Interesting new document in the May update to Apple’s Platform Security guide: “Secure Intent and Connections to the Secure Enclave”. (Spotted by Glenn Fleishman.) It’s short, so I’m quoting it in its entirety:
Secure intent provides a way to confirm a user’s intent without any interaction with the operating system or Application Processor. The connection is a physical link — from a physical button to the Secure Enclave — that’s available in the following:
With this link, users can confirm their intent to complete an operation in a way designed such that even software running with root privileges or in the kernel can’t spoof.
This feature is used to confirm user intent during Apple Pay transactions and when finalizing pairing Magic Keyboard with Touch ID to a Mac with Apple silicon. A double-press on the appropriate button when prompted by the user interface signals confirmation of user intent. For more information, see Securing purchases with Apple Pay. A similar mechanism — based on the Secure Enclave and T2 firmware — is supported on MacBook models with the Apple T2 Security Chip and no Touch Bar.
because some of the devices on this list don’t require double-pressing a button. The double-press rule is only for Face ID devices. Touch ID devices on this list only require a fingerprint scan — that includes MacBooks, M1 Macs with the new Magic Keyboard, and older iPad Pros.