When iOS 9 was released, Apple updated its list of cases in which iOS asks for a passcode even when Touch ID is enabled. A previously undocumented requirement asks for a passcode in a very particular set of circumstances: When the iPhone or iPad hasn’t been unlocked with its passcode in the previous six days, and Touch ID hasn’t been used to unlock it within the last eight hours. It’s a rolling timeout, so each time Touch ID unlocks a device, a new eight-hour timer starts to tick down until the passcode is required. If you wondered why you were being seemingly randomly prompted for your passcode (or more complicated password), this is likely the reason.
The list previously included (and still includes) restarting the device, five failed fingerprint recognition attempts, receiving a remote lock command via Find My iPhone, enrolling new fingerprints in Touch ID, and not having been unlocked in any fashion in 48 hours. These rules are in place ostensibly to prevent compelling or coercing someone to provide a fingerprint, raising the bar to demanding or cracking a passcode instead.
This addition came before the San Bernardino case and the Department of Justice and FBI’s now-abandoned efforts to get Apple to provide a custom operating system to unlock a phone. However, it might have some bearing when a court order is issued to compel someone to use a fingerprint to unlock an iOS device, as in a recent case. This timeout would add another ticking clock, but wouldn’t necessarily affect the outcome. Some courts have required parties to enter a password to decrypt a device or a hard drive, though whether that constitutes self-incrimination hasn’t yet made its way to higher courts.
Users (including this reporter) began noticing this change in the last several weeks, even though an Apple spokesperson says it was added in the first release of iOS 9. However, a bullet point describing this restriction only appeared in the iOS Security Guide on May 12, 2016, according to the guide’s internal PDF timestamp. Apple declined to explain the rationale for this restriction.
An unnoticed rule, but triggering more often?
Macworld was alerted to this change when reader David Shanahan emailed the Mac 911 help column about being prompted for his passcode on both an iPad Air 2 and an iPhone 6 once or twice a week in the morning after leaving them charging overnight. That had also been this writer’s experience.
Security expert and Macworld contributor Rich Mogull confirmed he had seen the change in behavior, but hadn’t realized it until he was asked about the restriction, which he then confirmed he hadn’t previously seen mentioned or documented. Researcher Jonathan Zdziarski also confirmed that he hadn’t seen this requirement before, and said, “It explains what the hell’s been going on with my phone, though!”
The exact language of this additional timeout is: “The passcode has not been used to unlock the device in the last six days and Touch ID has not unlocked the device in the last eight hours.”
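The time-based rules can be modeled in a few lines. The following is an added sketch in Python, not Apple's code and not part of the original article; the names `LockState` and `passcode_reasons` are hypothetical, the window boundaries are assumed to be inclusive, and the event-based triggers (restart, five failed attempts, remote lock, new fingerprint enrollment) are left out.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Windows quoted in the article; treating each boundary as inclusive is an assumption.
PASSCODE_WINDOW = timedelta(days=6)
TOUCH_ID_WINDOW = timedelta(hours=8)
ANY_UNLOCK_WINDOW = timedelta(hours=48)


@dataclass
class LockState:
    """Hypothetical model of the two timestamps the timers depend on."""
    last_passcode: datetime
    last_touch_id: Optional[datetime] = None  # None: no Touch ID unlock yet

    def unlock(self, now: datetime, with_passcode: bool) -> None:
        # Every Touch ID unlock restarts the rolling eight-hour timer;
        # only a passcode unlock restarts the six-day timer.
        if with_passcode:
            self.last_passcode = now
        else:
            self.last_touch_id = now


def passcode_reasons(state: LockState, now: datetime) -> List[str]:
    """Return the time-based rules that would force a passcode at `now`."""
    reasons = []
    last_any = max(t for t in (state.last_passcode, state.last_touch_id) if t)
    if now - last_any >= ANY_UNLOCK_WINDOW:
        reasons.append("no unlock in 48 hours")
    touch_stale = (state.last_touch_id is None
                   or now - state.last_touch_id >= TOUCH_ID_WINDOW)
    if now - state.last_passcode >= PASSCODE_WINDOW and touch_stale:
        reasons.append("passcode idle 6 days, Touch ID idle 8 hours")
    return reasons


if __name__ == "__main__":
    # Constructed timeline: passcode Monday 08:00, Touch ID used daily until 23:00.
    state = LockState(last_passcode=datetime(2016, 5, 2, 8, 0))
    for day in range(2, 9):
        state.unlock(datetime(2016, 5, day, 23, 0), with_passcode=False)
        morning = datetime(2016, 5, day + 1, 7, 30)
        print(morning, passcode_reasons(state, morning) or "Touch ID accepted")
```

In the constructed timeline, only the final morning check asks for the passcode: the device was last unlocked by fingerprint 8.5 hours earlier and by passcode more than six days earlier, which matches the overnight-charging reports.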
Neither Mogull nor Zdziarski could determine why this period of time had been chosen. Zdziarski said he’s been asking Apple for some time to either set the timeout period to eight hours, down from 48, or to allow users to select a period of time. He would also like to see an option to require a passcode based on a geofence—a coordinate-based defined region. “I would love it to automatically kill the fingerprint altogether or set the expiration down to even 4 hours or 8 hours if I’m not inside some geofence I’ve set up,” he said.
An iOS device can have its Auto-Lock setting changed without a passcode, and one of the options for Auto-Lock is never. With that option engaged and continuous power, as long as the iOS device isn’t restarted and the Sleep/Wake button isn’t pressed, the phone should remain continuously unlocked. In that situation, the Touch ID timeout conditions never come into play.
However, if the device ever becomes locked or is seized while locked, it’s a different story. Because a law-enforcement or other government agent or a malicious party wouldn’t necessarily know the last time the passcode was entered, the new rule raises the stakes higher than the 48-hour timeout does. There would typically be no way for another party to know if the six-day period had passed, nor whether Touch ID had been used in the previous eight hours to unlock the iPhone or iPad.
It remains unclear precisely why Apple added this requirement, but finding this new bullet point clears up the mystery of why your iPhone and iPad love the smell of freshly entered passcodes in the morning.