The biometric part is incidental. The thing that makes it more secure is that authentication is done by a separate trusted system: the secure enclave, which has its own separate processor, OS, and input device. The primary OS tells the secure enclave to start a security challenge, and then the secure enclave reports success if you scan your finger or nothing if you don't. Malware can't fake this response (at least not without having already pwned your system to an extent that it doesn't need your password), and popping up a fake TouchID dialog doesn't really achieve much of anything. Infecting the secure enclave with malware would let you break everything, but unlike the primary OS it's not designed to run third-party software, so that's significantly harder to do.

FaceID swaps out the fingerprint reader for facial recognition but the actual security features are the same. Yubikeys are the same high-level concept, although the implementation is quite different.

A yubikey can still be MITM’d with a fake OTP dialog. Anyone who has worked around them for long enough has seen a yubisneeze.

Because of how https://developer.apple.com/documentation/localauthenticatio... works, comparing touchID to yubikeys doesn’t make sense to me.

Are these dialogs always rendered on top? I can imagine it wouldn't be too hard to perform some malicious high-risk actions (elevating permissions, disabling protections) and hiding the permission prompt by overlaying something a copy with something that sounds more benign.

You're not leaking credentials there, but if you can get the user to give away the right permissions, you don't need to.

On Android, where apps have the ability to draw on top of other apps (used for things like pop-out players and night light apps) it used to be possible to trick the user into opening their phone's settings and guiding them through a bunch of security options by overlaying a game and letting the taps fall through to the underlying app. This makes me wonder how well-protected macOS is against that kind of attack.

From what I remember, Apple’s biometrics are designed so that the biometric “fingerprint” never leaves a Secure Enclave processor. I don’t know how standard this is on other platforms, but it seems to me to be preferable because it even offers some degree of protection against rootkits or other forms of malware.

As far as I know, that’s correct. macOS never sees any of the fingerprint data, and thus it can’t be read or intercepted easily.

The Secure Enclave can also store various keys, which apps like Secretive[0] can use to store and gate access to things like SSH keys with. Feels a little nicer than letting them rattle around loose in ~/.ssh/ where any passerby can pick them up, is more convenient than an a USB key, and lets me know when something is trying to use it by way of unexpected Touch ID prompt. It’s a feature I miss when using my Windows/Linux laptop.

[0]: https://github.com/maxgoedjen/secretive

Does that mean that Bluetooth keyboards with Touch ID also have a Secure Enclave on them? I guess there’s some additional security that ensures you can’t spoof that keyboard’s response?

Correct!

I don't think so.

https://support.apple.com/en-in/guide/security/secf60513daa/...

From what I understand, the keyboard just acts as a sensor, but doesn't store anything - neither securely nor otherwise.

"The Magic Keyboard with Touch ID performs the role of the biometric sensor; it doesn’t store biometric templates, perform biometric matching or enforce security policies (for example, having to enter the password after 48 hours without an unlock). The Touch ID sensor in the Magic Keyboard with Touch ID must be securely paired to the Secure Enclave on the Mac before it can be used, and then the Secure Enclave performs the enrolment and matching operations and enforces security policies in the same way it would for a built-in Touch ID sensor."

Wow! Things have come so far now that my keyboard is a whole secure computer with a radio as well as a keyboard!