Touch ID for Mac - No Thanks

Excited about Touch ID for Mac? You might want to reconsider.

The long-awaited, brand-new MacBook Pro announced in October created quite the stir in the Mac / Tech community. Beyond the updated specs and thinner case that were expected, Apple has increased the price a non-trivial amount to include the Touch Bar on almost every model. (Not to mention the other controversial decisions around USB-C-only ports, an arguably worse keyboard, the lack of 32GB RAM options, etc.) I understand there’s not much innovation in the CPU space, but I think after 500 days with no update, many people would have been extremely happy with just a simple spec bump and maybe some weight reduction. Instead, we get an additional interface that we may or may not need. Time will tell if that’s the right choice.

One additional feature the new MBP added that PC users have been enjoying for years is the Touch ID sensor. I use Touch ID on my iPhone, and absolutely love the speed and convenience of unlocking my device. I understand why so many are excited to now be able to unlock their computer with just a fingerprint. However, I would recommend thinking twice before automatically using this feature.

I’m not quite as paranoid as some, but I do try to think about the security implications when making decisions like this. Touch ID provides a great convenience on my phone since I unlock it many times every day. This is helped by the fact that I don’t typically store sensitive data on my phone, or, if I do, as in the case of 1Password, I don’t use Touch ID to unlock that particular data. There are a couple of main reasons for this decision.

  • Law enforcement can require you to unlock your phone with a fingerprint. However, they can’t force you to provide your passcode. (If you are joining a protest, for instance, there’s a reason they suggest turning off Touch ID before the event.)
  • Researchers have found ways to recreate your fingerprint, through photos or even lifting the print from your phone directly, which allows them to gain access.

Of course, I can take steps to limit my risk, such as rebooting my phone if I’m ever detained so it requires the passcode instead of the fingerprint to unlock. And Apple has recently updated some of the default policies to be more secure, such as requiring the passcode after a certain time period of not being unlocked. Those seem fairly reasonable, especially for a device that doesn’t have overly sensitive data.

I understand the desire to add this functionality to your Mac as well. This is especially true if, like me, you work in an office environment and step away from your computer often, and need to lock/unlock it for privacy. Touch ID in this case would be super convenient.

My Macs, however, contain almost all of my personal and sensitive data: everything from my 1Password vault, tax returns, photos, emails, and journals to sensitive documents. To limit my risk and exposure, I turn on FileVault 2 (which everyone should do) on every Mac I own to prevent access to my files in case of loss or theft. If you enable Touch ID, the same exploits used to access your phone can now be used on your computer itself.

The trade-off of security for convenience makes sense in certain situations, such as with your mobile device. But for a device that contains so much personal and sensitive information, using Touch ID is not worth the risk. Fingerprints are good for identity verification, but lousy as an authentication method. Take that into consideration as you start receiving your new computers with the fingerprint readers.