The exact language of this additional timeout is: “The passcode has not been used to unlock the device in the last six days and Touch ID has not unlocked the device in the last eight hours.”
Neither Mogull nor Zdziarski could determine why this period of time had been chosen. Zdziarski said he’s been asking Apple for some time to either set the timeout period to eight hours, down from 48, or to allow users to select a period of time. He would also like to see an option to require a passcode based on a geofence—a coordinate-based defined region. “I would love it to automatically kill the fingerprint altogether or set the expiration down to even 4 hours or 8 hours if I’m not inside some geofence I’ve set up,” he said.
An iOS device can have its Auto-Lock setting changed without a passcode, and one of the options for Auto-Lock is never. With that option engaged and continuous power, as long as the iOS device isn’t restarted or the Sleep/Wake button pressed, the phone should remain continuously unlocked. In that situation, the Touch ID timeout conditions never come into play.
However, if the device ever becomes locked or is seized while locked, it’s a different story. Because a law-enforcement or other government agent or a malicious party wouldn’t necessarily know the last time the passcode was entered, it raises the stakes higher than the 48-hour timeout. There would typically be no way for another party to know if the six-day period had passed, nor whether Touch ID had been used in the previous eight hours to unlock the iPhone or iPad.
It remains unclear precisely why Apple added this requirement, but finding this new bullet point clears up the mystery of why your iPhone and iPad love the smell of freshly entered passcodes in the morning.
Sign up for CIO Asia eNewsletters.