
From what I remember, Apple’s biometrics are designed so that the biometric “fingerprint” never leaves a Secure Enclave processor. I don’t know how standard this is on other platforms, but it seems to me to be preferable because it even offers some degree of protection against rootkits or other forms of malware.


As far as I know, that’s correct. macOS never sees any of the fingerprint data, and thus it can’t be read or intercepted easily.

The Secure Enclave can also store various keys, which apps like Secretive[0] can use to store and gate access to things like SSH keys. Feels a little nicer than letting them rattle around loose in ~/.ssh/ where any passerby can pick them up, is more convenient than a USB key, and lets me know when something is trying to use it by way of an unexpected Touch ID prompt. It’s a feature I miss when using my Windows/Linux laptop.

[0]: https://github.com/maxgoedjen/secretive


Does that mean that Bluetooth keyboards with Touch ID also have a Secure Enclave on them? I guess there’s some additional security that ensures you can’t spoof that keyboard’s response?


Correct!


I don't think so.

https://support.apple.com/en-in/guide/security/secf60513daa/...

From what I understand, the keyboard just acts as a sensor, but doesn't store anything - neither securely nor otherwise.

"The Magic Keyboard with Touch ID performs the role of the biometric sensor; it doesn’t store biometric templates, perform biometric matching or enforce security policies (for example, having to enter the password after 48 hours without an unlock). The Touch ID sensor in the Magic Keyboard with Touch ID must be securely paired to the Secure Enclave on the Mac before it can be used, and then the Secure Enclave performs the enrolment and matching operations and enforces security policies in the same way it would for a built-in Touch ID sensor."


Wow! Things have come so far now that my keyboard is a whole secure computer with a radio as well as a keyboard!



