If Touch ID is turned off, when a device locks, the keys for Data Protection class
Complete, which are held in the Secure Enclave, are discarded. The files and keychain
items in that class are inaccessible until the user unlocks the device by entering his
or her passcode.
With Touch ID turned on, the keys are not discarded when the device locks; instead,
they’re wrapped with a key that is given to the Touch ID subsystem inside the Secure
Enclave. When a user attempts to unlock the device, if Touch ID recognizes the user’s
fingerprint, it provides the key for unwrapping the Data Protection keys, and the
device is unlocked. This process provides additional protection by requiring the
Data Protection and Touch ID subsystems to cooperate in order to unlock the device.
The keys needed for Touch ID to unlock the device are lost if the device reboots
and are discarded by the Secure Enclave after 48 hours or five failed Touch ID
recognition attempts. In each of these cases the user must enter the passcode before
Touch ID can unlock the device again.
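The key lifecycle described above, as an added model that is not Apple's Secure Enclave code: the class Complete key is wrapped under a key handed to the Touch ID subsystem when the device locks, is unwrapped only on a successful fingerprint match, and the Touch ID key is discarded on reboot, after 48 hours, or after five failed matches, leaving the passcode as the only way back in. The class name `SecureEnclaveModel`, the HMAC-based toy key wrap, the derivation of the class key from a passcode-derived key, and the injectable clock are assumptions made for this example; the real Secure Enclave uses AES and its own key hierarchy.

```python
# Added model (not Apple's code) of the Data Protection / Touch ID key lifecycle.
# SecureEnclaveModel, the toy HMAC key wrap and the class-key derivation are assumptions.
import hashlib
import hmac
import secrets
import time

TOUCH_ID_KEY_LIFETIME = 48 * 60 * 60   # seconds, per the passage above
MAX_FAILED_MATCHES = 5                 # per the passage above
UNLOCKED, NO_MATCH, PASSCODE_REQUIRED = "unlocked", "no-match", "passcode-required"


def _keystream(key: bytes, length: int) -> bytes:
    # Toy HMAC-SHA256 counter-mode keystream; stands in for the SEP's real AES wrap.
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def wrap_key(kek: bytes, class_key: bytes) -> bytes:
    """Wrap class_key under kek: XOR with keystream, then append an HMAC tag."""
    body = bytes(a ^ b for a, b in zip(class_key, _keystream(kek, len(class_key))))
    return body + hmac.new(kek, body, hashlib.sha256).digest()


def unwrap_key(kek: bytes, blob: bytes):
    """Inverse of wrap_key; returns None if kek is not the key the blob was wrapped with."""
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kek, body, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(body, _keystream(kek, len(body))))


class SecureEnclaveModel:
    """State held by the Secure Enclave for class Complete, with Touch ID on or off."""

    def __init__(self, passcode_key, enrolled_print, touch_id_enabled=True,
                 clock=time.monotonic):
        self._passcode_key = passcode_key
        self._enrolled = enrolled_print
        self._touch_id_enabled = touch_id_enabled
        self._clock = clock          # injectable so the 48-hour limit can be exercised
        self._class_key = None       # plaintext class Complete key, present only while unlocked
        self._wrapped = None         # class key wrapped under the Touch ID key
        self._touch_id_kek = None    # key handed to the Touch ID subsystem
        self._issued_at = None
        self._failed = 0

    def class_complete_available(self):
        return self._class_key is not None

    def touch_id_can_unlock(self):
        return self._touch_id_kek is not None

    def unlock_with_passcode(self, passcode_key):
        if not hmac.compare_digest(passcode_key, self._passcode_key):
            return False
        # Class key re-derived from the passcode-derived key (model, not Apple's KDF).
        self._class_key = hmac.new(passcode_key, b"class-complete", hashlib.sha256).digest()
        if self._touch_id_enabled:
            # A fresh key is given to the Touch ID subsystem; timer and counter restart.
            self._touch_id_kek = secrets.token_bytes(32)
            self._issued_at = self._clock()
            self._failed = 0
        return True

    def lock(self):
        if self._class_key is not None and self._touch_id_kek is not None:
            self._wrapped = wrap_key(self._touch_id_kek, self._class_key)
        self._class_key = None       # with Touch ID off nothing is kept: passcode only

    def _discard_touch_id_keys(self):
        self._touch_id_kek = self._wrapped = self._issued_at = None
        self._failed = 0

    def unlock_with_touch_id(self, candidate_print):
        if self._touch_id_kek is None or self._wrapped is None:
            return PASSCODE_REQUIRED
        if self._clock() - self._issued_at > TOUCH_ID_KEY_LIFETIME:
            self._discard_touch_id_keys()          # 48-hour limit
            return PASSCODE_REQUIRED
        if not hmac.compare_digest(candidate_print, self._enrolled):
            self._failed += 1
            if self._failed >= MAX_FAILED_MATCHES:
                self._discard_touch_id_keys()      # five failed recognitions
                return PASSCODE_REQUIRED
            return NO_MATCH
        self._class_key = unwrap_key(self._touch_id_kek, self._wrapped)
        self._failed = 0
        return UNLOCKED

    def reboot(self):
        self._class_key = None       # everything volatile is lost on restart
        self._discard_touch_id_keys()
```

The point the model makes concrete is that the plaintext class key never survives a lock in either configuration; what Touch ID adds is a second, independently held key whose loss (reboot, timeout, failed matches) silently degrades the device to passcode-only without touching the passcode-protected key hierarchy itself.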