Apple patent involves multi-user support for iOS, iPadOS devices — Apple World Today

Before a user can obtain access to data stored on the computing device, the user may be required successfully authenticate via the login screen. However, as Apple notes, it may still be possible to gain access to data stored on the computing system without knowledge of a username/password or passcode if the data is stored in an unencrypted manner. 

A malicious attacker may be able to extract data directly from the memory. If the attacker has physical access to the computing system, the attacker can remove one or more storage devices from the system and access those devices via a different system. 

Computing device passcodes can be used to enable data encryption by providing entropy to an encryption algorithm that enables the generation of one or more per-user keys that may then be used secure data within the computing system. The per-user keys can be combined with system or group keys to provide enable multi-layer encryption of data and encryption keys to defend against data that is accessed outside of the normal login process, for example, via physical access to a storage device. 

Apple wants iPads and iPhones to be able to support one user through “several passcodes and associated encryption keys. However, the company also wants those keys to “secure data within the computing system.”

Here’s the (somewhat technical) summary of the patent: “Embodiments described herein provide for a system, method, and apparatus to provision domains in a secure enclave processor to support multiple users. One embodiment provides for an apparatus comprising a first processor to receive a set of credentials associated with one of multiple user accounts on the apparatus and a second processor including a secure circuit to provide a secure enclave, the secure enclave to receive a request from the first processor to authenticate the set of credentials, the request including supplied credentials and an authentication type, where the secure enclave is to block the request from the first processor in response to a determination that the user account has exceeded a threshold number of successive failed authentication attempts for the authentication type.”