Apple’s Mobile Touch ID System: Convenience Or A Security Risk? / by Gavin Lau

To people who are interested in staying on top of developments in the tech world, it probably feels like incredible technology improvements are being unveiled by the day. Many of the tech enhancements that eventually become commonplace get engineered in an effort to create a better UX or make it safer for people and sometimes both. Apple’s Touch ID mobile identification system is a great example of a possibility that makes e-commerce payments more efficient, but some people have concerns about potential security flaws. 

Designed by Apple, the Touch ID system is compatible with the iPad Pro, iPad Air 2, the iPad Mini 3 and 4 and all iPhones that are 5s or later.


How Does the Touch ID System Work?

The Touch ID System responds to an authorized device user’s fingerprint. After the person’s fingerprint is verified as being genuine, the device unlocks and the person will have the chance to make purchases of apps, books and music just by tapping the device’s home button after being prompted. People who have Touch ID enabled on the iPhone 6 or 6s can also use the technology to buy things through apps that rely on Apple Pay. 

Former Apple CEO Steve Jobs reportedly hated the traditional system of payment where people had to swipe their credit cards and enter PINs to pay for things. The Touch ID technology removes those steps from the payment process and may eventually not even require people to tap buttons to confirm purchases.


How Apple’s Touch ID System Makes Things Easier for Shoppers

Apple was the first company to do roll out the Touch ID system as a potential way for users to pay. Nowadays, there are numerous brands realizing this technology may be the way of the future, and they are getting on board with making it available. Also, it is important to realize Apple was not the first company to introduce a smartphone with this sort of fingerprint verification technology. Because so many people use iOS devices, though, the Touch ID system is probably the first time most have encountered that type of security measure

So, why is the Touch ID system being touted as something that is superb for shoppers? It makes sense why supporters think the technology will make it easier for people to buy what they want without encountering hassles. Indeed, some shoppers get so fed up with the purchase process that they end up deciding they will buy a product “later”, but never actually return to do so. By using their fingerprints for authorization, people can make purchases without passwords, thereby cutting down on the amount of time that passes between picking out a product and paying for it.

In early March of last year, Zappos, the popular online shoe and clothing retailer, upgraded its app to include Touch ID technology. From then on, shoppers could pay for things without having to enter passwords through the app. Vineyard Vines, a Connecticut-based seller of preppy neckties and other apparel, made a similar move just in time for the 2015 holiday shopping season. 

Even QVC, the company well known for encouraging people to buy things after watching them being presented on a dedicated television channel, has adopted the technology. Perhaps the tech upgrade is particularly relevant for that company, even if it may not seem so initially since QVC rose to fame thanks to television screens. However, it claims mobile users make up a rapidly growing segment of overall buyers around the world, and this is just one example of how QVC is trying to streamline things for them.

Other Uses for the Touch ID System

Although the Touch ID system is mostly being examined for use in commerce, there are also some apps and companies that utilize those apps for tasks that require a higher level of security than most. Examples include apps that allow users to scan documents or digitally sign paperwork. 

A bank has also begun using the Touch ID system, but not quite in the same way you have already learned about. It requires users to not only go through fingerprint verification, but also to prove their identities through voice, too.

Specifically, 15 million customers in the United Kingdom who use HSBC Bank have the chance to do away with passwords and security questions in favor of these newer verification methods. According to reports the vocal recognition system checks over 100 things that make a person’s voice his or her own, and it will work even if the user is sick.


Does Touch ID Pose a Security Risk?

As with all new technologies, some people have security concerns about Touch ID and wonder whether there are ways to reduce the threat of supposed shortcomings. The main risks centered around Touch ID are based on the fact that analysts say it is possible to replicate a person’s fingerprint by using a variety of methods, from photographs to Play-Doh.

It is difficult to limit access among multiple authorized users of a device, too. This reality may be problematic if Touch ID-enabled devices are distributed throughout a workplace, but there are not enough for each person to have their own. It may become impossible to track purchases made through the gadget unless company leaders agree on a certain person who is solely responsible for buying things through the device. 

Another suggested workaround is to have multiple users each use a different digit to log into the device since it is possible to save multiple fingerprint images via the Settings section of an Apple device. This solution could work, but it is a less-than-ideal option.

However, there are other ways to minimize the associated security risks, and especially those related to fingerprint transfers. During controlled experiments, hackers were able to trick the Touch ID technology by taking a photograph of a fingerprint that had transferred to a glass surface. However, in those cases, the index finger’s print was always used. 

With that in mind, it is smart to get into the habit of only unlocking your device with a pinky or ring finger. It is less likely prints from those fingers could be swiftly swiped from common glass items like beverage containers and tabletops. 

How does Play-Doh come into play as a possible security shortcoming? Experts say you should not worry about children’s clay eventually becoming a serious threat to your smartphone. That is because although researchers were able to make Touch ID-enabled devices respond to fingerprint impressions captured in Play-Doh, they only worked after the phone’s rightful owner pressed a fingertip into the substance for five minutes to transfer the print. 

Tech experts also recommend setting up a two-stage authentication system where a person has to use his or her fingerprint, plus voice authentication, to gain access and make purchases. It has been suggested if individuals are extremely concerned about keeping themselves and their information secure when using Touch ID technology, they should only depend on fingerprint authentication when it is also accompanied by another type of verification method. Besides the voice recognition software relied upon by HSBC Bank, facial recognition technology has also been put forward as something that might be a smooth and secure complement to Touch ID.


Final Thoughts

All in all, hacking Touch ID is not an easy task. As Marc Rogers puts it, it requires the skills, academic research and the patience of a Crime Scene Technician. Yet this does not mean that the system is not prone to being hacked. Then again, what system is?

With all these things in mind, users and developers should weigh the costs and benefits of using this type of authentication for some e-commerce transactions. They should also stay abreast of emerging security threats that could indicate hackers have become wiser to the ways to infiltrate Touch ID-capable devices.