Did Apple get this backward?


Alan Karp

Feb 16, 2026, 10:28:10 PM
to <friam@googlegroups.com>
My new Mac has a fingerprint login feature.  Very convenient.  However, it doesn't work after a reboot, so I have to use my password.  My first reaction was that's for security reasons, but I realized that the fingerprint is more secure.  Any idea why Apple does that?

--------------
Alan Karp

Matt Rice

Feb 16, 2026, 10:35:30 PM
to fr...@googlegroups.com
On Tue, Feb 17, 2026 at 3:28 AM Alan Karp <alan...@gmail.com> wrote:
>
> My new Mac has a fingerprint login feature. Very convenient. However, it doesn't work after a reboot, so I have to use my password. My first reaction was that's for security reasons, but I realized that the fingerprint is more secure. Any idea why Apple does that?
>

My guess would be that a sleeping person or a detached finger can pass the fingerprint scanner; requiring a password presumably ensures some level of consciousness.

William ML Leslie

Feb 16, 2026, 10:44:11 PM
to fr...@googlegroups.com
I don't know if this is why Apple made that decision, but I'm with you that fingerprint scans are much less operationally secure.  You leak your fingerprint all over the place, and if you discover that an attacker has obtained your print, you can't revoke it.

This matches the behaviour of phones, too.  They tend to require a pin on boot.  I wonder if the reason is something technical about how the TEE works, rather than genuine threat analysis.
 
--
William ML Leslie
"AI is a tool" - but not, like, a pencil or even a hammer where every problem is confused with a nail - it's more like a plastic spork, occasionally less useless than nothing.

Mark S. Miller

Feb 17, 2026, 11:54:13 AM
to fr...@googlegroups.com
Encrypted disk needs decryption key. Where is that key? Fingerprints cannot generate deterministic bits

--
You received this message because you are subscribed to the Google Groups "friam" group.
To unsubscribe from this group and stop receiving emails from it, send an email to friam+un...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/friam/CAHgd1hFRVut-iPcxZJo0C68%2BV2MayH%2BkKSkABEuG1JxqGq0jSA%40mail.gmail.com.

Tony Arcieri

Feb 17, 2026, 1:44:16 PM
to fr...@googlegroups.com
On Tue, Feb 17, 2026 at 9:54 AM 'Mark S. Miller' via friam <fr...@googlegroups.com> wrote:
> Encrypted disk needs decryption key. Where is that key? Fingerprints cannot generate deterministic bits

The key is in the Secure Enclave Processor, and it does handle TouchID, which can be used to authenticate/authorize access to the key.

Though the more interesting part about a passcode for unlocking a key is it can be fed into a PBKDF for deriving the key, with the number of allowed attempts also controlled by the SEP, which could go as far as to wipe the base derivation key if it suspects tampering or an attack.
 
--
Tony Arcieri

Alan Karp

Feb 17, 2026, 2:15:32 PM
to fr...@googlegroups.com
Here's a couple of things I learned by asking perplexity.ai.

It's really hard to use a fingerprint taken from something like a glass because the sensor uses capacitive imaging of the skin structure just under the surface.

Apple's security model treats the password as the root of trust and biometrics as a convenience.

There is a KEK (key encryption key) that is re-derived after reboot from your password.  A biometric isn't accurate enough for that.

--------------
Alan Karp
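
Added example, not part of any message in this thread and not Apple's implementation: a toy model of the two points made above, a KEK re-derived from the passcode through a PBKDF with an attempt counter that wipes a device-bound key, and the reason a noisy biometric reading cannot feed the same derivation. `ToyEnclave`, `MAX_ATTEMPTS`, the iteration count and the XOR-plus-HMAC wrap are assumptions made for the sketch.

```python
import hashlib, hmac, secrets

MAX_ATTEMPTS = 5  # assumed limit, chosen for this sketch

def derive_kek(secret: bytes, salt: bytes, device_key: bytes) -> bytes:
    # Stretch the user secret, then tangle it with a key that never leaves the device.
    stretched = hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000)
    return hmac.new(device_key, stretched, hashlib.sha256).digest()

def _pad(kek: bytes) -> bytes:
    return hmac.new(kek, b"wrap", hashlib.sha256).digest()

def wrap(kek: bytes, volume_key: bytes):
    # Toy stand-in for a real key-wrap mode: XOR pad plus an HMAC integrity tag.
    ct = bytes(a ^ b for a, b in zip(volume_key, _pad(kek)))
    return ct, hmac.new(kek, b"tag" + ct, hashlib.sha256).digest()

def unwrap(kek: bytes, ct: bytes, tag: bytes):
    good = hmac.new(kek, b"tag" + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None  # wrong KEK: the tag does not verify
    return bytes(a ^ b for a, b in zip(ct, _pad(kek)))

class ToyEnclave:
    def __init__(self, passcode: bytes, volume_key: bytes):
        self.device_key = secrets.token_bytes(32)
        self.salt = secrets.token_bytes(16)
        self.failures = 0
        kek = derive_kek(passcode, self.salt, self.device_key)
        self.blob = wrap(kek, volume_key)  # only the wrapped key is stored

    def unlock(self, secret: bytes):
        if self.device_key is None:
            return None  # wiped: even the right passcode cannot rebuild the KEK
        key = unwrap(derive_kek(secret, self.salt, self.device_key), *self.blob)
        if key is not None:
            self.failures = 0
            return key
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self.device_key = None  # destroy the base derivation key
        return None

def noisy_reading_matches() -> bool:
    # Constructed data: two scans of the "same finger" that differ in one bit.
    scan_a, scan_b = bytes(64), bytes([1]) + bytes(63)
    salt, dk = b"s" * 16, b"d" * 32
    return derive_kek(scan_a, salt, dk) == derive_kek(scan_b, salt, dk)
```

A KDF needs bit-exact input, so a biometric can only gate the release of a key that is already held in hardware; after a reboot nothing is held yet, and the passcode is the only input that can rebuild the KEK.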
