factor authentication is desirable - sometimes mandatory - in government and enterprise.
If you don't want to use Touch ID, you can still use an old-school passcode or password, or - but please don't - nothing.
Touch ID prioritizes convenience but there are some situations where it will lock down and force you to enter your 4-digit passcode or strong alphanumeric password instead.
- If Touch ID hasn't been used in 48 hours, you'll need to enter your passcode or password to re-enable it.
- If your iPhone has been rebooted or reset, you'll need to enter your passcode or password to re-enable it.
- If a fingerprint isn't recognized 5 times in a row, you'll need to enter your passcode or password to re-enable it.
- If a remote lock has been sent via Find my iPhone, you'll need to enter your passcode or password to re-enable it.
In all of these cases, Apple is defaulting to a secure state to help protect your data and your iPhone.
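The four lock-down rules above can be read as a small fail-secure state machine. The sketch below is an added example, not Apple's code: the `BiometricGate` class, its method names and the sample timeline are hypothetical, and it assumes that entering the passcode also restarts the 48-hour timer.

```python
from dataclasses import dataclass

MAX_FAILED_MATCHES = 5      # "5 times in a row" (from the article)
IDLE_LIMIT = 48 * 3600      # "48 hours" (from the article), in seconds

@dataclass
class BiometricGate:
    """Hypothetical model: the fingerprint is a shortcut layered on the passcode."""
    passcode_required: bool = True   # fail-secure default: a fresh boot needs the passcode
    failed_matches: int = 0
    last_use: float = 0.0            # assumption: passcode entry also restarts the 48h timer

    def reboot(self):
        self.passcode_required, self.failed_matches = True, 0

    def remote_lock(self):
        self.passcode_required = True

    def try_fingerprint(self, matched, now):
        if now - self.last_use >= IDLE_LIMIT:
            self.passcode_required = True
        if self.passcode_required:
            return "passcode_required"   # even a matching finger is refused
        if matched:
            self.failed_matches, self.last_use = 0, now
            return "unlocked"
        self.failed_matches += 1
        if self.failed_matches >= MAX_FAILED_MATCHES:
            self.passcode_required = True
        return "rejected"

    def enter_passcode(self, correct, now):
        if not correct:
            return "rejected"
        self.passcode_required, self.failed_matches, self.last_use = False, 0, now
        return "unlocked"

def replay(events):  # feed (method, *args) events to a fresh gate, collect outcomes
    gate, out = BiometricGate(), []
    for method, *args in events:
        out.append(getattr(gate, method)(*args) or method)
    return out

# Constructed timeline (seconds since boot), not real device data.
SAMPLE = [("try_fingerprint", True, 10), ("enter_passcode", True, 20),
          ("try_fingerprint", True, 30),
          *[("try_fingerprint", False, 40 + i) for i in range(5)],
          ("try_fingerprint", True, 50), ("remote_lock",)]
print(replay(SAMPLE))
```

Once any rule trips, a matching finger gets the same answer as a wrong one, and only the passcode clears the state.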
I don't see dead people
The Touch ID sensor is wafer thin, measuring only 170 microns. However, it can take 550ppi scans, which allows for a good level of detail analysis. It's also capacitive and reads the fingerprint at a sub-dermal level. That means it's not reading the dead skin on the top of your finger, but the new, living skin beneath the surface. That makes it less likely to be fooled by fake fingerprints, severed fingers, and other sci-fi spy movie tropes.
Touch ID is also orientation independent, and can read your fingerprint in 360 degrees. That's right, according to Apple, you're never going to be holding it wrong.
Five finger friendly
You train Touch ID by holding a finger repeatedly against the Home button, and every time you use it, it gets better at recognizing that finger. You can also train Touch ID to recognize up to 5 fingers. Either up to 5 of yours, on either hand, or up to 5 split between you, your family members, friends, colleagues, etc.
That's important for environments where, for example, an administrator is managing a large number of devices for Enterprise, or in a household where several people might need access to the same device.
Touch ID. The first part of the name describes the mechanism. The second part describes the goal. It's a fingerprint identity sensor. That's important because Identity is the next big digital land-grab. Everyone wants to not only know who we are, but be able to prove it. Facebook and Google do it by demanding we broadcast our real names and give them phone numbers lest we risk being locked out of our own accounts. Apple is doing it with fingerprints, which are intimately more personal, though far less public. And while that may have some advantages, it also has a downside.
First, using fingerprints to authenticate transactions also proves you're the one who made the transaction. There's no more "I must have left my phone on the table and someone else did [insert potentially embarrassing or illegal thing here]."
Second, it's much easier - and even legally accepted depending on the jurisdiction - to get someone to put their finger on a sensor than it is to get them to divulge a passcode or password.
Third, while Apple has gone out of its way to insist biometric fingerprint data is locked away on the A7 chipset, never made available to any software beyond the Touch ID sensor, and never uploaded to their servers or synced to iCloud, once data exists, it exists.
Some people might not care about that at all, convenience trumping privacy, and security trumping freedom. Those who are already taping over webcams and microphones will likely want to put an opaque sticker over Touch ID as well.
There's been some speculation about Touch ID being the gateway to multiuser accounts, particularly on the iPad. While new iPads are expected next month, multiuser would be a non-trivial addition to iOS architecture, and given all the work going into the current updates, one Apple might not have the bandwidth to address this time around.
You can never say never, and Touch ID certainly could be part of an Apple multiuser solution for iOS; it just seems unlikely that solution is imminent.
Update: iOS 8
Apple has announced iOS 8 and, with it, made Touch ID accessible to developers. No one gets access to fingerprint data, not even iOS itself, but the Keychain can now authenticate based on Touch ID yes/no tokens, and pass that authentication on to apps.
Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.
I don't know how valuable fingerprint data is (since most people's fingerprints are already in the system for one reason or another), but the concerns of the covert collection of personal data can't be dismissed as mere FUD anymore.
But painful...or incredibly painful?
Um, maybe if you have advanced arthritis....or nerdworld problems.
--Chill out, stop being so paranoid, & use this slick new feature if you grab a 5s
For most people, this is not an issue about self-importance or any organization having a "personal" interest in an individual. It's not about delusional paranoia or conspiracy theories either.
It's about the progressive erosion of legal rights and freedoms by a system set up to protect us from threats. We definitely want the protection provided by this system, but it comes at a price of certain liberties in order to do the job they were created to do.
The issue is when we start to become prisoners and victims to the system we created to protect us - and, more importantly, how to deal with the potential of our rottweiler losing its sense of who it's supposed to protect and ripping out our own throats.
The weapons and methods we employ to protect us, can just as easily harm us if turned against us.
There is significant concern that each thing we give up in the name of security, is one small step towards the absolute hell of a police state - a situation extremely difficult to reverse once it's been established. Just check around the rest of the world.
People have a tremendous desire to prevent that from happening to America. There used to be a time when you could just buy your ticket and get on a plane. Now, in the interest of protecting us, the system has to assume everyone is a potential terrorist and take security actions to prove that assumption wrong.
The danger is a system/society without trust that assumes we're a threat until we "prove otherwise" - it becomes a police state when that mode becomes entrenched and/or is exploited for gains.
Collection of personal information is the fuel and foundation for such a system.
Fascism is strong for security, but masses of unorganized people rallied around common general principles are stronger, as we've seen in guerrilla warfare and nontraditional defensive retaliation (see the American Revolution).