Why Apple’s Face ID Is Important

Apple is holding an event tomorrow to introduce new iPhone models. A number of new features in iOS 11 have been seen for some time both in Apple’s presentation in June and in beta versions of the software that are accessible to developers and to certain members of the public. One new feature that will be on one or all of the new iPhone models is Face ID. This authentication technology will replace Touch ID, which lets you unlock an iPhone using a fingerprint. Touch ID also lets you authenticate for purchases and for certain apps. This technology is secure enough to use for payments, such as Apple Pay, and even banking apps.

But Touch ID does not work for everyone. Some people try recording their fingerprints many times and never get the feature to work for them reliably. It has worked for me since the very first iPhone on which it was available, but, for example, my partner cannot get it to work on her devices.

Apple’s Face ID will extend the use of this secure authentication technology to people who cannot get it to work on iPhones or iPads. But I think one reason Apple is introducing this technology is to provide similar authentication features for the Mac.

The security system in the iPhone and iPad depends on something called the “secure enclave,” a special coprocessor that handles the cryptographic operations for Data Protection key management on these devices. Here is how Apple describes it:

The Secure Enclave is a coprocessor fabricated in the Apple S2, Apple A7, and later A-series processors. It uses encrypted memory and includes a hardware random number generator. The Secure Enclave provides all cryptographic operations for Data Protection key management and maintains the integrity of Data Protection even if the kernel has been compromised. Communication between the Secure Enclave and the application processor is isolated to an interrupt-driven mailbox and shared memory data buffers.

[…]

The Secure Enclave is responsible for processing fingerprint data from the Touch ID sensor, determining if there is a match against registered fingerprints, and then enabling access or purchases on behalf of the user. Communication between the processor and the Touch ID sensor takes place over a serial peripheral interface bus. The processor forwards the data to the Secure Enclave but can’t read it. It’s encrypted and authenticated with a session key that is negotiated using the device’s shared key that is provisioned for the Touch ID sensor and the Secure Enclave.

Because of this approach, it is not possible to offer Touch ID on a desktop computer such as an iMac, unless the device contains a fingerprint sensor on its body. The secure enclave must be on the same device; it cannot be on, say, a Bluetooth keyboard. Yet I’m sure Apple wants to bring a more streamlined authentication feature to its computers. Face ID would allow this, and, while it is possible that current Macs do not contain this chip, it will be simple to add it to new Macs. This would allow for quicker login and authentication, especially to use Apple Pay, which the company is hoping will create a long-term revenue stream.
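To make the point about the channel between the sensor and the secure enclave concrete, here is an added example, written for this post and not code from Apple. It models the three parties Apple's description names: a sensor that holds a provisioned shared key, an application processor that only relays bytes and holds no key, and an enclave that derives the same session key, checks the authentication tag and compares the sample against the enrolled template. The derivation function (HMAC-SHA256 over both sides' nonces), the AES-256-GCM channel, the nonce sizes and every key and template value are assumptions chosen for the demo; Apple does not publish those details. The point the code shows is why the pieces must share one device: a relay that tampers with the message, or a sensor that lacks the provisioned key, cannot get anything past the enclave.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// ProvisionedKey stands in for the per-device key that Apple describes as
// provisioned for the Touch ID sensor and the Secure Enclave. Constructed value
// for this demo; on a real device it never leaves hardware.
var ProvisionedKey = []byte("constructed-demo-shared-key-32by")

// DeriveSessionKey turns the shared key plus one nonce from each side into a
// per-session key. HMAC-SHA256 as the derivation is an assumption of this demo.
func DeriveSessionKey(shared, sensorNonce, enclaveNonce []byte) []byte {
	mac := hmac.New(sha256.New, shared)
	mac.Write([]byte("touchid-session-v1"))
	mac.Write(sensorNonce)
	mac.Write(enclaveNonce)
	return mac.Sum(nil) // 32 bytes, used directly as an AES-256 key
}

// Seal is the sensor side: encrypt and authenticate one fingerprint sample under
// the session key with AES-256-GCM. Output layout is nonce || ciphertext || tag.
func Seal(sessionKey, sample []byte) ([]byte, error) {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, sample, nil), nil
}

// Open is the enclave side: verify the tag, then decrypt. A message altered in
// transit, or sealed under a key derived from a different shared key, fails here.
func Open(sessionKey, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(msg) < gcm.NonceSize() {
		return nil, errors.New("message too short")
	}
	nonce, ct := msg[:gcm.NonceSize()], msg[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Relay models the application processor: it forwards bytes it cannot read.
// The tamper flag lets the demo show that even a compromised relay is detected.
func Relay(msg []byte, tamper bool) []byte {
	out := append([]byte(nil), msg...)
	if tamper && len(out) > 0 {
		out[len(out)-1] ^= 0x01 // flips a bit in the GCM tag
	}
	return out
}

// Match stands in for the enclave's comparison against the enrolled template.
// Real fingerprint matching is fuzzy; constant-time equality keeps the demo honest.
func Match(enrolled, sample []byte) bool {
	return subtle.ConstantTimeCompare(enrolled, sample) == 1
}

// Exchange runs one authentication round and reports whether the enclave accepted
// it. Separate key arguments for sensor and enclave let a caller model a sensor
// that was never provisioned with the device's shared key.
func Exchange(sharedAtSensor, sharedAtEnclave, enrolled, sample []byte, tamper bool) (bool, error) {
	sensorNonce, enclaveNonce := make([]byte, 16), make([]byte, 16)
	if _, err := rand.Read(sensorNonce); err != nil {
		return false, err
	}
	if _, err := rand.Read(enclaveNonce); err != nil {
		return false, err
	}
	// Each side derives the session key from its own copy of the shared key;
	// the nonces travel in the clear, the shared key never does.
	kSensor := DeriveSessionKey(sharedAtSensor, sensorNonce, enclaveNonce)
	kEnclave := DeriveSessionKey(sharedAtEnclave, sensorNonce, enclaveNonce)
	sealed, err := Seal(kSensor, sample)
	if err != nil {
		return false, err
	}
	plain, err := Open(kEnclave, Relay(sealed, tamper))
	if err != nil {
		return false, err
	}
	return Match(enrolled, plain), nil
}

func main() {
	enrolled := []byte("constructed fingerprint template") // constructed demo value
	ok, err := Exchange(ProvisionedKey, ProvisionedKey, enrolled, enrolled, false)
	fmt.Println("provisioned sensor, honest relay:", ok, err)
	ok, err = Exchange(ProvisionedKey, ProvisionedKey, enrolled, enrolled, true)
	fmt.Println("relay tampers with message:", ok, err)
	ok, err = Exchange([]byte("sensor lacking the device key"), ProvisionedKey, enrolled, enrolled, false)
	fmt.Println("sensor without provisioned key:", ok, err)
}
```

The second and third runs are the ones that matter for the argument in this post: the processor in the middle sees only ciphertext and a tag, so it can neither read the sample nor change it without the enclave noticing, and a sensor that does not share the enclave's provisioned key produces messages the enclave simply rejects. That shared key is set at manufacture for a specific sensor and enclave pair, which is why the enclave has to live on the same device as the sensor rather than, say, in a Bluetooth keyboard.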

Apple may not announce Face ID for the Mac tomorrow, or they may say that recent Macs already include this chip and that this feature will be available with macOS High Sierra. But if they don’t bring it to the Mac tomorrow, expect to see Face ID on the Mac very soon.