Apple Platform Security: Magic Keyboard With Touch ID

Apple’s Platform Security Guide has a good page on the details of how Touch ID works with the new Magic Keyboard and Apple Silicon Macs:

The Magic Keyboard with Touch ID performs the role of the biometric sensor; it doesn’t store biometric templates, perform biometric matching, or enforce security policies (for example, having to enter the password after 48 hours without an unlock). The Touch ID sensor in the Magic Keyboard with Touch ID must be securely paired to the Secure Enclave on the Mac before it can be used, and then the Secure Enclave performs the enrollment and matching operations and enforces security policies in the same way it would for a built-in Touch ID sensor. Apple performs the pairing process in the factory for a Magic Keyboard with Touch ID that is shipped with a Mac. Pairing can also be performed by the user if needed. A Magic Keyboard with Touch ID can be securely paired with only one Mac at a time, but a Mac can maintain secure pairings with up to five different Magic Keyboard with Touch ID keyboards.

So I was wrong in my article on “secure intent” this week — the Magic Keyboard with Touch ID does not contain its own local Secure Enclave. It pairs with the Secure Enclave in the Mac. But this contradicts the Platform Security page about “secure intent”, which states: “the connection is a physical link — from a physical button to the Secure Enclave”. The Magic Keyboard with Touch ID has a wireless, not physical, link to the paired Mac’s Secure Enclave. This Platform Security Guide page has details about how Apple makes that work securely.

The Magic Keyboard with Touch ID and built-in Touch ID sensors are compatible. If a finger that was enrolled on a built-in Mac Touch ID sensor is presented on a Magic Keyboard with Touch ID, the Secure Enclave in the Mac successfully processes the match — and vice versa.

I did not know this — nifty.

Friday, 4 June 2021