Video Summary
In This Tutorial
How Touch ID works on a Mac, why it is secure rather than a weakness, when a password is still required, and how it actually encourages stronger overall security.
Intro
- Touch ID, available on newer MacBook Pro and MacBook Air models (and newer iMac keyboards), lets you unlock your computer with a fingerprint. It may seem less secure than a password, but there are several reasons it is not.
Touch ID Unlocks Your Password Rather Than Replacing It
- Touch ID does not replace your password; it unlocks it, effectively typing the password for you each time. Your fingerprint is stored only in a secure piece of hardware on the device itself and is never sent to Apple or synced through iCloud, which is why Touch ID must be set up separately on each device.
How Reliable the Sensor Is
- Apple estimates a one in fifty thousand chance of a fingerprint error, so it is extremely unlikely that a thief could unlock your MacBook by fingerprint. That is roughly between a four-digit and a five-digit passcode in strength, but stronger in practice because a fingerprint cannot be repeatedly guessed.
When a Password Is Still Required
- A password, not Touch ID, is required after a restart or logout, after the Mac has been idle for 48 hours, to change Touch ID or the password, after five failed fingerprint attempts, and when a Mac is locked remotely with Find My, so the most sensitive actions always fall back to the password.
How Touch ID Improves Overall Security
- Because logging in is easier, Touch ID encourages people who avoid account passwords to use one. It also encourages longer, stronger passwords, since you rarely have to type them: someone with a weak, short password may be willing to switch to a longer, randomly generated one.
Setting Up and Configuring Touch ID
- Touch ID is set up during initial Mac setup or later in System Preferences under Touch ID, where you can add multiple fingerprints (such as different fingers) and adjust which actions Touch ID is allowed to authorize and which require a password.
Summary
Touch ID does not weaken Mac security; it unlocks your password using a fingerprint that is stored securely on the device and never shared. A password is still required for the most sensitive actions and after failed attempts or long idle periods, while a one in fifty thousand error rate, combined with the five-attempt limit, makes it extremely unlikely that someone else's fingerprint will unlock the Mac. The best balance of security and convenience is to pair Touch ID with a longer, stronger password, so that you rely on the fingerprint day to day and enter the strong password only occasionally.
Video Transcript
This is Gary with MacMost.com. This is Part 19 of my course The Practical Guide to Mac Security. This course is brought to you thanks to my great Patreon supporters. Go to MacMost.com/patreon to find out more and join us.
So Touch ID is a feature that you get on newer MacBook Pros and MacBook Air. It allows you to unlock your computer by just using your fingerprint. Now you may think that this sounds less secure. After all instead of having to enter your password you can just use your fingerprint and perhaps there's some way to more easily get around a fingerprint lock than a password lock. But there are several reasons why it's not.
First, you still need your password for many things. So it doesn't replace the password. It's not instead of the password. In fact, what Touch ID really does is it unlocks the password itself. So every time you use Touch ID it's typing the password for you. But to get access to that password it's using your fingerprint. Also, a lot of people are worried about registering their fingerprint on their Mac thinking that where could that fingerprint go. Is it stored by Apple? It's actually stored in a secure place on your Mac. In a secure piece of hardware. So if you were to set up Touch ID on an iPhone and Touch ID on your MacBook notice that it doesn't pull it through iCloud or anything like that. You have to actually set it up individually for each device. It's stored just on the device. It's never sent anywhere.
If you're worried about there being an error because fingerprints, while unique for everybody, can be similar and perhaps maybe the sensor isn't perfect. Apple estimates a one in fifty thousand chance of an error. Which means the chances of somebody stealing your MacBook and then being able to use the fingerprint sensor to get access is extremely remote. If you think about passwords and passcodes on phones, a one in fifty thousand chance is kind of halfway between a four and five digit code on the phone. Having to guess it over and over again except that you can't guess a fingerprint. You have to either try your fingerprint or not. So, it really is pretty impossible to fool a fingerprint sensor.
Now note that when you use Touch ID a password is still needed in a lot of cases. For instance, if you log out or restart, when you log back in you have to enter your password. Also, if you haven't used your Mac in 48 hours, so it's just been sitting there asleep or off for 48 hours, then you need to use it. You can't just use the fingerprint. It has to be a password. You can't change your Touch ID using your fingerprint. You have to enter your password or if you want to change your password it's also going to ask you for your password. So a lot of the highest most secure, most sensitive things require a password not Touch ID. If you try five attempts with the fingerprint it's going to then require your password. So you can see how there the one in fifty thousand chance of randomly having the wrong fingerprint unlock your Mac kind of stops there because you can't just keep guessing. After five attempts, five fingerprints that have been tried, it's going to lock somebody out. You could also use Find My as we looked at before to lock the Mac. At that point it has to use a password to get in, not Touch ID.
Now here's how Touch ID helps to improve security. Now this may not affect you as an individual but it affects Mac users in general. First, there's still a lot of Mac users that don't use an account password. They find it inconvenient. This is a shame because it's, of course, critical for security as we have learned. But Touch ID makes it so much easier to log in. It will encourage more people to use a password. Instead of having to enter the password throughout the day for many different things you can go from day to day using Touch ID and only occasionally need to use the password. Also it encourages longer and stronger passwords. If maybe you've set your Mac's password to be something very short, like maybe only six characters, maybe even a word or something that's a weak password, this may encourage you to use a longer, stronger password knowing that you rarely have to enter it in. Instead of many times a day, maybe once a day or less.
So let's take a look at Touch ID. Of course you find it in System Preferences on MacBooks that have a Touch ID. Of course that includes the new iMacs which have Touch ID on the keyboard. Then when you set up your Mac you are prompted to use Touch ID and to register your fingerprint. But you could always go into System Preferences here. Go to Touch ID and then from there you can add new fingerprints and set Settings here. So, you see how you could even take away some of the privileges of Touch ID if you want to force a password to be used at a specific moment when different things are done. You can kind of set the level of when Touch ID is used and when it's not used. Also, you can add more fingerprints. So if you find sometimes you use your left index finger instead of your right index finger you can add both of those or you can add more of your fingers or your thumb to Touch ID.
So you should definitely use Touch ID. Not be afraid to use it. If you want ultimate security for your Mac then you would just use a long, strong password and not use Touch ID. But a good compromise is to use Touch ID and then use a longer, stronger password for your Mac. So in the past you may have used an eight character password that's easy to type. Maybe extend that to a ten or thirteen character password that's randomly generated. Then pair that with using Touch ID so you're not always typing this strong password. That combination gives you fairly good security on your Mac while also giving you some level of convenience.



I was using Touch ID on my iPhone, until watching a TV show where they used a Touch ID on a dead person to open their phone.
I thought it made me valuable.
I really don't see the advantage in requiring a password instead of my fingerprint when I restart my M1 iMac.
I still haven't found an online store that I want to buy from using Touch ID.
Touch ID works fine for me and it's very quick.
If you're not working for a criminal organization or for an intelligence service, then 1 in 50,000 is good enough.
Nice and informative as always, Gary. What fingerprint sensor could I use for my iMac?
Bob: The newest iMacs come with a keyboard that includes Touch ID. But if you have an older iMac, there's no way to add it. It isn't as easy as adding a peripheral as this has to be integrated into the security hardware of the machine.