Apple’s Touch ID privacy flaw just got worse

When Apple launched its Touch ID fingerprint sensor, it had a troublesome flaw. Now that the company is allowing the sensor to be used by outside developers, that problem has potentially metastasized.

Touch ID will recognize up to five fingerprints. Those could be your own or those of your friends or family members or some combination.

When Apple launched Touch ID with the iPhone 5s last year, it only could do two things: unlock the phone and authenticate purchases in Apple’s iTunes and App stores in place of a password. The problem was that if you turned on both features, any fingerprint recognized by Touch ID could be used to do both things.

Unfortunately, if you are a parent with children or someone who wants to lend their friend their phone, you might want them to be able to do the former and not the latter. You might want the phone to allow anyone with a recognized fingerprint to be able to unlock it. But you might not want anyone with a recognized fingerprint to be able to buy things in Apple’s stores; you might want to reserve that right to yourself.

But when it created Touch ID, Apple didn’t create any kind of user profiles tied to it or give users more precise control over what access to give particular fingerprints. So, if you wanted to use Touch ID to ease iTunes store purchases, you either had to make sure only your fingerprints were recognized or live with the possibility that your kid might make purchases with just her fingerprint.

And now that flaw has become even more problematic, thanks to iOS 8.

The new update to Apple’s mobile operating system opens up Touch ID for use in other apps. Already, you can use Touch ID to log into your ETrade account, make purchases on Amazon, check your credit card statement from Discover and secure your collection of passwords for Web sites via the 1Password app.

But Touch ID still works the same, meaning that once you turn it on for a particular app, any recognized fingerprint can be used to gain access to the information stored within it. So, now, instead of just worrying about your kid buying apps or songs from iTunes, you may have to worry about them buying stocks on your behalf, ordering physical products or accessing other sensitive information. The only options Apple gives you to protect yourself from such scenarios are to delete any recognized fingerprints other than your own (or not record them in the first place) or not allow Touch ID to be used at all with those other apps.

Some apps do provide some measure of protection from unintended access via Touch ID. If you haven’t logged in for a while, they will require you to type your password rather than just using Touch ID to log in. Apple has put that protection in place on its App and iTunes stores and 1Password seems to have included it also. But it’s not an ideal solution; if you have logged into those apps recently, any finger recognized by Touch ID will gain access to them also.

This problem may get even worse soon. Phones are personal devices and aren’t often shared with other people.

But Apple is widely expected to add Touch ID sensors to its next generation of iPad tablets, which are likely to be unveiled next month. Tablets tend to be much more widely shared among family members and used by multiple friends and work colleagues. If Touch ID works the same on the iPads as it does on the iPhone 5s now — allowing anyone with a recognized fingerprint to gain access to any Touch ID-enabled app without any ability to set profiles or limit access — lots more private information could be at risk.

As I mentioned in my column today, I’m happy to see Apple open up Touch ID to outside apps. But the company needs to give users a lot more control over the technology.

Photo of Apple’s iPhone 5s courtesy of Apple.


Tags: , , , , , , , , ,


Share this Post

  • MarkS2002

    Well, at least this flaw won’t result in thieves cutting off your thumb, which was one of the scare stories from the 5s. Lock your phone up when you are not using it. And search your kids often.

    • Jedi

      Touch ID works flawlessly as intended. The iPhone is designed to be a personal device. If you want to make a personal demand that it be something different than intended and loudly proclaim that to be a flaw, then call it journalism… Meh.

    • Bob Faulkner

      Wow! I never even imagined such a scenario. For me, I don’t have this problem and I suspect most people do not.

      I don’t think this can be called a flaw because to me a flaw is more like a bug – something that does not work properly. I think Touch ID was never intended to be shared among multiple people.

    • Jonathan Mackenzie

      Yes, this is a stretch. Simply make sure that Touch ID is set up only for users who can make purchases (e.g. Mom and Dad) all others (the kids) get the pass code. Or simply tell your kids not to make purchases. When I was little I could have taken money out of my mom’s wallet without a pass code but I didn’t. Why assume today’s children are any less responsible?

      On the roger hand, there may be reasons to have your child carrying a phone that is enabled for purchases to your credit card. Lots of parents send their kids off to school with a credit card. This would be the same thing only more secure.

      I don’t see the horrible problem this author is trying to dredge up.

      • Jonathan Mackenzie

        Spell check seems to think the roger hand is a thing. I meant of course the “other” hand.

  • Jimmy Bosse

    I’m not sure you understand the definition of the word flaw. The feature does not behave as you would like but I would argue that the flaw is in giving anyone fingerprint access to you phone.

    It’s like complaining that my front door lock is flawed because anyone I give a key to can open my dresser drawer.

    But flaw does generate more click-thrus

    • Your analogy is imprecise.

      Touch ID works like a key that not only opens your front door, but also the locks on your safe, your garage, your gun cabinet and your car. You might want to give someone (a petsitter, say) your front door key, but you likely don’t want them to have access to those other areas.

      The same is true with your phone.

      • Sam

        Your counter is even more imprecise. In your example, you’re essentially saying that touch ID is like a house key. Well, if that house were meant for usage by one person, then it would be accurate. Now you could have said that Touch ID is like a car key, so giving that to someone also gives them access to a locked glove compartment. But I suppose you think that is a major flaw too.

        PS, it’s not that companies haven’t addressed the things you say, it’s just that I don’t think anyone listens to you.

      • Brian Latimer

        Fine – then don’t enable the ability for TouchID to authenticate for purchases. This setting exists for exactly this reason.

        This entire article is based on flawed logic, and invalid expectations. Characterizing this behavior as a “serious flaw”, merely to obtain more page hits, shows a serious lack of journalistic integrity.

        You need to issue a retraction, Troy.

      • Michael

        This is more like getting a second credit card for your friend/child/spouse and then being upset when they use it to purchase things you didn’t think they would.

        You gave 1Password as an example of a Touch ID app that opens up private information via Touch ID. Yet 1Password is opt-in to Touch ID. Name one app that enables Touch ID by default.

        As far as this being a “Privacy Flaw,” how can you expect to have any privacy from someone for whom you’ve enabled full access to your device??? In that situation you expect privacy? How??

        You’re welcome for the page view, you certainly didn’t earn it.

      • And this is why you give them the pass code to your phone and not enroll them with Touch ID… Just because you can enroll more than one person doesn’t mean that it was the primary goal of the touch ID. It is the multiplier system that is flawed (because it does not actually exist) and not the touch ID.

        I can hammer in nails with my phone, but I wouldn’t write an article about how my phone broke when I did it….

  • John C.

    Maybe you should rely on yourself to control your children and not their fingerprint or Apple. Come on….

  • Brian

    You, sir, are an idiot. This so-called “flaw” of epic proportions has one of the easiest fixes if you just think about it for one second. MAKE ANYBODY THAT YOU DON’T WANT MAKING PURCHASES USE THE PASSCODE INSTEAD OF THE TOUCH ID!!! Holy cow!!! Mind blown, right??? How do people like you get jobs as a “journalist”. Go write about women’s clothes or something you actually know about. This Chicken Little journalism is tiresome.

    • Yup. That’s certainly an answer to the problem.

      However, Apple doesn’t make clear the implications of having Touch ID recognize other people’s fingerprints — and how that has just turned into a much bigger problem.

      When the iPhone 5s was released, all Touch ID did was unlock the phone and authorize purchases from Apple’s digital stores. Under that scenario, a parent might have felt perfectly comfortable setting up Touch ID to recognize her kid’s fingerprint, so the kid could play games or access YouTube. If she was worried about her kids making unapproved purchases, she could turn off that access.

      But now, Touch ID does a lot more — and parents may not realize that in giving other apps access to Touch ID, they are also granting access to those apps to anyone whose fingerprint is still recognized on their phones.

      They may have been comfortable with allowing their kid to unlock their phone with their fingerprint, when that’s all they could do with it. I’m doubting they’re going to be comfortable with allowing that same fingerprint to be used to make a purchase on Amazon or unlock their bank account.

      • QA Nerd


        Don’t ever go in to QA. This isn’t a bug. It’s not a flaw. It isn’t even a feature problem.

        You know, there’s a reason that iPads don’t have touchID, right? It’s because they’re usually used – even chiefly so – by more than one person.

        Phones are, by definition, personal devices with some multi-user applications. Authentication is not a multi-use application. I use TouchID to catalog more than one of MY fingers. I also understand the onus is on me as a user and owner of a device not to give my kids my iCloud password, or at least to use the multiple OTHER safeguards that exist against kids using my registered credit card for purchases, etc.

        Good lord – you’re as bad as Magid. If it doesn’t work like what you’re used to, you seemingly refuse to understand it.

        • You obviously don’t have kids.

          Regardless of what Apple or other manufacturers intended, the iPhone in particular and smartphones in general have long been de-facto multi-user devices, because parents shared them with their kids. (I would argue that it’s also not uncommon for married people to share them from time-to-time with their spouses.) Recognizing that fact, Microsoft two years ago built a feature called “Kids Corner” into Windows Phone 8, allowing parents to create a “kids safe” area in their phones that would provide access to some features but not all.

          Again, regardless of what Apple intended, there’s nothing in Touch ID that limits a user to only having it recognize the fingers of one person nor are there any warnings from Apple about having it recognize more than one person’s fingers. In fact, when Apple demonstrated Touch ID at its iPhone 5s event last year, one of the things its representatives repeatedly demonstrated was the sensor’s ability to recognize fingerprints from multiple people, as if that were a big advantage of the sensor.

          An iPhone 5s owner may have felt very comfortable allowing their kid to use Touch ID when it debuted last year, because it was a convenience and a novelty — and its use was limited. They may not realize that having granted access to Touch ID then just to unlock a phone may now grant their kid access to their bank account or to make purchase from Amazon.

          Again, what’s effectively happened is that Apple has taken a lock that only guarded access to one or two things and is allowing it to be used to guard a great many things — without warning users about the implications of that change or providing the ability to customize who has access to which locks. Only having to manage one key is a great convenience over having to have a different key for every lock. But it’s also very dangerous, because anyone who has access to that key can get wide access.

          • Taylor

            I have kids and here is how you solve your problem. Don’t give your phone to your kids! Problem solved. It’s not a flaw. Your melodramatic “reporting” causes a stir for no reason. Guess what my kids do instead of playing with my phone, go outside, play, enjoy other things than playing with apps on my phone. Problem solved.

    • Jay

      This is journalism these days. anything to get you to click is “news.”

  • Henry 3 Dogg

    Click farming.

    This has nothing to do with TouchID

    This is about single user devices.

    You give someone your login credentials and they’ve got them and can use them for whatever powers that login possesses.

    How is that a flaw in TouchID?

    • It’s a problem with the way Touch ID is implemented. Touch ID assumes that every recognized fingerprint ought to be given the same level of access to the device and to Touch ID-enabled apps.

      But if you’ve configured Touch ID to recognize fingerprints from more than one person, that’s almost certainly not an accurate assumption. You likely want to grant different levels of access to different distinct users.

      • Henry 3 Dogg

        No. Its a problem of giving a user access to your account.

        Exactly the same problem would exist if you gave the user your passcode.

        The user can then access all of your email accounts. Use them to steal your identity from your bank and everyone else. Change your address. Have new cards issued. The lot.

        You’ve simply invented a misuse of a device which in principle doesn’t work. And then when you identify that it doesn’t work, rather than junking the idea, you randomly decided to blame it on TouchID.

        It’s only sensible to do what you’re asking to do on a device that supports multiple user logins.

      • QA Nerd

        An iPhone is not a computer. People keep bringing up the obvious problem in your reasoning – the iPhone is not meant to be shared with other users (and TouchID can register several fingerprints chiefly because most people have more than one finger, duh).

        I have yet to see Troy respond to the fact that the iPhone is a single user device – applying the iPad or desktop computer use case to this device doesn’t make much sense. Troy’s arguing that giving your root password to every user is a terrible idea – and that’s true – but this isn’t a multi-user device.

  • SB

    Well, your click bait worked… this time. “Flaw?” Please. You could have just made your valid point about user profiles (particularly for tablets) without resorting to such language.

    I guess I will have to avoid the Silicon Beat next time.

  • Peter Lee

    Just give friends or kids the code number to unlock your phone instead. Problem solved.

    • Good tip.

      However, it’s quite possible that there will be password-protected apps that you might want your kids or friends to be able to access. It might be useful or expedient for them to be able to use their fingerprint instead of typing in a password for those services.

      • SL

        Then this is not a flaw, this is a lack of functionality and flexibility.

        After reading all of these comments and all of your replies Troy, you need to understand that the main concern of everyone is that you miss use words, primarily the word “flaw”.

        Save yourself the trouble and admit your fault in using this word.

        I understand your point that you might want to allow other people to use your phone and that sometimes the TouchID is just simpler to set up then having them remember your passcode and possibly 1 or 2 passwords for certain apps in your phone. But this does not mean that the current TouchID is flawed, it just means it is currently limited in functionality.

  • Mildren

    I believe you are confusing a “flaw” with a feature. The flaw would be with a PERSON that decides to add other people’s fingerprints to their Touch ID list. It would be the same “flaw” as a person that shares their password with someone. The issue lies with the consumer not the company.

    • The flaw would be with the person if that person used the same passcode everywhere.

      The flaw is with the technology if it does effectively the same thing.

  • Gaza

    The article makes it sound like the Touch-Id is hard coded into the phone and can’t be changed. Talk about blowing things out of proportion.

    It’s called software update 8.01 or whatever version they want to add the level of user access each fingerprint has.

    • The article is clear that this is problem is related to how Apple has implemented Touch ID, not the sensor itself.

      This problem has been known since Apple released the iPhone 5s. They didn’t fix it in any version of iOS 7 and it remains a problem — an even bigger one — in iOS 8.

      So, yes, maybe they’ll fix it someday. They haven’t yet.

      • Henry 3 Dogg

        They didn’t fix it because it isn’t a problem

        You are simply designing something else. And then calling it a flaw that it isn’t what Apple designed. Apple designed a single user, personal device. Not a shared device.

        Now for situations with children they can have their own devices with their own fingerprints, or pass codes and can still spend on dads credit card as members of a family account.

        But when they do so, dad’s iPhone asks dads permission before accepting the transaction.

        That is Apple’s solution. It’s different from your solution.

        It isn’t a bug of a flaw that Apple thought differently.

        And bluntly, had Apple implemented your solution, I doubt that any user could use it securely.

        Whereas Apple’s solution seems well thought through.

        But what do I know. Ive only been designing software for 40 years. Clearly journalists know better.

        But surely, even a journalist should begin to wonder when they read down the list of responses and find that every responder is saying the same thing.

        That this is a personal device.

  • Brian

    This is not a flaw. Up to this point, Apple has explicitly intended iOS to be single user. They have a multiple user OS, this is not it. There are a host of settings and access to private or proprietary data on my iOS device that I would not want my kids to have access to. Work email? Client information? The company VPN? Do you really “lend your friend your phone?” Your smartphone with all your documents and email accessible? Does your employer know you lend out your phone?

    To use an analogy, if you give your 13 year old child the key to your car so they can listen to the radio while you are getting milk and then they drive, do you blame General Motors?

    The OS would not solve this problem by having preferences for what privileges are available for each and every app. It would solve this by having multiple user accounts. Apple so far has chosen not to, based on some combination of memory/performance degradation and sales considerations.

    • I’ve long proposed the notion that iOS ought to support mulitple user accounts — or at least to be able to create on an iPhones and iPads kid-safe areas that don’t have access to work email, etc.

      Your analogy is inexact. No, I wouldn’t blame GM if my kid chose to use my key to drive my car. I would consider it a flaw if that same key opened my safe deposit box or my personal office.

  • Scott

    What a ridiculous article.

    Ever heard of personal responsibility? The whole point of TouchID is so that YOU can unlock the device. Not your kids, wife, dog, et al.

    Want someone else to have access to your device, but no ability to buy something, give them your 4-digit passcode. Problem solved.

    • Yup, that’s one way to solve the problem — assuming you don’t use the same passcode for other services.

      Another, more sophisticated way would be if Apple allowed users to designate what fingerprints were allowed to open access to particular apps and services.

  • Rob

    What kind of moron registers their kids fingerprint on their iPhone? We don’t give free reign to our kids to open devices or computers. If they need access we open and give it to them.
    What happens when your kid gets hold of your car keys?

    • I’m guessing that lots of people with iPhone 5s devices and kids have registered their kids fingerprints. It’s an easy way for them to unlock the device to get to things they use — games, the Web, Wikipedia, etc.

      Giving out a passcode is not the same as handing over the keys to a car — or even to a house. Just because I give my car key to my son doesn’t mean he can use it to open my bank account. And just because I give a petsitter my house key doesn’t mean she can use it to open my garage or my safe.

      • Rob

        Yes, your car keys may not open your bank account but they may open the glove compartment.

        However your whole argument is flawed. Iphone is meant to be a personal device. If someone needs access to it enter the passcode and give it to them.

        I am yet to meet a parent that has registered their kids fingerprints on their phone or given them passcode.

        However, if you do want to go with multiuser type setup several people have proposed giving kids passcode but not touchid. It’s akin to having a house master key that opens a vault and a separate key that only opens the front door.
        Several people have proposed that here. I’m not sure why it’s difficult to understand.

        Hardly a flaw!

      • QA Nerd

        “I’m guessing that lots of people with iPhone 5s devices and kids have registered their kids fingerprints.”

        Nice – admitting this entire article is based on your guess of something you have no hard data or use cases for.

        Have you ever actually worked in technology? Designed and shipped a product? No wonder so many people are taking offense at your use of the word “flaw”. You’re out of your depth – and even worse, so is your editor.

  • travel bug

    Now this is just silly! Why would you want to lend such a personal device to someone you don’t trust? Don’t you have personal emails, photos, documents, on your phone? Are you sure you are comfortable sharing? Just keep your phone to yourself and quite whining!

    • You obviously don’t have kids.

      • Ben Grey

        I normally don’t get all up in arms about internet debates but whats up with the fire breathing readership here?

        Yes I agree he obviously doesn’t have kids or even been about people with kids. 🙂

      • Kime2009

        So? You are the ONLY one has kid here?

        Don’t you dare to insult other PARENT!

  • Mike

    My biggest gripe is the title this is not a “privacy flaw” of apple, it is a user flaw. This is you willing to register other fingerprints on your phone. If you are concerned with privacy or don’t trust your kids/others then don’t register other fingerprints. It is not a flaw of TouchID

    I am sure this is #2,887 on ios priority list….

    • Yup. Good tip.

      However, Apple does not make clear to users that if they do enable Touch ID for their kids or friends, they are potentially granting them the power not just to unlock the device but to make purchases, access their bank accounts, etc.

      • Rob

        Have you actually read articles on their support site. Are their no help articles about this.

        Do we need to spell this out to users? Please hold cup carefully; hot coffee inside!
        Honestly your article is a whine and not a flaw. It would be a flaw if there was no fix.
        I do have kids, and they don’t unlock idevices.
        If something as simple as giving them passcode can solve your “situation” it’s not a flaw.

    • Russell

      And #1 on that list is to stop supporting older devices and get more people on the upgrade treadmill.

  • Boat guy

    Well talk about nothing about nothing. I am amazed at the lengths some will go to try and dig up non issues. first this sounds like a parenting issue. Second I am sure that Apple is smart enough to get this and will have a great way to fix this great hole in their OS…. give me a break!!

    • Apple has known about this problem since it introduced the Touch ID sensor with the iPhone 5s last year — and has nothing to address it.

      • Rob

        So you are saying that apple has acknowledged this issue and not done anything?
        I’d love to see a link or quote.
        If there’s none then it’s your wishful thinking.
        No one here thinks it’s an issue let alone a flaw.

        • Jonathan Mackenzie

          The only thing sillier than this article is that the author keeps trying to defend it.

      • Bob Faulkner

        Touch ID is intended to register one set of fingerprints. You know, a thumb, a foreginger, etc. It was never intended to register multiple users. There is no flaw.

        • Ben Grey

          So as an admitted apple fan boy, I don’t get the hate on this author. I don’t know his other work but I can tell you I completely agree with his assessment. I don’t know if I need multiple users from my iPhone iPad but I do want to protect my finger print registration with another level of security.

          In fact I’m here because I was looking for a solution to my concern and ran across this article.

          If he’s a typical Apple basher, I won’t defend that but once again on this issues. We see eye to eye.

  • Hiram

    This is only a problem for those who want to share their phone with someone they don’t trust. ??? If I were to let a child use my phone, it wouldn’t be without supervision anyway. You could use your old phone for your kids, unlocked and don’t give them your Apple ID. Phones are not multi-user devices except for the terminally cheap. If you’re that strapped, you shouldn’t have a smart phone, you should get a cheap one and spend some money on your children.

  • Boat Guy

    As I said, non issue. Why don’t you think about the responses you have received so far not this. I am sure even you will see that nobody agrees with you… stop being defensive… you goofed on this. Give it up.

  • Dave

    The only ‘flaw’ is don’t hand your phone to someone you don’t trust.

    Stop being cheap and buy your kid his own smartphone or tablet. You can get a POS phone/tablet for under $99 now.

    The iPhone/iPad were never meant to be used as a multi-user device. Its simplicity is one of its main selling points. This is like saying a Toyota Camry has a flaw because you can’t fit 8 people in it. It wasn’t meant for that purpose. Same thing with iPhones. They are personal devices.

  • ABC

    This flaw is another example of why iOS is a toy OS at best. Not meant for anything as industrial grade as user account control.

    Pretty funny to see the fan club line up to say “no one would ever loan their phone to someone they “don’t trust.” As Troy says, they don’t have children.

  • GV

    Troy, don’t you know better than to criticize any Apple product, much less the iconic iPhone?

    I imagine that you get it now after reading the responses to your article…

    FWIW, I agree with you. Fixing it should be on Apple’s list for the first iOS 8 update.

  • Jim

    The reason Apple hasn’t addressed it is because it is a no brainer NON issue

    • Russell

      No brainer? People used to feel the same way about Apple’s in-app purchase lawsuit.
      Please remind us who lost that lawsuit.

  • Miss

    I don’t think it should of been called a flaw.
    What you are saying is that you want apple to create levels of authorization for each fingerprint.
    This should be brought up with apple, so maybe this is how he is trying to get apples attention.
    The new iphone 6 will have apple wallet to make purchases, like Isis or now called soft card through NFC. So levels of authorization would be good. Especially for iPad. They do tend to be family device.
    I personally know that children depending on age have there own iphone, so I don’t think it’s as much of a problem as it’s being made out to be.
    I think we will see that it would be useful with the apple wallet.
    But as many have said if you don’t want them to have access than don’t give it to them. It’s like your credit card, if you don’t trust them to make only the purchase you intended them to use it for than they shouldn’t be given access to it,

  • Mark

    I am not sure why this is causing so much defence of Apple’s OS regarding what clearly is a ‘flaw’ in this ‘feature’.

    In spite of all the comments regarding not giving your phone to somebody, the flaw IMO then, is in the design of allowing multiple fingerprints in the first place, if nothing else.

    You cannot call something a ‘feature’ and not a ‘flaw’ just because you have thought of an unoriginal and pointless work-around as simple as “don’t give your phone to anybody”. As this defeats the object of having the ‘feature’ of a multiple user interface for the device, otherwise why allow multiple access in the first place?

    To be fair to the author, he is simply highlighting the FACT, that there is no security filtering in the OS, to distinguish between an Administrator, or managed user of your device when accessed with touch ID.

    What is wrong with acknowledging that simple fact, other than the zealous and unrequited love of a billion dollar corporation?

  • The landscape of both smartphone usage and consumer identity fraud is changing dramatically, and Troy raises some increasingly-relevant points–regardless of what words we might prefer to see used within the article.

    I’m neither concerned about semantics (“flaw”, “unintended consequence” or “no threat at all”?) The point is to assess potential risk and appropriate remedies first, and then to use the conclusion to potentially question the motives. As a person who uses nationally-representative primary research to study both payments and fraud (historical, present and projected-future), I’m just trying to understand if there’s something to be learned–and I believe there is.

    As smartphones increasingly become the device of choice for managing financial accounts and other sensitive (individual) identity-based records, a significant safety problem truly could occur. The problem is that individuals–and especially the many with reduced technical prowess who often share their mobile devices with others–could unwittingly hand over access to sensitive personal accounts, resulting in unintended fraud. Skipping past the part about who might be to blame, it’s worth assessing the value of adding new design elements that incorporate increased permissions-settings capabilities. Everyday behaviors that inadvertently determine who has access to your finances through your phone are changing radically, and there’s no reason why we shouldn’t consider the risk that the author discusses.

    Why not give primary account-holders increased capabilities to cordon off access to particularly sensitive records and accounts, rather than primarily rely on a single authentication mechanism?Smartphone access to payment, financial and identity records is creating profound change, and there’s no reason that we shouldn’t shift more safety and control to primary identity-holders to help everyone–from Apple to banks to merchants and individuals as well–benefit from this.

    If anyone can add simplicity, elegance and effectiveness to a traditionally overly-complicated and costly problem such as this Apple can.

  • Ben Grey


    Maybe I’m on the only that sees it the way the author does. I just come from the iPhone 4s to the 6 and was looking forward to Touch ID but the way it operates does seem very very short sighted on apples part. I was hoping my kids wouldn’t figure it out but after my 13 daughter played with the phone for about 5 minutes she quickly realized all she had to do is know the password to unlock my phone then register her own fingers.

    Why not have the option for a second 4 digit PIN for Touch ID? I think that would solve the problem I fear most.

    • Excellent point, Ben, and one I hadn’t considered until you mentioned it.

      You’re right. Simply giving your kid (or spouse or friend or whomever) the passcode to your phone, instead of giving them Touch ID access doesn’t solve the problem. Because that same PIN can be used by that person to create a recognized fingerprint in Touch ID — which then gives them access to everything in your phone protected by the fingerprint sensor.

      And unless a user regularly checked the Touch ID settings, they might never know that another fingerprint had been added, because iOS doesn’t give any kind of notification that a new fingerprint has been added to Touch ID outside of the fingerprint sensor’s settings area.

  • Brad C

    I’ve turned off TouchID (for login) for one reason, and one reason only. There is a significant (500 – 1000 ms delay) to sign in with it. I’m a heavy iPhone user, in my phone all day long. Apple allows one to save one’s passcode so as long as you’ve used your phone in the last hour, you don’t have to re-enter it again.

    If they’d allow users this capability with TouchID (to save or ‘cache’ one’s TouchID sign-in)–even with a big warning that this isn’t recommended and isn’t safe, caution advised!–I’d turn it back on. Big mistake on their part not to give advanced or heavy users this convenience.

    Apple, please give users more control over TouchID.

  • Flawless

    So it is a flaw that my kid’s fingerprint was enrolled and they accidentally dialled 911 or an 800 number or any international number . It is also a flaw that they accidentally delete any apps. Another flaw that they were able to send iMessage or SMS to anyone in my contacts. What a really flawed device then huh? Or really just a “flawed” logic? Even if it is a smart phone, you don’t expect it to handle complicated user permissions. Well good luck in finding the ever perfect super phone, doing everything that man can think of so that it cannot be considered as having a “flaw”

  • Fernando

    Just another post with a catchy title to get more clicks.

    You cant call a flaw to a device which works as its designed for. If you want to share a device, then you are not using the device as it was designed for.

  • Ben

    I’m not sure if the author is still following this article’s comments, but I’d like to add my two cents. There is no flaw nor bug present in Touch ID (as it relates to this article’s argument) but that doesn’t mean the author doesn’t have a point. The problem is that the author argues Apple has a flawed product, when the truth is he is talking about adding more features. The author is right, that would be great to assign permissions to individual finger prints. That sounds like a great feature, but the lack of that feature doesn’t mean a flaw is present, it just means the feature is absent. Perhaps Apple will add this feature in a future update or maybe it would require new hardware and multiple “secure enclaves”, in which case the feature couldn’t be added until the hardware was updated with the release of new iDevices. One commenter made an excellent point that truly does represent a security issue: the same passcode that unlocks the device also allows manipulation of the Touch ID settings, including adding or removing fingerprints. That is truly a security concern, but one easily remedied by allowing the user to add an alternate password that only served to access the Touch ID settings, and nothing more. There, now all concerns have been addressed. iPhones and iPads are multiuser devices, that is totally true, but while I hand out my iPhone right and left to friends, collegues, and children, I don’t give out my passcode, and I certainly would never allow other users to added their fingerprint to my device. Truly the only actual “flaw” here is allowing the same passcode that unlocks the device to also change the Touch ID settings. A better solution would be to either have a unique Touch ID settings password, or to use the iCloud password instead of the device passcode to access those settings.

  • Thu Lan

    i just got the iPh6+ for BD
    Touch ID but when inserted in protective case it kept giving “Try Again” message
    and then You Need Passcode to enable Touch ID; did that, same thing. Took it out of case, it works fine. i wouldn’t use the phone by itself (reason why i waited 4 days until received protective case before activated my new phone.
    There is a plastic cover on the back of the phone; just wondering if this causes problem ?
    Thanks for any help learning new tricks for an old dog…

  • Vasilis

    Any updates/ reflections now that Ipad air 2 is out?

  • Prez Cannady

    If you’re not locking down sensitive operations–payments in particular–in your app by prompting for authentication each and every time, then you’re doing it wrong. Consider how the App Store and iTunes work.

  • Jeff Brummer

    They definitely need more ability to “lock out” particular apps based off who “touches”. They need admin capability MDM.