Apple is researching ways to let multiple users share Touch ID and other biometric systems on a Mac. The crucial part of the research is ensuring that the security level offered by the Secure Enclave is not compromised.
Apple's T2 chip contains the Secure Enclave that stores users' biometric details. Each time a user unlocks their Mac or authenticates a purchase, the Secure Enclave confirms the user's identity, so only authenticated users gain access. Touch ID on the Mac works well for an individual, but it leaves out an important use case: in some households several members share the same Mac. Once a user has unlocked the machine, they can reach all of their own information and personal files; conversely, a user may need to be restricted from certain features when logged into another person's account.
Apple's latest patent is titled "Provision of Domains in Secure Enclave to Support Multiple Users." It explores extending Touch ID on the Mac to multiple users, while also highlighting the complications that arise from doing so. For that reason the patent concentrates on the access level granted to each user rather than on the specifics of where biometric data is stored and how it is handled, and it explains how group keys need to be created to grant the different levels of access.
Passcodes are less secure
The patent claims that a passcode does not offer the level of security Touch ID does. It says, "The computing device can prevent unauthorized access to stored data using protection mechanisms including presenting a login screen that requires a user to provide a user name/password combination and/or a numeric or alphanumeric passcode." It goes on to explain that attackers can gain access to the system without knowing the password "if the data is stored in an unencrypted way."
The Secure Enclave will also increase the wait time after each unsuccessful authentication attempt. Apple says, "The secure processor is further configured to delay authentication of the request for a first period of time in response to a determination that the user account associated with a received set of credentials has exceeded a first number of successive failed authentication attempts." [via USPTO]
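The escalating-delay behaviour in the patent excerpt above, shown as an added Python example (not Apple's code and not taken from the patent): a per-account throttle that lets the first few failures through, then doubles the lockout on each further failure, refuses to examine credentials at all while an account is locked, and resets the counter on a successful login. The credential store, the salt, the free-failure threshold and the delay schedule are assumptions for illustration; the patent does not specify them.

```python
"""Per-account authentication throttle with escalating delay after failures.

Added illustration; the user table, salt and policy numbers are assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
import time
from dataclasses import dataclass

# Constructed credential store: salted PBKDF2 hashes standing in for whatever
# the secure processor actually consults. Iteration count kept low for speed.
SALT = b"constructed-salt"
ITERATIONS = 20_000


def _hash(password: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, SALT, ITERATIONS)


USERS = {"alice": _hash(b"correct horse")}

# Assumed policy: the first FREE_FAILURES attempts incur no delay; after that
# the lockout starts at BASE_DELAY seconds and doubles per failure, capped.
FREE_FAILURES = 3
BASE_DELAY = 1.0
MAX_DELAY = 3600.0


@dataclass
class AccountState:
    failures: int = 0      # successive failed attempts since last success
    locked_until: float = 0.0  # monotonic timestamp before which attempts are refused


class Throttle:
    def __init__(self, clock=time.monotonic):
        # Injectable clock so the schedule can be exercised without sleeping.
        self.clock = clock
        self.state: dict[str, AccountState] = {}

    def delay_for(self, failures: int) -> float:
        """Seconds of lockout imposed after the given number of successive failures."""
        if failures < FREE_FAILURES:
            return 0.0
        return min(BASE_DELAY * 2 ** (failures - FREE_FAILURES), MAX_DELAY)

    def authenticate(self, user: str, password: bytes) -> tuple[bool, float]:
        """Return (ok, seconds the caller must wait before the next attempt)."""
        st = self.state.setdefault(user, AccountState())
        now = self.clock()
        if now < st.locked_until:
            # Refuse without checking the credential. The attempt is not counted,
            # so an attacker cannot extend a victim's lockout indefinitely by spamming.
            return False, st.locked_until - now
        expected = USERS.get(user)
        # Hash unconditionally so an unknown user costs the same as a known one
        # and the response time does not reveal which usernames exist.
        candidate = _hash(password)
        ok = expected is not None and hmac.compare_digest(candidate, expected)
        if ok:
            self.state[user] = AccountState()  # success clears the failure history
            return True, 0.0
        st.failures += 1
        wait = self.delay_for(st.failures)
        st.locked_until = now + wait
        return False, wait


if __name__ == "__main__":
    t = Throttle()
    for attempt in range(5):
        ok, wait = t.authenticate("alice", b"guess%d" % attempt)
        print(f"attempt {attempt + 1}: ok={ok} wait={wait:.0f}s")
```

The throttle is keyed per account rather than per source, which matches the patent's wording ("the user account associated with a received set of credentials has exceeded a first number of successive failed authentication attempts"); a real deployment would also want a per-client limit so one account's lockout cannot be used to deny service to its owner.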