Apple is working on technology to finally let iOS devices support multiple users

Apple is researching an extension of its Secure Enclave technology that would let multiple users securely share one iPhone or iPad without exposing any one user's private information to the others.

“Providing domains in secure enclave to support multiple users” is a newly granted Apple patent that is specifically about letting more than one person use a device securely. That could apply as much to Macs as to iOS devices; in fact, Apple refers to “single-user mobile computers as well as multi-user laptop and desktop computers”.

Since the Mac already has multi-user support, it is more likely that this patent is intended to bring that functionality to iOS devices, and in particular to do so safely.

“A computing device can use different access codes and associated encryption keys, with multiple access codes or encryption keys associated with each different user account on the system,” says the patent.

“Before a user can access data stored on the computing device, the user may need to successfully authenticate via the login screen,” it continues. “However, it may still be possible to access data stored on the computer system without knowledge of a username/password or access code if the data is stored in an unencrypted manner.”

“A malicious attacker could potentially retrieve data directly from memory,” the patent continues. “If the attacker has physical access to the computer system, the attacker could remove one or more storage devices from the system and gain access to those devices through another system.”

So Apple not only wants to recognize more than one user through “different access codes and associated encryption keys,” but also wants those keys to “secure data within the computer system.”

Of course, if Apple applies this to iOS devices, each user's personal information, from login credentials to Apple Pay data, must stay private to that user. But each user also needs access to shared functions of the device, such as the web browser, or there is little point in sharing the iPhone at all.

“Consequently, to enable multi-user access to the data processing system, group keys can be created so that through membership of a group on the system (e.g. administrators, users, etc.) different levels of access to the system can be enabled,” says the patent.
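The key layering described in the passages above, per-user access codes, per-user encryption keys, and group keys that open shared data only through group membership, can be made concrete in code. The Go program below is an added example written for this page; it is not Apple's implementation and is not taken from the patent. It assumes a passcode-derived key-encryption key (PBKDF2-HMAC-SHA256, written out inline), AES-256-GCM for wrapping keys, and an in-memory `Vault` type; the user names, group name and passcodes in the usage below are constructed for the example, and granting membership is simplified to re-wrapping the group key under the new member's unlocked key rather than under a public key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// deriveKEK is PBKDF2-HMAC-SHA256 (RFC 8018) for one 32-byte output block, written out so only the standard library is needed.
func deriveKEK(passcode, salt []byte) []byte {
	prf := hmac.New(sha256.New, passcode)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // INT(1): the first and only block index
	u := prf.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < 10000; i++ { // iteration count kept low so the example runs quickly
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	rand.Read(b) // crypto/rand.Read does not fail on supported platforms
	return b
}

func Seal(key, plaintext []byte) []byte { // AES-256-GCM, fresh random nonce prefixed to the box
	block, _ := aes.NewCipher(key) // every key here is 32 bytes, so this cannot fail
	aead, _ := cipher.NewGCM(block)
	nonce := randBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, nil)
}

func Open(key, box []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	if len(box) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, box[:aead.NonceSize()], box[aead.NonceSize():], nil)
}

// Vault holds the patent's key layering: each user has an access code and an associated
// key, and a group key is wrapped once per member, so membership grants access to it.
type Vault struct {
	salt, wrappedKey map[string][]byte            // per user: KDF salt; user key sealed under the KEK
	groups           map[string]map[string][]byte // group -> member -> group key sealed under member key
}

func NewVault() *Vault {
	return &Vault{map[string][]byte{}, map[string][]byte{}, map[string]map[string][]byte{}}
}

func (v *Vault) AddUser(name string, passcode []byte) {
	v.salt[name] = randBytes(16)
	v.wrappedKey[name] = Seal(deriveKEK(passcode, v.salt[name]), randBytes(32))
}

// Unlock is the only path to a user's key: a wrong passcode or an unknown name fails the tag check.
func (v *Vault) Unlock(name string, passcode []byte) ([]byte, error) {
	key, err := Open(deriveKEK(passcode, v.salt[name]), v.wrappedKey[name])
	if err != nil {
		return nil, errors.New("authentication failed") // same answer either way; nothing else leaks
	}
	return key, nil
}

// CreateGroup mints a group key and wraps it for the creator, the group's admin.
func (v *Vault) CreateGroup(group, creator string, creatorKey []byte) {
	v.groups[group] = map[string][]byte{creator: Seal(creatorKey, randBytes(32))}
}

// GroupKey unwraps the group key for an unlocked member; a non-member has no wrapped copy and is refused.
func (v *Vault) GroupKey(group, member string, memberKey []byte) ([]byte, error) {
	wrapped, ok := v.groups[group][member]
	if !ok {
		return nil, errors.New("not a member of " + group)
	}
	return Open(memberKey, wrapped)
}

// AddMember re-wraps the group key for a new member (a real design would wrap to the member's public key).
func (v *Vault) AddMember(group, admin string, adminKey []byte, member string, memberKey []byte) error {
	gk, err := v.GroupKey(group, admin, adminKey)
	if err != nil {
		return err
	}
	v.groups[group][member] = Seal(memberKey, gk)
	return nil
}
```

In use: `v.AddUser("alice", []byte("1234"))`, then `alice, _ := v.Unlock("alice", []byte("1234"))`, `v.CreateGroup("users", "alice", alice)`, and a bookmark sealed with the key from `v.GroupKey("users", "alice", alice)` can be opened by bob only after `v.AddMember("users", "alice", alice, "bob", bob)`. Nothing is ever stored unwrapped: a wrong passcode derives a KEK that fails the GCM tag check, a user outside the group has no wrapped copy of its key and is refused before any decryption is attempted, and a user's own key cannot open data sealed under the group key, which is the separation the patent's “different levels of access” rests on.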

Much of the detail in the patent concerns “using a peripheral processor or processing system that is separate from the system processors.” This peripheral processor “is a system on a chip (SoC) integrated circuit that enables various secure peripherals and input/output (I/O) operations.”

Apple does not specifically mention the T2 chip, but it does say that this system “may include a secure encryption processor (SEP).”

Detail from the patent: a configuration in which a user must authenticate before accessing data on the device

What it does describe is how that SEP, or something like it, restricts each user to only what that user is allowed to use. The SEP can be “the primary arbiter of all data access on the system,” meaning that every data access must pass through it, whether that is a future version of the T2 chip or a successor.

As part of this, the patent describes how an authorized user can set what another user is able to see. It also discusses how the main system, or a rogue user, “cannot access resources within the SEP.”

Aside from the potential for multiple users to share a device, most of this security sits behind the familiar passcode, or possibly Face ID. But what the patent covers also includes what happens when someone enters the wrong passcode.

We already know that a device locks you out after a certain number of failed login attempts. Apple’s patent suggests that before you get there, the system may deliberately slow you down.

“Passcode restriction can be enabled on some single-user mobile computers, such as smartphones or tablets,” it says, “to limit the speed at which an unauthorized user can attempt to enter incorrect passcodes.”

“As an additional technique, the speed at which the passcode is entered may be limited after a predetermined number of incorrect authentication attempts,” it continues. “Limiting the number of malicious attempts has several benefits, including limiting the chance of an accidental lockout occurring and frustrating a malicious attacker’s ability to brute-force a passcode attack.”

This patent is attributed to three inventors, Pierre Olivier Martel, Arthur Mesh and Wade Benson. Among their many related previous patents is one regarding multiple user access to data containers on one device.

The new patent is far from Apple’s first investigation of multiple users on an iOS device. As early as 2013, it filed for an extensive patent for multiple users of the same Touch ID device.
