Apple’s Platform Security guide has a good page on the details of how Touch ID works with the new Magic Keyboard and Apple Silicon Macs:
The Magic Keyboard with Touch ID performs the role of the
biometric sensor; it doesn’t store biometric templates, perform
biometric matching, or enforce security policies (for example,
having to enter the password after 48 hours without an unlock).
The Touch ID sensor in the Magic Keyboard with Touch ID must be
securely paired to the Secure Enclave on the Mac before it can be
used, and then the Secure Enclave performs the enrollment and
matching operations and enforces security policies in the same way
it would for a built-in Touch ID sensor. Apple performs the
pairing process in the factory for a Magic Keyboard with Touch ID
that is shipped with a Mac. Pairing can also be performed by the
user if needed. A Magic Keyboard with Touch ID can be securely
paired with only one Mac at a time, but a Mac can maintain secure
pairings with up to five different Magic Keyboard with Touch ID
So I was wrong in my article on “secure intent” this week — the Magic Keyboard With Touch ID does not contain its own local Secure Enclave. It relies on the Secure Enclave in the Mac it is paired with. But this contradicts the Platform Security page about “secure intent”, which states: “the connection is a physical link — from a physical button to the Secure Enclave”. The Magic Keyboard With Touch ID has a wireless, not physical, link to the paired Mac’s Secure Enclave. This Platform Security guide page has details about how Apple makes that work securely.
The Magic Keyboard with Touch ID and built-in Touch ID sensors are
compatible. If a finger that was enrolled on a built-in Mac Touch
ID sensor is presented on a Magic Keyboard with Touch ID, the
Secure Enclave in the Mac successfully processes the match — and
I did not know this — nifty.
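To make the division of responsibility in the two quoted passages concrete (the keyboard is only a sensor; the Mac’s Secure Enclave owns pairing, templates, matching and policy; one Mac per keyboard and up to five keyboards per Mac; password required after 48 hours without an unlock; a finger enrolled on the built-in sensor matching on the keyboard), here is a toy Python model. This is an added example, not Apple’s code, and it says nothing about how the Secure Enclave really implements pairing or matching. The hash-as-template stand-in, the rule that pairing with a new Mac drops the old pairing, the “password required before the first unlock” starting state, and all names and sample inputs are modeling assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Set

MAX_KEYBOARDS_PER_MAC = 5                 # "up to five different Magic Keyboard with Touch ID"
PASSWORD_FALLBACK_SECONDS = 48 * 60 * 60  # "password after 48 hours without an unlock"


def make_template(finger_image: bytes) -> bytes:
    """Stand-in for template extraction (assumption: a hash of the captured image)."""
    return hashlib.sha256(finger_image).digest()


@dataclass
class TouchIDSensor:
    """The sensor side (keyboard or built-in): captures and forwards only.
    It deliberately has no template store, no matcher and no policy state."""
    serial: str
    paired_to: Optional["SecureEnclave"] = None   # at most one Mac at a time

    def capture(self, finger_image: bytes) -> bytes:
        if self.paired_to is None:
            raise RuntimeError("sensor is not paired to any Secure Enclave")
        return finger_image


class SecureEnclave:
    """The Mac side: owns pairings, templates, matching and policy enforcement."""

    def __init__(self, mac_name: str) -> None:
        self.mac_name = mac_name
        self.paired_serials: Set[str] = set()
        self.templates: Dict[str, bytes] = {}           # templates never leave here
        self.last_unlock_at: Optional[float] = None    # assumption: None => password needed

    def pair(self, sensor: TouchIDSensor) -> None:
        if sensor.serial in self.paired_serials:
            return
        if len(self.paired_serials) >= MAX_KEYBOARDS_PER_MAC:
            raise ValueError(f"{self.mac_name}: already paired with {MAX_KEYBOARDS_PER_MAC} sensors")
        # Assumption: pairing with a new Mac replaces the sensor's previous pairing.
        if sensor.paired_to is not None:
            sensor.paired_to.paired_serials.discard(sensor.serial)
        sensor.paired_to = self
        self.paired_serials.add(sensor.serial)

    def _capture_from(self, sensor: TouchIDSensor, finger_image: bytes) -> bytes:
        # Only a sensor paired to this enclave may feed it captures.
        if sensor.serial not in self.paired_serials or sensor.paired_to is not self:
            raise PermissionError(f"{sensor.serial} is not paired to {self.mac_name}")
        return sensor.capture(finger_image)

    def unlock_with_password(self, now: float) -> None:
        self.last_unlock_at = now

    def enroll(self, label: str, sensor: TouchIDSensor, finger_image: bytes) -> None:
        raw = self._capture_from(sensor, finger_image)
        self.templates[label] = make_template(raw)

    def try_unlock(self, sensor: TouchIDSensor, finger_image: bytes, now: float) -> str:
        # Policy is checked here, not on the sensor: outside the 48h window the
        # biometric path is refused regardless of what the finger looks like.
        if self.last_unlock_at is None or now - self.last_unlock_at > PASSWORD_FALLBACK_SECONDS:
            return "password_required"
        candidate = make_template(self._capture_from(sensor, finger_image))
        for label, template in self.templates.items():
            if hmac.compare_digest(candidate, template):
                self.last_unlock_at = now
                return "unlocked:" + label
        return "no_match"


def demo() -> Dict[str, object]:
    """Walk through the behaviours the guide describes, on constructed inputs."""
    mac = SecureEnclave("MacBook Pro")
    builtin = TouchIDSensor("builtin-sensor")
    keyboard = TouchIDSensor("magic-keyboard-1")
    mac.pair(builtin)            # built-in sensor, paired in the factory
    mac.pair(keyboard)           # keyboard, paired in the factory or by the user
    mac.unlock_with_password(now=0.0)
    mac.enroll("right-index", builtin, b"constructed ridge pattern A")   # enrolled on built-in
    results: Dict[str, object] = {
        "keyboard_matches_builtin_enrollment":
            mac.try_unlock(keyboard, b"constructed ridge pattern A", now=60.0),
        "wrong_finger": mac.try_unlock(keyboard, b"constructed ridge pattern B", now=120.0),
        "after_48h": mac.try_unlock(keyboard, b"constructed ridge pattern A",
                                    now=60.0 + PASSWORD_FALLBACK_SECONDS + 1),
        "keyboard_holds_templates": hasattr(keyboard, "templates"),
    }
    other_mac = SecureEnclave("iMac")
    other_mac.pair(keyboard)     # keyboard moves to a second Mac; old pairing is dropped
    try:
        mac.try_unlock(keyboard, b"constructed ridge pattern A", now=180.0)
        results["old_mac_after_repair"] = "accepted"
    except PermissionError:
        results["old_mac_after_repair"] = "rejected"
    for i in range(2, MAX_KEYBOARDS_PER_MAC + 1):
        other_mac.pair(TouchIDSensor(f"magic-keyboard-{i}"))   # fill the five slots
    try:
        other_mac.pair(TouchIDSensor("magic-keyboard-6"))
        results["sixth_keyboard"] = "accepted"
    except ValueError:
        results["sixth_keyboard"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the split is that nothing worth stealing lives on the keyboard: a captured `TouchIDSensor` carries no templates and cannot decide anything on its own, and swapping it to another Mac silently invalidates its standing with the first one. That is also why a finger enrolled through the built-in sensor matches on the keyboard in the model: both sensors feed the same enclave-held template store.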
★ Friday, 4 June 2021