APPLE’S NEW MACBOOK Pro is thinner and faster than its predecessor. It comes in a sleek space grey color. It even has an OLED touch bar that can conjure up everything from emoji to Photoshop shortcuts to (let’s be honest) more emoji. The most important MacBook Pro upgrade, though, is how much more easily it will secure your digital life.
The new MacBook Pro includes Touch ID, a fingerprint scanning technology familiar to anyone with an iPhone. In fact, fingerprint identification has become a staple among almost all flagship smartphones. It’s simply how we log onto our mobile devices now. Enterprise laptops have deployed comparable biometric security measures for years.
But Touch ID on the MacBook Pro represents a significant advancement in security, not just for Apple fans but for the entire industry. It’s also going to change how you use your MacBook Pro more than a touch bar ever could.
You’ve Got the Touch
Passwords are and always have been a necessary nightmare. They’re too hard to remember, too easy to crack, and often end up as part of some massive corporate server breach anyway (sorry, Myspace fans).
Do you know what suffers from none of those deficiencies? Your fingerprint. And with Touch ID, that’s what you can now use to unlock your Mac, pay for items online, and even replace the bulk of your passwords altogether. It can recognize multiple fingerprints, allowing for secure, simple access to multiple profiles on the same device.
“This could be a huge boon for authentication,” says Thomas Reed, director of Mac offerings at security firm Malwarebytes. “It’s stronger than a password, but easy for even a novice to use. Used in conjunction with a good password manager, it could hugely improve the user’s online security.”
The potential use cases are limitless. There’s simply logging on, sure, but as Apple pushes Apple Pay onto the web, Touch ID will allow for more and more payments that are both safer and more convenient. Some bank apps are already Touch ID-compatible, and it shouldn’t take long for most retailers to hop on board as well, given that it also protects them from embarrassing, damaging leaks. Popular password manager 1Password has already teased its MacBook Touch ID upgrade.
What makes Touch ID such an improvement isn’t just ease of use but the way the fingerprints are stored. Your biometric information stays on your device, rather than connecting with some far-flung, potentially vulnerable server somewhere.
That’s possible because Touch ID and similar biometric systems rely on asymmetric cryptography, explains Stephanie Schuckers, director of the Center for Identification Technology Research at Clarkson University. In that setup, there’s no shared key between your MacBook Pro and whatever server you’re connecting to. “The private key, the important part that you want to keep secret, is stored on the device,” Schuckers says, and can’t be seen by the app or service on the other end.
More simply put, no matter what you use Touch ID for, your fingerprint won’t wind up on any computer but your own, making it nearly impossible to hack unless someone has direct access to your device. That’s thanks to the other big addition to the MacBook Pro: Secure Enclave.
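The challenge-response shape Schuckers describes, as an added illustration (not from the article and not Apple's actual Touch ID or Secure Enclave code): the device keeps a fingerprint template and an Ed25519 private key, the server receives only the public key, and a login is a signature over a fresh server-issued challenge. The fingerprint bytes and the hash-comparison match step are constructed stand-ins for a real sensor and matcher.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Device is the MacBook side: the enrolled template and private key never leave it.
type Device struct {
	template [32]byte // hash of a constructed sample fingerprint, standing in for a real template
	priv     ed25519.PrivateKey
}
// Server is the app or service on the other end: it only ever holds the public key.
type Server struct{ pub ed25519.PublicKey }
// Enroll generates the device key pair and registers only the public half with the server.
func Enroll(fingerprint []byte) (*Device, *Server, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{template: sha256.Sum256(fingerprint), priv: priv}, &Server{pub: pub}, nil
}
// Challenge issues a fresh random nonce so a captured signature cannot be replayed.
func (s *Server) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Sign releases a signature over the challenge only if the presented fingerprint
// matches the local template; the fingerprint itself is never transmitted.
func (d *Device) Sign(fingerprint, challenge []byte) ([]byte, error) {
	if sha256.Sum256(fingerprint) != d.template {
		return nil, errors.New("fingerprint does not match enrolled template")
	}
	return ed25519.Sign(d.priv, challenge), nil
}
// Verify accepts the login only if the signature checks out under the registered public key.
func (s *Server) Verify(challenge, sig []byte) bool { return ed25519.Verify(s.pub, challenge, sig) }

func main() {
	d, s, _ := Enroll([]byte("constructed-sample-fingerprint")) // constructed sensor reading
	c, _ := s.Challenge()
	sig, _ := d.Sign([]byte("constructed-sample-fingerprint"), c)
	fmt.Println("server accepted login:", s.Verify(c, sig))
}
```

A breach of the server side yields only the public key, which cannot produce a valid signature, and a stolen fingerprint alone is useless without the device that holds the private key.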
Enclave Dwellers
Secure Enclave is technically a coprocessor that Apple developed to run cryptographic operations, but it’s perhaps best to think of it as your Apple device’s very own vault. It’s how the iPhone has stored fingerprints for years, and until now, MacBooks did not have the equivalent. It’s also going to benefit more than just your fingerprint.
In the MacBook, the Secure Enclave is part of Apple’s new T1 processor, meaning it’s tied explicitly to the touch bar and Touch ID. It’s also, though, in charge of your webcam, a small but important difference.
“In previous generations of MacBook the webcam light was software controlled—which meant that an attacker who compromised your OS could potentially activate the camera without turning on the light,” says Johns Hopkins University cryptography expert Matthew Green. “Adding a separate secure processor could make this much harder to do.”
Green says it also means that Apple’s FileVault encryption can be backed by hardware, rather than software, making your hard drive more secure as well. In fact, the presence of a Secure Enclave should quarantine the most important things on your computer from all manner of outside influence.
“Infecting the system with malware should not result in the ability to steal keys stored in the Secure Enclave,” says Reed. “Even brute force attacks on the hardware itself are designed to fail. This means that data can be encrypted with little to no chance of an unauthorized party decrypting it.”
The Best of Both Worlds
Stories pop up from time to time about the downsides of biometric security, and it’s true that it’s not invincible. Fingerprints can be mimicked, after all, with enough putty and patience.
Those concerns are often overblown, though, says Schuckers, especially when you consider the type of scale at which most security violations happen today.
“Certainly it’s possible that someone steals your fingerprint,” says Schuckers. “But that’s really not a scalable attack. In this model, where the fingerprint is stored locally, you have to steal the device as well.”
Even the case of the recent OPM hack, in which digital records of over five million people’s fingerprints were stolen, doesn’t faze Schuckers. “A fingerprint is not equal to a password,” Schuckers says. “If you steal a password, you have the keys to the kingdom. If you steal a fingerprint, you still have to go back and steal the device,” or somehow hack into the device, which, thanks to Secure Enclave, is virtually impossible.
Again, fingerprint scanning is nothing new. But what the MacBook can do is help normalize and popularize it. Previously, biometrics were the realm of enterprise environments. Now, it’s a marquee feature in the marquee consumer laptop. It’s going to drive Apple Pay on the web, saving you from ever filling out your credit card information again. And it’s going to do it more safely than a password ever could.
“It’s great, I’m so excited,” says Schuckers. “I just can’t wait.”