Magic Keyboard with Touch ID
The Magic Keyboard with Touch ID (and the Magic Keyboard with Touch ID and Numeric Keypad) provides a Touch ID sensor in an external keyboard that can be used with any Mac with Apple silicon. The Magic Keyboard with Touch ID performs the role of the biometric sensor; it doesn’t store biometric templates, perform biometric matching or enforce security policies (for example, having to enter the password after 48 hours without an unlock). The Touch ID sensor in the Magic Keyboard with Touch ID must be securely paired to the Secure Enclave on the Mac before it can be used, and then the Secure Enclave performs the enrolment and matching operations and enforces security policies in the same way it would for a built-in Touch ID sensor. Apple performs the pairing process in the factory for a Magic Keyboard with Touch ID that’s shipped with a Mac. Pairing can also be performed by the user if needed. A Magic Keyboard with Touch ID can be securely paired with only one Mac at a time, but a Mac can maintain secure pairings with up to five different Magic Keyboard with Touch ID keyboards.
The Magic Keyboard with Touch ID and built-in Touch ID sensors are compatible. If a finger that was enrolled on a built-in Mac Touch ID sensor is presented on a Magic Keyboard with Touch ID, the Secure Enclave in the Mac successfully processes the match — and vice versa.
To support secure pairing and thus communication between the Mac Secure Enclave and the Magic Keyboard with Touch ID, the keyboard is equipped with a hardware Public Key Accelerator (PKA) block to provide attestation, and with hardware-based keys to perform the necessary cryptographic processes.
Secure pairing
Before a Magic Keyboard with Touch ID can be used for Touch ID operations, it needs to be securely paired to the Mac. To pair, the Secure Enclave on the Mac and the PKA block in the Magic Keyboard with Touch ID exchange public keys, rooted in the trusted Apple CA, and they use hardware-held attestation keys and ephemeral ECDH to securely attest to their identity. On the Mac, this data is protected by the Secure Enclave; on the Magic Keyboard with Touch ID, this data is protected by the PKA block. After secure pairing, all Touch ID data communicated between the Mac and the Magic Keyboard with Touch ID is encrypted by AES-GCM with a key length of 256 bits, and with ephemeral ECDH keys using NIST P-256 curve based on the stored identities. For more information on using the keyboard in wireless mode, see Bluetooth security.
Secure intent to pair
To perform some Touch ID operations for the first time, such as enrolling a new fingerprint, the user must physically confirm their intent to use a Magic Keyboard with Touch ID with the Mac. Physical intent is confirmed by pressing twice on the Mac power button when indicated by the user interface, or by successfully matching a fingerprint that had previously been enrolled with the Mac. For more information, see Secure intent and connections to the Secure Enclave.
Apple Pay transactions can be authorised with a Touch ID match or by entering the macOS user password and pressing twice on the Touch ID button on the Magic Keyboard with Touch ID. The latter allows the user to confirm physical intent even without a Touch ID match.
Magic Keyboard with Touch ID channel security
To help ensure a secure communication channel between the Touch ID sensor in the Magic Keyboard with Touch ID and Secure Enclave on the paired Mac, the following are required:
The secure pairing between the Magic Keyboard with Touch ID PKA block and the Secure Enclave as described above
A secure channel between the Magic Keyboard with Touch ID sensor and its PKA block
The secure channel between the Magic Keyboard with Touch ID sensor and its PKA block is established in the factory by using a unique key shared between the two. (This is the same technique used to create the secure channel between the Secure Enclave on the Mac and its built-in sensor for Mac computers with Touch ID built-in.)