
I don't think many (outside of perhaps Apple PR?) have argued that fingerprint security is great, absolutely speaking. Relatively speaking, however, it is great, as many phone owners would otherwise not have any sort of locking security on their devices at all. Yes a fingerprint unlock is hackable, but it's a lot less hackable than your phone being open from the get go.


I think Apple are pretty aware of the limitations - they don't accept TouchID on first login after a restart, for the first purchase after a restart, if it's been 48 hours since an unlock or for resets/major config changes. For that you either need the PIN or, if you've opted for more security, the password.

Overall it feels that Apple's take is for day to day login it's better than a four digit PIN and it's better than no PIN.
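The fallback rules listed in the comment above amount to a small policy: biometrics are accepted only when a passcode has already been entered since boot, the action is not the first purchase since boot, no reset or major configuration change is pending, and the last unlock was recent enough. The model below is an added illustration, not Apple's code or a description of the actual iOS implementation; the 48-hour window, the two action names and the flag names are assumptions taken from the comment's wording.

```python
"""Toy model of a biometric-fallback policy (constructed illustration).

Assumptions (not from Apple): a 48-hour idle limit, two actions named
'unlock' and 'purchase', and the state flags below.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

BIOMETRIC_MAX_IDLE = timedelta(hours=48)   # assumed value from the comment
BOOT = datetime(2014, 10, 20, 8, 0)         # constructed sample boot time


@dataclass
class DeviceState:
    booted_at: datetime
    passcode_entered_since_boot: bool = False
    purchase_done_since_boot: bool = False
    config_change_pending: bool = False       # reset or major settings change
    last_unlock: Optional[datetime] = None    # any successful unlock

    def record_passcode_entry(self, now: datetime) -> None:
        """A correct passcode/password satisfies every gate and clears the flags."""
        self.passcode_entered_since_boot = True
        self.config_change_pending = False
        self.last_unlock = now

    def record_biometric_unlock(self, now: datetime) -> None:
        """A biometric unlock only refreshes the idle timer."""
        self.last_unlock = now

    def record_purchase(self) -> None:
        self.purchase_done_since_boot = True


def biometric_allowed(state: DeviceState, action: str,
                      now: datetime) -> Tuple[bool, str]:
    """Decide whether a biometric match may authorize `action` right now.

    Returns (allowed, reason). Every False branch means the caller must fall
    back to the passcode or password; the sensor is never consulted.
    """
    if not state.passcode_entered_since_boot:
        return False, "passcode required after restart"
    if action == "purchase" and not state.purchase_done_since_boot:
        return False, "passcode required for first purchase after restart"
    if state.config_change_pending:
        return False, "passcode required after reset or major config change"
    if state.last_unlock is None or now - state.last_unlock > BIOMETRIC_MAX_IDLE:
        return False, "passcode required: more than 48 hours since last unlock"
    return True, "biometric accepted"


def at_hour(h: float) -> datetime:
    """Helper: a timestamp h hours after the constructed boot time."""
    return BOOT + timedelta(hours=h)


def walkthrough() -> List[Tuple[str, bool]]:
    """Run the scenario from the comment and return (step, allowed) pairs."""
    s = DeviceState(booted_at=BOOT)
    out = []
    out.append(("unlock right after boot", biometric_allowed(s, "unlock", at_hour(0))[0]))
    s.record_passcode_entry(at_hour(0))           # user types the passcode
    out.append(("unlock after passcode", biometric_allowed(s, "unlock", at_hour(1))[0]))
    out.append(("first purchase", biometric_allowed(s, "purchase", at_hour(1))[0]))
    s.record_purchase()                           # first purchase done with passcode
    out.append(("second purchase", biometric_allowed(s, "purchase", at_hour(2))[0]))
    s.record_biometric_unlock(at_hour(2))
    out.append(("unlock 50h later", biometric_allowed(s, "unlock", at_hour(52))[0]))
    s.record_passcode_entry(at_hour(52))
    s.config_change_pending = True                # e.g. a settings reset
    out.append(("unlock after config change", biometric_allowed(s, "unlock", at_hour(53))[0]))
    return out


if __name__ == "__main__":
    for step, ok in walkthrough():
        print(f"{step:28s} -> {'biometric' if ok else 'passcode'}")
```

The point of structuring it as a pure decision function is that the biometric sensor is only consulted after the policy says yes; the passcode path, not the fingerprint, is what re-arms every gate.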


>they don't accept TouchID on first login after a restart

That's because the hash of the print is stored on an encrypted volume of some kind, which requires your regular password to decrypt after a cold boot. Once the hash is in memory, the fingerprint can be used instead.


I'm not sure I'm following what you're saying 100%, but based on this [1] I don't think the fingerprint hash is ever in memory. The TouchID camera sends the fingerprint hash directly to the secure enclave, where it is compared to the one saved there, and then the secure enclave sends a yes or no to memory, at least that's my interpretation.

1. http://support.apple.com/kb/HT5949?viewlocale=en_US&locale=e...


I believe he meant "once the [password] hash is in memory"


Is it because of that, or is it implemented that way because they wanted to ensure that TouchID couldn't be accepted after a fresh restart? I think you may have the causality backwards, since they could have easily stored things in such a way that your fingerprint worked after a fresh reboot if they wanted to.


Exactly. Touch ID (hopefully!) isn't designed to protect against a sophisticated adversary with time for preparations; it only has to hold out as long as it takes the device owner to realize that their gadget has gone missing. In the case of Apple Pay, they can then immediately disable the payment functionality.

Of course, this doesn't help against a sophisticated attacker who is interested in the data on a device; in that case, a secure passphrase would be preferable.

Unfortunately, it seems like iOS doesn't allow using different authentication methods for payments and for device unlocking; it would be really nice to be able to use Touch ID for the former, and a passphrase (or even a passphrase AND a fingerprint!) for the latter.


Some Lenovo ThinkPads come with fingerprint readers and trusted computing modules and more secure BIOS -- they pushed the security of that quite hard.


I used to be employed by a bank that gave me such a system with TPM and secure BIOS with fingerprint reader. It was a Dell one if I remember and used to take quite a lot of time with even simple things like booting. It was a specific project!


Exactly. It's going to deter a lot of crimes of opportunity, which I would guess also make up the largest volume of unauthorized device usage.
