Apple’s new fingerprint scanner: A good idea gone wrong

Apple’s new fingerprint scanner is a good idea. But the company has crippled it so much that it’s little more than a gimmick at best and a security problem at worst.

The fingerprint scanner, dubbed “Touch ID” by Apple, is one of the key new features of the 5S, the company’s new flagship smartphone that Apple unveiled Tuesday. The scanner is built into the device’s home button. Users interact with it by simply placing their finger on the button.

Apple is pitching Touch ID as a way to secure iPhones by replacing passcodes. At the company’s press event Tuesday, marketing chief Phil Schiller noted that about half of the smartphone owners out there don’t use a passcode to secure their devices. Touch ID is supposed to be an easier way to do the same thing — you don’t have to remember a passcode or type one in, you simply touch your finger to the button.

In my brief tests at the Apple event, Touch ID did this task fairly well. It took several minutes to configure for my fingerprint, but afterward the phone I was using recognized it quickly and immediately unlocked the phone.

The problem with Touch ID is that it does little else.

One of the big potential uses of an authentication technology like Touch ID is the ability to personalize a device for individual users. Indeed, Touch ID will recognize up to five individual fingerprints from potentially five different people.

But Apple doesn’t support multi-user personalization in iOS. So, you can’t use Touch ID to create custom logins for the iPhone 5S. Everyone who logs into the phone using the fingerprint sensor gets the same view — and the same access to the same group of apps and data.

Now, you may ask why that matters. Well, many parents allow their kids to play on their phones. But they may not want them to delete apps, rearrange the home screen or even access particular programs. While Touch ID could potentially help solve that problem — by recognizing a child as a distinct user from his or her parent — it can’t because Apple’s iOS software doesn’t allow owners to lock particular users out of different features.

But that’s not the only shortcoming of Touch ID. The idea of using a fingerprint instead of a passcode likely has wide appeal among a large group of software developers. Imagine using your fingerprint to log into your bank account or even into your Facebook app.

Unfortunately, you won’t be able to do either of those things or anything like them with the iPhone 5S. That’s because Apple isn’t opening up the fingerprint scanner to outside developers.

Touch ID does have one other feature right now besides allowing users to log into their phones. It can be used instead of a password to make purchases in Apple’s iTunes and App stores. If you’re like me, and have a long password, there’s a lot of appeal to just using your thumbprint.

But wait, there’s a good chance that you won’t want to turn on the feature. That’s because if you turn it on, it’s accessible for all recognized users of the device. In other words, any fingerprint that can be used to log into the phone can also be used to make purchases in Apple’s stores — on your account.

That’s got to be one of the most ill-conceived features I’ve ever heard Apple come up with. Instead of enhancing security, it makes your iTunes accounts far less secure than they were previously.

My daughter, for example, has no idea what my password is for iTunes. But if she can log on to my phone with just her thumbprint, she can suddenly make purchases on my phone by just tapping her thumb again.

Sure, I can simply turn off the feature or I can avoid training my phone to recognize my daughter’s print. But if I do the former, I can’t take advantage of the feature myself. And if I do the latter, I’m stuck having to touch my thumb to my phone every time my daughter wants to use it.

The reason for the limitation is the same as before: iOS doesn’t support personalization. You can’t create a customized view of your iPhone for different recognized users. If you turn on a feature, it’s turned on for all users.

I pleaded with Apple earlier this year to add support for multiple users into iOS. The feature is already built into Google’s Android and Microsoft’s Windows and Windows Phone operating system. It’s also a key part of OS X, which runs on Apple’s Mac computers.

Apple ignored my suggestion. I think that’s a mistake, but the company obviously had other priorities with iOS 7, the latest version of the iPhone operating system.

But what they’ve done with Touch ID has made things worse, not better. It’s one thing to not support personalized views for multiple users. It’s another thing to enable those multiple users to make purchases on owners’ credit cards.

Bad move, Apple.

Photo courtesy of Apple



  • Perhaps they’re taking the somewhat cautious (and I think somewhat reasonable) approach of taking things a step at a time. I’m sure they’ve tested it out a lot, but not 100-million-folks a lot, so perhaps they intend to see how it goes and add the many reasonable features you’ve suggested in a later software update.

    (I wouldn’t expect the multi-user personalization, though, since they’ve had all these years to add what for many seems to be a “most basic” feature, but have not. It seems apparent they want you to buy your kid her own device. )-: )

  • rob petry

    Hello, do you think I and many others want the NSA to have our fingerprint?
    How many times will this happen: a robber cuts off a finger and steals the phone and valuables? Go ahead, get that phone and give up your finger!

  • wookie

    There are other problems with using the fingerprint that no one else seems to notice:

    * If the weather is cold, raining, or snowing outside, one may be wearing gloves. But gloves hide fingers, so Touch ID won’t work.

    * People without fingers or hands (such as those born with birth defects, or accidents, or victims of war / war veterans) won’t be able to use Touch ID either if they have no hands.

    • Not to mention anyone else that needs to access your device such as emergency workers or your spouse. I can imagine an EMT trying to rub your fire burned finger across your phone just so they can check your ICE message or call a relative. Just a false sense of security that makes things more difficult in real world situations.

      • dr

        If you don’t have hands you wouldn’t activate it anyway. It is an alternate method; you can use both. As far as an EMT is concerned, how would they get to it if you had a regular password and you were incapacitated? Why do people comment without thinking anyway? It is an answer for the most stolen phones in America. It does not have to be used. No, you can’t cut a finger off because it needs live tissue. Yes, if it’s cold outside you will have to pull your gloves off. If you have synthetic gloves you still have to pull them off. And if the moon fell through your roof you would be dead.

    • LMAO

      I do believe you are a Wookie….however a real dumb one. I have to pass this on. No hands…how can they use Touch ID. That has to be the funniest thing I’ve heard in a long time. Where are these people’s brains???
      No hands, can you even HOLD a phone or log in without touch id? These people keep me entertained…

  • RS

    Are you saying that if you turn on the TouchID feature, you cannot use a 4 digit code to get into the phone? If so, that is the worst implementation for this.

  • Suabt1977

    Well! It’s a scanner, not a personalizer. A scanner is hardware whereas personalization is software.

    What have you been doing till now? Telling your daughter the passcode so she can make iTunes purchases? Or using it without a passcode? What would you have done if you used Android?

    iPhone is a personal phone not a computer that you can share with others.

    You don’t have to use the fingerprint scanner; you can still use a four-digit PIN password or no password so you can share with others.

    BTW, APPLE filed a patent for smart multi-user accounts for iOS. It has a lot of parental control features but still that makes sense only for iPad.

  • James

    I think a company like Apple would have considered those scenarios. Some of the mentioned scenarios are not always statistically significant – and most have a workaround. The war veteran scenario applies to other phones as well? (If you have no hands I think accessing Touch ID is not your biggest problem – and the gloves argument appears a bit bizarre – I’d recommend removal of the gloves (it’s a fairly simple process for most humans).) I would like to see other companies also get into this space to make bio-security more mainstream.

  • Jay

    First and foremost, children shouldn’t be playing with and/or using their parents’ cell phone. However, if the child is old enough to properly use a cell phone then they should have one of their own, and it doesn’t take much to unlock your phone for someone (child or friend) to place a call if needed.

  • John Bloch

    You’re an idiot! They can’t create multiple users without the technology first…. Now that they do, why don’t you wait and see what they will come out with.. Get a life and don’t let your kids use your phone if you have such an issue. Do what I did and buy them an iPod touch you cheap lazy idiot hahaha

    • chris

      John Bloch the pedophile?

  • Discit

    Your fingerprint is pretty secure this way though. If you’re worried about your fingerprint being abused this “dumb” approach is very secure. There are no app APIs to access it. It doesn’t leave the phone. It doesn’t do anything but compare yes/no, is this fingerprint authorized against the local authorized in the chip for touch access or app authorization.
    Apple could open it up to a few more uses while keeping your fingerprint secure from developers and hackers, but it seems designed around keeping your fingerprint very secure locally and only using it to see if you are authorized to use the phone or purchase apps, and you don’t have to enable it for either. They didn’t take anything away or add new risks if you don’t want to use it, they just didn’t add the multi user personalization you wanted, and iPhone has worked great for me without it though. I wouldn’t want another user’s apps taking up all my space or installing code, even on another profile, but that’s just me. I could see how it might come in handy but I don’t need that on my phone.
    For you, I would just keep new apps and purchases restricted by a password, and enable touch device access, then you can let someone use your phone and your point is gone. You don’t have to touch it to let your daughter use it, and she can’t make purchases unless you authorize that yourself, which is how it should be. You don’t have to let them purchase with touch at all, while still letting them access the phone. They’re two completely different settings. They didn’t add any new risks in this regard if you just don’t enable touch purchase. iPhone even requires new free apps to authorize, so you don’t have to worry about malicious apps targeted to children being downloaded with no password. You just set app store to require a password, or maybe restrict age categories, since ones targeted for children are much more restricted and audited by Apple too. You can just turn the app store off completely and enable it when you want real quick if you’re super paranoid. There are many ways around your “problem” of letting your daughter use your phone and touch access without letting her purchase or download apps.

    I understand it does not have some features you want, but to imply it opened up this new security risk on purchasing apps when it’s easy to disable that in restrictions, while still using convenient touch id device access, may be disingenuous and misleading, or possibly just mistaken.

  • Scott

    You’re an idiot. Don’t train the phone to recognize the kid’s print and just give her the 4-digit passcode. Moron.