Uses for Touch ID and Face ID
Unlocking a device or user account
With Touch ID or Face ID disabled, when a device or account locks, the keys for the highest class of Data Protection—which are held in the Secure Enclave—are discarded. The files and keychain items in that class are inaccessible until the user unlocks the device or account by entering their passcode or password.
With Touch ID or Face ID enabled, the keys aren’t discarded when the device or account locks; instead, they’re wrapped with a key that’s given to the Touch ID or Face ID subsystem inside the Secure Enclave. When a user attempts to unlock the device or account, if the device detects a successful match, it provides the key for unwrapping the Data Protection keys, and the device or account is unlocked. This process provides additional protection by requiring cooperation between the Data Protection and Touch ID or Face ID subsystems to unlock the device.
When the device restarts, the keys required for Touch ID or Face ID to unlock the device or account are lost; they’re discarded by the Secure Enclave after any condition is met that requires passcode or password entry.
Securing purchases with Apple Pay
The user can also use Touch ID and Face ID with Apple Pay to make easy and secure purchases in stores, apps, and on the web:
Using Touch ID: For Touch ID, the intent to pay is confirmed using the gesture of activating the Touch ID sensor combined with successfully matching the user’s fingerprint.
Using Face ID in stores: To authorize an in-store payment with Face ID, the user must first confirm intent to pay by double-clicking the side button. This double-click captures user intent using a physical gesture directly linked to the Secure Enclave and is resistant to forgery by a malicious process. The user then authenticates using Face ID before placing the device near the contactless payment reader. A different Apple Pay payment method can be selected after Face ID authentication, which requires reauthentication, but the user won’t have to double-click the side button again.
Using Face ID in apps and on the web: To make a payment within apps and on the web, the user confirms their intent to pay by double-clicking the side button and then authenticates using Face ID to authorize the payment. If the Apple Pay transaction isn’t completed within 60 seconds of double-clicking the side button, the user must reconfirm intent to pay by double-clicking again.
Using system-provided APIs
Third-party apps can use system-provided APIs to ask the user to authenticate using Touch ID or Face ID or a passcode or password, and apps that support Touch ID automatically support Face ID without any changes. When using Touch ID or Face ID, the app is notified only as to whether the authentication was successful; it can’t access Touch ID, Face ID, or the data associated with the enrolled user.
Protecting keychain items
Keychain items can also be protected with Touch ID or Face ID, to be released by the Secure Enclave only by a successful match or with the device passcode or account password. App developers have APIs to verify that a passcode or password has been set by the user before requiring Touch ID or Face ID or a passcode or password to unlock keychain items. App developers can do any of the following:
Require that authentication API operations don’t fall back to an app password or the device passcode. They can query whether a user is enrolled, allowing Touch ID or Face ID to be used as a second factor in security-sensitive apps.
Generate and use Elliptic Curve Cryptography (ECC) keys inside the Secure Enclave that can be protected by Touch ID or Face ID. Operations with these keys are always performed inside the Secure Enclave after it authorizes their use.
Making and approving purchases
Users can also configure Touch ID or Face ID to approve purchases from the iTunes Store, the App Store, Apple Books, and more, so users donʼt have to enter their Apple ID password. When purchases are made, the Secure Enclave verifies that a biometric authorization occurred and then releases ECC keys used to sign the store request.