Apple is working on technology to finally allow iOS devices to support multiple users

Apple is researching Secure Enclave technology that would allow multiple users to share an iPhone or iPad without disclosing private information to each other.

“Providing domains in a secure enclave to support more users” is a new Apple patent that deals specifically with allowing multiple users to use one device. That could mean Macs as much as iOS. Apple even refers to “both single-user mobile computing devices and multi-user computing devices for laptops and desktops.”

Since the Mac already supports multiple users, however, the most likely goal of this patent is to bring this functionality to iOS devices. And above all, to do it safely.

“A computing device can use multiple access codes and associated encryption keys, where multiple access codes or encryption keys can be associated with each different user account in the system,” says the patent.

“Before a user can access the data stored on the computing device, the user may be required to successfully log in via the login screen,” it continues. “However, it may still be possible to gain access to data stored on your computer without knowing a username/password or a password if the data is stored in an unencrypted way.”

“A malicious attacker can extract data directly from memory,” the patent continues. “If the attacker has physical access to the computer system, the attacker may remove one or more storage devices from the system and may access those devices through another system.”

So, in addition to being concerned about recognizing multiple users with “multiple access codes and associated encryption keys,” Apple wants these keys to “secure data in the computing system.”

If Apple applies this to iOS devices, then naturally each user must have their personal information secured, from connections to Apple Pay details. However, each user will also need access to certain shared features of the device, such as the web browser, or there would be no point in using the iPhone.

“[Consequently, to] allow multiple users to access the data processing system, group keys can be created so that by belonging to a group in the system (e.g. administrators, users, etc.) they can allow different levels of access to the system,” says the patent.

Much of the patent's detail focuses on “using a peripheral processor or processing system separate from system processors.” This peripheral processor “is a system on a chip integrated circuit (SoC) that allows various secure peripheral and input/output (I/O) operations.”

Apple stops short of specifically mentioning the T2 chip, but says that this system “may include a secure enclave processor (SEP).”

Patent details that show an authentication configuration before a user can access data on the device


What is notable is how that SEP, or similar, limits access to what the specific user is authorized to use. The SEP can be the “primary arbiter of all data accesses in the system”, which means that everything must be routed through this future version of the T2 chip.

As part of this, the patent details the methods by which an authorized user can set what another user can see. It discusses how the ordinary system or a rogue user “cannot gain access to resources within the SEP”.

Aside from the potential for multiple users to share a device, most of this security is hidden behind the familiar access code or possibly Face ID. However, what a user might see includes what happens when they enter the wrong password.

We are already familiar with the idea that after so many failed login attempts, you will be locked out. Apple’s patent suggests that before reaching this stage, the system could be deliberately slowed down.

“Access code restriction can be enabled on some single-user mobile computing devices, such as smartphone or tablet computing devices,” it says, “to limit the rate at which an unauthorized user can try to enter incorrect access codes.”

“As an additional technique, the access code entry rate may be limited after a predetermined number of incorrect authentication attempts,” it continues. “Limiting the rate of incorrect attempts offers several benefits, including limiting the likelihood of an accidental blockage and frustrating the ability of a malicious attacker to carry out a brute force passcode attack.”
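
To make the two mechanisms quoted above concrete (a shared group key released per user, and throttling after a set number of wrong passcodes), here is an added Python sketch; it is not Apple's implementation or code from the patent. The class name, the three free attempts, the 60-second doubling delay and the XOR stand-in for a real key-wrap algorithm are all assumptions made for illustration.

```python
import hashlib, hmac, os

FREE_ATTEMPTS = 3      # assumed "predetermined number" of unthrottled failures
BASE_DELAY = 60.0      # assumed first delay in seconds; doubles per further failure

def _kdf(passcode: str, salt: bytes, label: bytes) -> bytes:
    # Passcode-derived key; the label separates the verifier from the wrapping key.
    master = hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 50_000)
    return hmac.new(master, label, hashlib.sha256).digest()

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class EnclaveModel:
    """Toy arbiter (hypothetical): releases the group key only on a valid passcode."""

    def __init__(self, clock):
        self.clock = clock              # injectable time source, in seconds
        self.users = {}
        self.group_key = os.urandom(32)

    def enroll(self, name: str, passcode: str) -> None:
        salt = os.urandom(16)
        self.users[name] = {
            "salt": salt,
            "verifier": _kdf(passcode, salt, b"verify"),
            # Group key wrapped under this user's key (XOR stands in for AES key wrap).
            "wrapped": _xor(self.group_key, _kdf(passcode, salt, b"wrap")),
            "failures": 0,
            "locked_until": 0.0,
        }

    def unlock(self, name: str, passcode: str):
        u = self.users[name]
        if self.clock() < u["locked_until"]:
            return ("throttled", None)  # the guess is not even evaluated
        if hmac.compare_digest(_kdf(passcode, u["salt"], b"verify"), u["verifier"]):
            u["failures"] = 0
            return ("ok", _xor(u["wrapped"], _kdf(passcode, u["salt"], b"wrap")))
        u["failures"] += 1
        extra = u["failures"] - FREE_ATTEMPTS
        if extra > 0:                   # past the free attempts: exponential back-off
            u["locked_until"] = self.clock() + BASE_DELAY * 2 ** (extra - 1)
        return ("denied", None)
```

Throttling state is kept per user, so one account's failed guesses do not lock out the other people sharing the device.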

This patent is credited to three inventors, Pierre Olivier Martel, Arthur Mesh and Wade Benson. Among their many previous related patents is one on multi-user access to data containers on a single device.

The new patent is far from Apple’s first research on multiple users on an iOS device. As early as 2013, it applied for a comprehensive patent for multiple users of the same Touch ID-compatible device.
