by Tyrannosaurs 4257 days ago
I think Apple are pretty aware of the limitations - they don't accept TouchID on first login after a restart, for the first purchase after a restart, if it's been 48 hours since an unlock or for resets/major config changes. For that you either need the PIN or, if you've opted for more security, the password.

Overall it feels that Apple's take is that for day-to-day login it's better than a four-digit PIN and it's better than no PIN.


>they don't accept TouchID on first login after a restart

That's because the hash of the print is stored on an encrypted volume of some kind, which requires your regular password to decrypt after a cold boot. Once the hash is in memory, the fingerprint can be used instead.

I'm not sure I'm following what you're saying 100%, but based on this [1] I don't think the fingerprint hash is ever in memory. The TouchID camera sends the fingerprint hash directly to the secure enclave, where it is compared to the one saved there, and then the secure enclave sends a yes or no to memory; at least that's my interpretation.

1. http://support.apple.com/kb/HT5949?viewlocale=en_US&locale=e...

I believe he meant "once the [password] hash is in memory"

Is it because of that, or is it implemented that way because they wanted to ensure that TouchID couldn't be accepted after a fresh restart? I think you may have the causality backwards, since they could have easily stored things in such a way that your fingerprint worked after a fresh reboot if they wanted to.