A new patent filing describes using the cloud to transfer your Touch ID fingerprint data to other devices. Would such a system be safe and secure?
Apple has envisioned a technology that would sync your Touch ID data with other mobile devices, as well as point-of-sale systems, via iCloud.
Published on Thursday by the US Patent and Trademark Office, a patent filing called "Finger biometric sensor data synchronization via a cloud computing device and related methods" illustrates a way to record your fingerprints on one device via Apple's Touch ID sensor and then upload them to the cloud to sync them with other devices. Introduced in 2013, the Touch ID sensor is available on the iPhone 5S and the latest iPhones and iPads.
The sensor requires your fingerprint to access the device and to make purchases using the Apple Pay payments system. Setting up Touch ID is a matter of registering one or more fingerprints on your device.
Why would Apple propose a cloud-based system for this process? In its patent filing, the company suggests that Touch ID enrollment may be "cumbersome for users in some instances, such as when multiple fingerprints, users and/or devices are used." For example, my wife and I had to register our fingerprints not only on our own iPhones and iPads, but on each other's iPhones and iPads. That process was cumbersome. Cloud-based synchronization would eliminate the need to register all your fingerprints on every device you use.
But here's the problem: With the current technology, your fingerprints are stored solely on your iOS device. As Apple explains on its Touch ID security page, "iOS and other apps never access your fingerprint data, it's never stored on Apple servers, and it's never backed up to iCloud or anywhere else."
So, how would this proposed syncing technology safeguard your Touch ID data?
As described in the filing, you would have to validate your Apple ID account before registering your fingerprints, just as you do by entering your passcode. Your fingerprint data would then be encrypted and sent to iCloud. To use your fingerprints on a second device, you would have to verify them from a "to be matched" set of fingerprints on that second device. Your fingerprints on both devices would have to match up with the ones stored on iCloud.
Taking it a step further, the second device envisioned in this scenario could be an NFC-enabled point-of-sale system, one that you would use to buy items via Apple Pay. The POS would have its own fingerprint sensor that you would tap to validate the "to be matched" set of fingerprints.
Further, the technology could use NFC or Bluetooth to sync your fingerprint data as a more secure alternative to iCloud. However, that would be practical only for syncing two devices in close proximity to each other.
Such a system would certainly ease the process of setting up multiple fingerprints on multiple devices. But one of the security benefits of the current Touch ID is that Apple does not store your fingerprints online. Apple would have to prove that the system would be secure before users would consider storing their encrypted fingerprints in the cloud. An Apple spokesperson said that the company does not comment on patent filings.