When iOS 9 was released, Apple updated its list of cases in which iOS asks for a passcode even when Touch ID is enabled. A previously undocumented requirement asks for a passcode in a very particular set of circumstances: When the iPhone or iPad hasn’t been unlocked with its passcode in the previous six days, and Touch ID hasn’t been used to unlock it within the last eight hours. It’s a rolling timeout, so each time Touch ID unlocks a device, a new eight-hour timer starts to tick down until the passcode is required. If you wondered why you were being seemingly randomly prompted for your passcode (or more complicated password), this is likely the reason.
The list previously included (and still includes) restarting the device, five failed fingerprint recognition attempts, receiving a remote lock command via Find My iPhone, enrolling new fingerprints in Touch ID, and not having been unlocked in any fashion in 48 hours. These rules are in place ostensibly to prevent compelling or coercing someone to provide a fingerprint, raising the bar to demanding or cracking a passcode instead.
This addition came before the San Bernardino case and the Department of Justice and FBI’s now-abandoned efforts to get Apple to provide a custom operating system to unlock a phone. However, it might have some bearing when a court order is issued to compel someone to use a fingerprint to unlock an iOS device, as in a recent case. This timeout would add an additional ticking clock, but wouldn’t necessarily affect the outcome. Some courts have required parties enter a password to decrypt a device or a hard drive, though whether that constitutes self-incrimination hasn’t yet made its way to higher courts.
Users (including this reporter) began noticing this change in the last several weeks, even though an Apple spokesperson says it was added in the first release of iOS 9. However, a bullet point describing this restriction only appeared in the iOS Security Guide on May 12, 2016, according to the guide’s internal PDF timestamp. Apple declined to explain the rationale for this restriction.
An unnoticed rule, but triggering more often?
Macworld was alerted to this change when reader David Shanahan emailed the Mac 911 help column about being prompted for his passcode on both an iPad Air 2 and an iPhone 6 once or twice a week in the morning after leaving them charging overnight. That had also been this writer’s experience.
Security expert and Macworld contributor Rich Mogull confirmed he had seen the change in behavior, and didn’t realize until he was asked about the restriction, which he then confirmed he hadn’t previously seen mentioned or documented. Researcher Jonathan Zdziarski also confirmed that he hadn’t seen this requirement before, and said, “It explains what the hell’s been going on with my phone, though!”
Sign up for CIO Asia eNewsletters.