When Apple launched its Touch ID fingerprint sensor, it had a troublesome flaw. Now that the company is allowing the sensor to be used by outside developers, that problem has potentially metastasized.
Touch ID will recognized up to five fingerprints. Those could be your own or those of your friends or family members or some combination.
When Apple launched Touch ID with the iPhone 5s last year, it only could do two things: unlock the phone and authenticate purchases in Apple’s iTunes and App stores in place of a password. The problem was that if you turned on both features, any fingerprint recognized by Touch ID could be used to both things.
Unfortunately, if you are a parent with children or someone who wants to lend their friend their phone, you might want them to be able to do the former and not the latter. You might want the phone to allow anyone with a recognized fingerprint to be able to unlock it. But you might not want anyone with a recognized fingerprint to be able to buy things in Apple’s stores; you might want to reserve that right to yourself.
But when it created Touch ID, Apple didn’t create any kind of user profiles tied to it or give users more precise control over what access to give particular fingerprints. So, if you wanted to use Touch ID to ease iTunes store purchases, you either had to make sure only your fingerprints were recognized or live with the possibility that your kid might make purchases with just her fingerprint.
And now that flaw has become even more problematic, thanks to iOS 8.
The new update to Apple’s mobile operating system opens up Touch ID for use in other apps. Already, you can use Touch ID to log into your ETrade account, make purchases on Amazon, check your credit card statement from Discover and secure your collection of passwords for Web sites via the 1Password app.
But Touch ID still works the same, meaning that once you turn it on for a particular app, any recognized fingerprint can be used to gain access to the information stored within it. So, now, instead of just worrying about your kid buying apps or songs from iTunes, you may have to worry about them buying stocks on your behalf, ordering physical products or accessing other sensitive information. The only options Apple gives you to protect yourself from such scenarios are to delete any recognized fingerprints other than your own (or not record them in the first place) or not allow Touch ID to be used at all with those other apps.
Some apps do provide some measure of protection from unintended access via Touch ID. If you haven’t logged in for a while, they will require you to type your password rather than just using Touch ID to log in. Apple has put that protection in place on its App and iTunes stores and 1Password seems to have included it also. But it’s not an ideal solution; if you have logged into those apps recently, any finger recognized by Touch ID will gain access to them also.
This problem may get even worse soon. Phones are personal devices and aren’t often shared with other people.
But Apple is widely expected to add Touch ID sensors to its next generation of iPad tablets, which are likely to be unveiled next month. Tablets tend to be much more widely shared among family members and used by multiple friends and work colleagues. If Touch ID works the same on the iPads as it does on the iPhone 5s now — allowing anyone with a recognized fingerprint to gain access to any Touch ID-enabled app without any ability to set profiles or limit access — lots more private information could be at risk.
As I mentioned in my column today, I’m happy to see Apple open up Touch ID to outside apps. But the company needs to give users a lot more control over the technology.
Photo of Apple’s iPhone 5s courtesy of Apple.
