Apple has been granted a patent (number 10,872,152) for “provision of domains in secure enclave to support multiple users.” It hints at multi-user support finally coming to iPad and iPhone devices. However, the tech giant wants to make such support safe and protective of your data.
Computing devices such as iPhones and iPads can employ passcode protection to protect data stored on the device. They can prevent unauthorized access to stored data using protection mechanisms including a login screen that requires a user to provide a user name/password combination and/or a numeric or alphanumeric passcode.
Before a user can obtain access to data stored on the computing device, the user may be required to successfully authenticate via the login screen. However, as Apple notes, it may still be possible to gain access to data stored on the computing system without knowledge of a username/password or passcode if the data is stored in an unencrypted manner.
A malicious attacker may be able to extract data directly from the memory. If the attacker has physical access to the computing system, the attacker can remove one or more storage devices from the system and access those devices via a different system.
Computing device passcodes can be used to enable data encryption by providing entropy to an encryption algorithm that generates one or more per-user keys, which may then be used to secure data within the computing system. The per-user keys can be combined with system or group keys to enable multi-layer encryption of data and encryption keys, defending against access to data outside of the normal login process, for example, via physical access to a storage device.
Apple wants iPads and iPhones to be able to support one user through “several passcodes and associated encryption keys.” However, the company also wants those keys to “secure data within the computing system.”
Here’s the (somewhat technical) summary of the patent: “Embodiments described herein provide for a system, method, and apparatus to provision domains in a secure enclave processor to support multiple users. One embodiment provides for an apparatus comprising a first processor to receive a set of credentials associated with one of multiple user accounts on the apparatus and a second processor including a secure circuit to provide a secure enclave, the secure enclave to receive a request from the first processor to authenticate the set of credentials, the request including supplied credentials and an authentication type, where the secure enclave is to block the request from the first processor in response to a determination that the user account has exceeded a threshold number of successive failed authentication attempts for the authentication type.”
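The two mechanisms described above, passcode-derived per-user keys mixed with a device key and a per-account, per-authentication-type lockout, can be sketched as a toy model. This is an added example, not code from Apple or the patent; the `EnclaveModel` class, the threshold of 2, the `"passcode"`/`"password"` type labels and the use of PBKDF2 and HMAC-SHA256 are all assumptions made for illustration.

```python
import hashlib, hmac, os

class EnclaveModel:
    THRESHOLD = 2  # assumed value; the patent summary names no number

    def __init__(self):
        self._device_key = os.urandom(32)  # stand-in for a hardware-bound key
        self._records = {}    # (account, auth_type) -> (salt, verifier)
        self._failures = {}   # (account, auth_type) -> successive failures

    def _derive(self, secret, salt):
        # The user's secret supplies the entropy (PBKDF2 is chosen for this sketch).
        user_key = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)
        # Mix with the device key so the result cannot be recomputed off-device.
        return hmac.new(self._device_key, user_key, hashlib.sha256).digest()

    def enroll(self, account, auth_type, secret):
        salt = os.urandom(16)
        key = self._derive(secret, salt)
        verifier = hashlib.sha256(b"verifier" + key).digest()
        self._records[(account, auth_type)] = (salt, verifier)

    def authenticate(self, account, auth_type, secret):
        """Return (status, key); status is 'ok', 'denied' or 'blocked'."""
        slot = (account, auth_type)
        if self._failures.get(slot, 0) > self.THRESHOLD:
            return "blocked", None         # refused before any key derivation
        record = self._records.get(slot)
        if record is None:
            return "denied", None
        salt, verifier = record
        key = self._derive(secret, salt)
        candidate = hashlib.sha256(b"verifier" + key).digest()
        if hmac.compare_digest(candidate, verifier):
            self._failures[slot] = 0       # "successive": a success resets the count
            return "ok", key
        self._failures[slot] = self._failures.get(slot, 0) + 1
        return "denied", None

def demo():
    enclave = EnclaveModel()
    enclave.enroll("alice", "passcode", "493817")       # constructed sample values
    enclave.enroll("alice", "password", "correct horse")
    enclave.enroll("bob", "passcode", "118204")
    results = [enclave.authenticate("alice", "passcode", "000000")[0] for _ in range(3)]
    results.append(enclave.authenticate("alice", "passcode", "493817")[0])
    results.append(enclave.authenticate("alice", "password", "correct horse")[0])
    results.append(enclave.authenticate("bob", "passcode", "118204")[0])
    return results
```

Once the failure count for one account and authentication type exceeds the threshold, even the correct passcode is refused for that pair, while the same account's other authentication type and other accounts are unaffected.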