Uses for Optic ID, Face ID, and Touch ID
How a device’s Data Protection keys work varies depending on whether its Optic ID, Face ID, or Touch ID is turned on or off.
Unlocking a device or user account
With Optic ID, Face ID, or Touch ID turned off, when a device or account is locked, the keys for the highest class of Data Protection—which are held in the Secure Enclave—are discarded. The files and keychain items in that class are inaccessible until the user unlocks the device or account by entering their passcode or password.
With Optic ID, Face ID, or Touch ID turned on, the keys aren’t discarded when the device or account locks; instead, they’re wrapped with a key that’s given to the Optic ID, Face ID, or Touch ID subsystem inside the Secure Enclave. When a user attempts to unlock the device or account, if the device detects a successful match, it provides the key for unwrapping the Data Protection keys, and the device or account is unlocked. This process provides additional protection by requiring cooperation between the Data Protection and Optic ID, Face ID, or Touch ID subsystems to unlock the device.
When the device restarts, the keys required for Optic ID, Face ID, or Touch ID to unlock the device or account are lost; they’re discarded by the Secure Enclave after any condition is met that requires passcode or password entry.
Securing purchases with Apple Pay
The user can also use Optic ID, Face ID, and Touch ID with Apple Pay to make easy and secure purchases in stores, apps, and on the web:
Using Face ID in stores: To authorize an in-store payment with Face ID, the user must first confirm intent to pay by double-clicking the side button. This double-click captures user intent using a physical gesture directly linked to the Secure Enclave and is resistant to forgery by a malicious process. The user then authenticates using Face ID before placing the device near the contactless payment reader. A different Apple Pay payment method can be selected after Face ID authentication, which requires reauthentication, but the user won’t have to double-click the side button again.
Using Optic ID or Face ID in apps and on the web: To make a payment within apps and on the web, the user confirms their intent to pay by double-clicking the side button (on iPhone or iPad) or the top button (on Apple Vision Pro), and then authenticates using Optic ID or Face ID to authorize the payment. If the Apple Pay transaction isn’t completed within 60 seconds of double-clicking the side button or the top button, the user must reconfirm intent to pay by double-clicking again.
Using Touch ID: For Touch ID, the intent to pay is confirmed using the gesture of activating the Touch ID sensor combined with successfully matching the user’s fingerprint.
Using system-provided APIs
Third-party apps can use system-provided APIs to ask the user to authenticate using Optic ID, Face ID, Touch ID, or a passcode or password. Apps that support Touch ID automatically support Optic ID and Face ID without any changes. When using Optic ID, Face ID, or Touch ID, the app is notified only as to whether the authentication was successful; it can’t access Optic ID, Face ID, or Touch ID or the data associated with the enrolled user.
Protecting keychain items
Keychain items can also be protected with Optic ID, Face ID, or Touch ID, so that the Secure Enclave releases them only after a successful match or entry of the device passcode or account password. App developers have APIs to verify that a passcode or password has been set by the user before requiring Optic ID, Face ID, Touch ID, or a passcode or password to unlock keychain items. App developers can do any of the following:
Require that authentication API operations don’t fall back to an app password or the device passcode. They can query whether a user is enrolled, allowing Optic ID, Face ID, or Touch ID to be used as a second factor in security-sensitive apps.
Generate and use Elliptic Curve Cryptography (ECC) keys inside the Secure Enclave that can be protected by Optic ID, Face ID, or Touch ID. Operations with these keys are always performed inside the Secure Enclave after it authorizes their use.
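The following Swift example is added here to illustrate the API surface described in the two passages above (system-provided authentication APIs, and biometric-protected keychain items and Secure Enclave ECC keys); it is not code from Apple's guide. It checks that a passcode is set, builds a biometrics-only LocalAuthentication context with the passcode fallback removed, generates a P-256 key inside the Secure Enclave that can only be used after a match against the currently enrolled biometric set, and signs and verifies a message. The tag string, function names and sample message are assumptions chosen for the example; it needs a physical device with a passcode and enrolled biometrics (the Secure Enclave is not present in the Simulator) and an NSFaceIDUsageDescription entry in the app's Info.plist.

```swift
import Foundation
import Security
import LocalAuthentication

/// Hypothetical application tag used to find the key again later (example value).
let exampleKeyTag = "com.example.biometric-signing-key"

/// True only when the user has set a device passcode; biometric-gated keychain
/// items and Secure Enclave keys cannot be created without one.
func devicePasscodeIsSet() -> Bool {
    var error: NSError?
    return LAContext().canEvaluatePolicy(.deviceOwnerAuthentication, error: &error)
}

/// A context that accepts biometrics only: the policy offers no passcode
/// fallback, and the empty fallback title hides the "Enter Passcode" button.
func biometricsOnlyContext() -> LAContext? {
    let context = LAContext()
    var error: NSError?
    guard context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &error) else {
        return nil  // nothing enrolled, or biometry is locked out
    }
    context.localizedFallbackTitle = ""
    return context
}

/// Generates a P-256 private key that never leaves the Secure Enclave. The access
/// control requires a device passcode plus a match against the biometric set
/// enrolled right now: re-enrolling a face or finger makes the key permanently
/// unusable (.biometryCurrentSet), whereas .biometryAny would keep working.
func makeBiometricSecureEnclaveKey(tag: String) throws -> SecKey {
    var cfError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        [.privateKeyUsage, .biometryCurrentSet],
        &cfError
    ) else { throw cfError!.takeRetainedValue() as Error }

    let attributes: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,
            kSecAttrApplicationTag as String: Data(tag.utf8),
            kSecAttrAccessControl as String: access,
        ],
    ]
    guard let key = SecKeyCreateRandomKey(attributes as CFDictionary, &cfError) else {
        throw cfError!.takeRetainedValue() as Error
    }
    return key
}

/// Looks the key up again, binding the biometrics-only context to the query so
/// the Secure Enclave prompts with that context (and no passcode fallback).
func loadBiometricKey(tag: String, context: LAContext) -> SecKey? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassKey,
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrApplicationTag as String: Data(tag.utf8),
        kSecReturnRef as String: true,
        kSecUseAuthenticationContext as String: context,
    ]
    var item: CFTypeRef?
    guard SecItemCopyMatching(query as CFDictionary, &item) == errSecSuccess else { return nil }
    return (item as! SecKey)
}

/// Signs inside the Secure Enclave; the user is prompted for Optic ID, Face ID
/// or Touch ID before the enclave authorizes the operation. The app only ever
/// sees the signature, never the private key or any biometric data.
func signInSecureEnclave(_ message: Data, with key: SecKey) throws -> Data {
    var cfError: Unmanaged<CFError>?
    guard let signature = SecKeyCreateSignature(
        key, .ecdsaSignatureMessageX962SHA256, message as CFData, &cfError
    ) else { throw cfError!.takeRetainedValue() as Error }
    return signature as Data
}

/// Verification needs only the public key, which may leave the enclave.
func verify(_ signature: Data, for message: Data, with key: SecKey) -> Bool {
    guard let publicKey = SecKeyCopyPublicKey(key) else { return false }
    return SecKeyVerifySignature(publicKey, .ecdsaSignatureMessageX962SHA256,
                                 message as CFData, signature as CFData, nil)
}

// Usage on a device: reuse the stored key if present, otherwise create it.
func demo() {
    guard devicePasscodeIsSet(), let context = biometricsOnlyContext() else {
        print("Set a passcode and enroll biometrics first"); return
    }
    do {
        let key = try loadBiometricKey(tag: exampleKeyTag, context: context)
            ?? makeBiometricSecureEnclaveKey(tag: exampleKeyTag)
        let message = Data("constructed sample message".utf8)  // constructed input
        let signature = try signInSecureEnclave(message, with: key)
        print("signature valid:", verify(signature, for: message, with: key))
    } catch {
        print("Secure Enclave operation failed:", error)
    }
}
```

Because the signing key can be exercised only after a biometric match with no passcode fallback, a server that has already checked a password can treat a valid signature over a fresh server-issued challenge as the second factor the passage describes. Choosing .biometryCurrentSet is the stricter option: an attacker who knows the passcode and enrolls their own face or finger invalidates the key instead of gaining use of it, at the cost of the app having to re-provision the key after any legitimate re-enrollment.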
Making and approving purchases
Users can also configure Optic ID, Face ID, or Touch ID to approve purchases from the iTunes Store, the App Store, Apple Books, and more, so users donʼt have to enter their Apple Account password. When purchases are made, the Secure Enclave verifies that a biometric authorization occurred and then releases ECC keys used to sign the store request.
Locking and hiding apps
On devices with iOS 18, iPadOS 18, or later, Face ID and Touch ID can be used to access apps that the user decided to lock or hide.