With Touch ID in the iPhone 5s, Apple wasn’t the first to integrate a fingerprint sensor in a smartphone, but it certainly popularized the feature as other manufacturers race to build similar technology into their next-gen iPhone competitors. HTC is packing in fingerprint sensors in its latest flagship devices and Samsung announced its new Galaxy S5 earlier this week with finger scanning as one of the standout upgrades. The verdict is still out on how Samsung’s tech compares to Touch ID, but it is interesting to see how others are using fingerprint sensors while Apple keeps it closed to developers and offers very limited applications. With Samsung letting app developers access the new S5’s fingerprint scanner for mobile payments and more right out of the gate, should Apple open the fingerprint sensor to devs in iOS 8?
Apple decided that initially Touch ID would be limited to unlocking the device and authorizing App Store and iTunes purchases. Samsung, on the other hand, has just announced an updated SDK that gives developers access to request fingerprint recognition and “Verify whether the fingerprint of the current user matches the fingerprint registered on the device.” That opens up a ton of potential applications for Android app developers and could be a big selling point when consumers compare the iPhone’s fingerprint features to the Galaxy S5. Samsung will be doing payments with the sensor through PayPal as well as device unlocking and a private mode that keeps certain content hidden until activated with the sensor. HTC has a feature that lets users assign each finger to a different app for quickly launching apps with a touch. Apple’s limited Touch ID functionality is quickly starting to look outdated.
Will Apple open the fingerprint sensor to developers in iOS 8? CEO Tim Cook did all but confirm new functionality is on the way when talking about mobile payments during Apple’s earnings call last month:
The mobile payments area in general is one we’ve been intrigued with. It was one of the thoughts behind Touch ID […] it’s a big opportunity …
Even with the possibility for mobile payments using Touch ID, which we’ve discussed in the past, the question remains whether Apple will keep it closed to developers to focus on its own mobile payments system, slowly open up new functionality feature by feature, or simply allow devs the opportunity to access the hardware freely for any number of use cases in their apps.
Um…No? What kind of question is that?
Can you explain why they shouldn’t? Opening up the fingerprint sensor to devs means we won’t have to type in a passcode every time we want to: (1) open up apps that we want to protect the data in, such as a banking app; and (2) making purchases via apps such as Amazon could be made incredibly easy and secure instead of having to type in a long password or an incredibly insecure passcode.
Wait why not? It doesn’t mean they would have access to the fingerprint data, just that they would be able to get a ‘yes’ or ‘no’ back from the API saying if the authentication was successful or not. I don’t see the issue.
He says no because Apple hasn’t come out and said that’s what they are doing yet. As soon as Apple states that it will be a feature, then he will say he thought it was a great idea all along.
PMZanetti is a huge troll and hates on anything non-Apple, but then loves them as soon as Apple takes the ideas of others and uses them (I think it’s a good idea for Apple to do that, by the way, I’m not hating on Apple at all).
If they just get a yes or no from the API I’m all in.
Not sure I would like every app to be able to scan my finger.
Lol @thejuanald
Anyway, the ‘Why’ is a great question…I feel that this data is simply too dangerous to give developers any access to. Just because people state that “Apple would do it without giving devs actual access to Fingerprint data” does not mean that there would not be hiccups in that concept.
For instance, how many Apps have already been caught mishandling data they are granted access to (such as Contact and Location data)? A single instance of such a mistake with fingerprint data could and would be disastrous.
People are becoming far too trusting of everything Apple does, and giving them a pass. If Apple does open this up to devs in any fashion, it will be a risky move and one that I personally do not approve of.
@PMZanetti, I highly doubt that the fingerprint data is stored in a format that can be reconstructed into an image of a fingerprint template. I recommend that you do some research before making assumptions. Biometric technology has been in use for well over 30 years now. And it is a complex algorithm that plots a minute graph based on the unique identifiers which is your UNIQUE identity inside a fingerprint. That is converted into a code sequence, example:
d5a8i0a0h1d:g3f5a0l1e0`3`7b0`1i0j:h7`h5o0`9i3cd7k0a=a<a0l8g0b=d7`8l8m1b4a5a4`8o0d3j7c9`9l1c?`7b4l:n0i?a0c5l;j1i8`9c1`<d0i?`;b<l`1d8h6c1`>a1j9a2c5l>o1j6`;o?o?o?g6`8`;`=a0a2a4a4a4a2a1o?o?o?o?g4g7`7`:`;`>a0a3a4a4a2a1a3o?o?o?g4g7`7`;`=`>a0a3a5a5a2a1a2a2o?f>g3`1`8`;`=`>`?a1a4a5a4a3a3a3e=f0f6g2`:`=a0a2a3a3a5a7a9a:a:a;e9e=f2f<`8`=a1a3a5a6a8a9a;a<a<aa2a5a7a8a:a;a=a=a=a<e0e2e6e9`9a1a5a8a:a;a<a=b0b0a?a=d;d;d;d9a<a8a9a;a<a?a?b0b3b2b1b0d3d1d0c:b5a<a;a<a?b1b1b1b5b4b2b0c:c8c6c2b4a?a<a;a<a?b0b1b5b3b1a?c5c3c0b;b0a<a:a8a7a8a;a?b3b1a?a<c0b9b5b2a;a9a5a0`=`;`;`?a7a7a4a1c:b;b1a?a;a8a5`?`:`7`6`8`?a1`?`c2b1a<a:a8a5a0`9`5`3`4`;`=`;`9o?c:b2a;a9a7a5a0`:`6`4`4`8`:`:o?
That is my fingerprint. Now I challenge you to reconstruct it into a valid and viable copy on another device and every time you place your finger it will read my name. This template cannot be reconstructed, PERIOD. It is a one way communication; you cannot simply edit this and presto every time you place your finger it will work on my name and so on. Furthermore, you cannot produce an image of my fingerprint from this source.
No. I would feel unsafe. However, I would be fine with exceptions to companies like Facebook, Twitter; companies that work with Apple.
You do know that your fingerprint data will not be shared with anybody or anything outside of the secure area on the specific iOS device, right?
This is just replacing the password prompt with TouchID prompt. Only iOS will be authorizing this, no other processes will see this. All they’ll see is a success message from iOS saying that the fingerprint matches and the app can proceed as if the user has been authorized.
This would not be any less secure than your typical password prompts in current app.
Facebook…really. You trust Facebook. God help us all.
Right…Not sure I agree or disagree with you that they shouldn’t allow an API, but the fact that someone thinks it’d be okay in limited capacity to people like Facebook is HALAROUS!! Literally lol’d when I saw the FB/Twitter comment.
HILARIOUS*!!
OK, don’t allow access to most developers; but companies like Facebook that have a history of blatantly ignoring user privacy and making money via marketing of user data is fine with you??? Would you like to purchase the Brooklyn Bridge? I can sell it to you at a great price!!!
Let’s be realistic. If Apple were to provide developer access; it would not be access to the actual biometric data. Supposedly, not even Apple has direct access to that information. It is encrypted on the device in such a manner that the only thing available even to the built-in Apple software is a confirmation of whether or not a fingerprint being currently scanned is a match to one stored in the sequestered hardware storage.
The API access that Apple would most likely provide would be the ability to call upon Apple’s built-in scan protocol (initiate a scan) and a boolean scan result. (Yes it is a match to a fingerprint registered on the device; or no, it is not)
Such simple API access would make applications such as 1Password far easier to use. Instead of having to type in my master password on my iPhone (Large hands make this far more difficult to perform on the iPhone keyboard than on my computer keyboard). It would also provide a desirable function if users could selectively lock-out access to specific applications without fingerprint or user unlock code input. You could let kids or friends borrow the iDevice briefly; knowing that private information stored in certain apps can not be accessed without your personal involvement.
You would seriously be ok with Facebook having access to your fingerprints because “Apple works with them”? A company that claims they own the rights to any image or post on their site….?! You are insane.
As another commenter alluded to, the authentication process itself would be a closed system. Absolutely NO 3rd parties should/would have access to authentication data beyond approval, disapproval and which finger provided the input. THAT is the ONLY data that should be exposed to any 3rd Parties ESPECIALLY PERSONAL DATA ABUSERS LIKE FACEBOOK.
you feel safe with facebook?
This has been the plan from development, so not sure why it’s a question.
The question is not too clear. It should not be opened to developers of course! It is kinda a privacy breach.
What privacy breach? Your fingerprint is never going to be shared with anybody, it’s never going to leave the secure area on the CPU itself inside your iOS device.
This is just replacing the password prompt with TouchID prompt, only iOS will be involved in the authorization process. The app itself will get “success”/“fail” messages from iOS. If it was successful, the app proceeds, and if not, it’ll fail and maybe revert to the password prompt.
Such is the same we’ve been told about Contact & Location data. Mistakes have been made in those areas. Prepared to gamble with your fingerprint data too?
@PMZanetti, It’s not the same as Contact & Location Data at all. Applications had access to contact and location data in clear text. Fingerprint authentication works in a completely different way: when a finger is scanned, the image gets ‘hashed’ and checked against a hashed value saved on the CPU, if they match the API returns YES, else it returns NO (there is no access to the actual fingerprint image whatsoever.) It’s exactly the same as entering your iTunes password: it gets encrypted/hashed locally, sent over the internet to Apple’s servers where it gets checked to see if it matches the one on record, then it returns YES or NO.
@towamp, be careful with the “exactly the same as iTunes”. TouchID is checked against the hashed value on the CPU only, it never leaves the CPU. In other words, no, TouchID is not transmitted over the Internet.
I think Apple should, but I find it quite interesting that hardly anyone is questioning Samsung’s implementation and how secure it is. After the 5S was announced there were all these stories questioning if it was secure, could it be hacked, etc. Had Apple opened up Touch ID to developers from day one the hysteria would have been 10x what it was. With the Galaxy S5 it’s crickets.
I think they’ll release more info in the coming weeks about how they’ll implement it.
“With the Galaxy S5 it’s crickets.”
In more ways than one…
Part of the problem there is people see the Samsung implementation and just ignore it because they think that it works like the Apple version. But this is a Google/Android device so you already know all that data will be sent to Google for “advertising” purposes.
Then once people realise that it’s not the same as Apple’s implementation a few will kick up a stink but most won’t say anything or shrug their shoulders with an “oh well, it’s too late now, we will stop them next time” attitude and just go about their day, complacent as ever.
The lack of a developer API was my single biggest disappointment with its introduction and I’ve stated so here several times.
I’m 99% certain we’ll see one this year. Just like we’ll see touch id on iPads.
Apple doesn’t release everything at once, they’ll add new features over time with new APIs.
That’s my main issue with Apple as of late. They release a gimped version of something and then a year later add a feature that everyone says should have been there in the first place. This incremental release stuff is nonsense.
I guess it’s an issue with tech in general lately, though.
Dude, most of the time, this is the right way to do development if you want to focus on stability firstmost.
Apple is not releasing a gimped version, they’re releasing the most basic implementation first, and then adding more over time in a process that doesn’t add bugs more than it adds features.
There’s nothing gimped about the 5S. I have no problem with Apple taking their time to make sure the implementation is just right.
I understand the viewpoint, but when it leaves a product without features that were ready and should have been there, it is a negative in many people’s eyes. The 5S is a great product, no doubt.
Wow, so what you want Apple to do is postpone the implementation of TouchID for 3-4 more years, just to make sure it comes with all the features?
Thank god Apple and the rest of the industry isn’t listening to you, because everything will move much slower with your ideals.
No, you don’t seem to understand and more explaining won’t help, apparently.
From the way iPhone development and advancements have gone, I’d hazard a guess that yes, that’s the plan, and that it wasn’t wide open from the get go to warm people up to the concept as well as to work out any issues with the system
No. I think Apple should keep it a secret. Why give shady devs the tools to figure out how to do bad things with it?
I don’t know what you’re thinking about, but this isn’t opening up the fingerprint data but the actual TouchID prompt itself.
Instead of the password prompt from the app, the app can ask iOS to bring up the TouchID prompt and confirm if the user is the owner of the device. The app only sees “success”/“fail” message from iOS.
In other words, the developers are not going to see any of your private data, only messages from iOS.
Just like the apps don’t know about your AppleID account nor the credit card information when you do the In-App payments for the app.
@mikhailt: Well said.
We have an iOS app that is used by drivers for paratransit (elderly and disabled). Often the riders have to sign on the device to show that they took the trip. This can be a potentially embarrassing scenario for somebody to handle an iPad with diminished hand control due to an illness or weakness due to a treatment like chemo or dialysis. If they could just touch the fingerprint sensor to prove ridership and we could look that up against a database, it would be an easier process for the rider.
If I understand you correctly, you’re unlikely to get a solution from Apple for that scenario: It would involve giving access to fingerprint data to a third party.
ALL THE PAYMENTS THROUGH iTunes ACCOUNT, operated with touch id.
The answer here shows specifically the problem with Apple opening TouchID to 3rd party devs. It’s not so much the act of doing it but the perception of the general public about how their fingerprint could be used. It was hard enough when it wasn’t opened up to 3rd party devs and some posts came out saying how the TouchID could be spoofed without thoroughly explaining the hard work that would be needed in order to do it. Apple would either need to explain to general users that the apps wouldn’t have the fingerprint data but just get a yes or no answer. Samsung and other manufacturers fly by the seat of their pants and they will make it available to whomever. I just wonder why it’s not as big a deal as it would be if Apple announced that they were doing it?
Great comment. People also don’t realize (because they haven’t been educated properly and are easily fooled by folks with agendas) that all that hard work to pull the print and spoof TouchID was also done in a completely unrealistic laboratory type scenario…they cleaned the sensor, made one single perfect print, and then lifted it carefully and proceeded with further work. In real life, the real world, this will never ever happen because no one cleans their home button after every single press, LOL. So after normal use, the home button is covered with a complete mess of multiple fingerprints (even if the same, but from slightly different angles and positions) that makes it impossible to lift a print, period. Let me be very clear to anyone reading this –> You cannot lift a clean fingerprint from the iPhone’s home button because it’s been pressed numerous times and has numerous overlapping instances of the person’s fingerprint(s) which makes it impossible to lift a single print, which is what is required to spoof anything.
On to Samsung… People are probably not going to interrogate them as much as Apple over the fingerprint authentication because the idea of fingerprint security on a phone is already done in a massive way thanks to the iPhone 5S, so people are just used to it now and will assume it’s safe and works “somehow”. Apple got so much flak over it because they were the first to do it on such a large scale (no one remembers the Motorola Atrix which sold a tiny fraction of the iPhone 5S). So Samsung will get a pass most likely because it’s riding Apple’s coattails on the fingerprint scanning thing. With them only how the data is stored is an issue, it would be inherently impossible to lift a print since their implementation is swipe. Swiping your fingerprint won’t be nearly as reliable and also fairly impossible one handed, so Apple’s implementation is of course much better, but Samsung’s method will avoid the hacker’s attempts to lift prints by design. Sadly, the first part of my comment is what people don’t understand so I fear all the ignorance out there about how these things get used will create the false impression that Samsung’s method is safer since a print can’t be lifted (even though as I explained, a print cannot be lifted from the iPhone’s home button either because in real life, there is not a single clean print on there).
I think that is where things are heading to because it will be a one factor authentication yes/no which custom apps can utilise right?
Apple’s walled garden approach to an OS and app development would also indicate they wouldn’t open up the fingerprint reader completely to devs like myself.
However, what they might do is expose a simple API for devs to use, such as a simple function call to the OS to verify the user’s identity (in a similar way to how apps need to get authorization from the user to use GPS, get access to the contacts list, etc), the return value from this function would be a straightforward boolean, confirming that the current user is the owner of the phone.
A function like this would enable apps to secure their apps by only allowing them to be used if the user’s identity was verified. I could also see this being used to accelerate payments done via PayPal and similar apps, though there would be other security implications that would come from authorizing payments using such a simple API.
Personally I’d love to have access to a function like the one described. It would massively improve the user experience IMO.
I think it’s a non-issue – it doesn’t work well enough to matter. I clear and configure new fingerprints and they work 50% of the time for a week or so, then they never work until I bother to reset them. It’s an “anti-feature”.
Try setting the same finger for multiple slots. That increased the accuracy for me, now it works 9/10 times (before it was something like 7/10)
With rather strict guidelines, yeah
Apple should NOT allow access to the sensor. It should NOT allow access to fingerprint data, but it SHOULD provide a simple success/fail API to allow apps to auth against the sandboxed fingerprint data via iOS.
That way there’s no opportunity for abuse, and apps can still avoid password entry. Really no other kind of access is required.
yea. That makes sense to me.
People should keep in mind that fingerprints should only be used for trivial authentication needs local to the device itself. Anything traversing a network should require a password as well.
Why? Because unlike passwords, fingerprints can’t be changed if compromised, and they’re fairly easily collected.
Right so let’s say there is a bank app, Chase for example. I don’t think the password is stored local so it needs to be typed and sent over network each time. But what if the password gets saved to device like how keychain access saves passwords on a mac and then touch id is used as a way to authenticate autofill for the last saved password. You could still change your password, but if you try to use touch id after it has been changed it could come up with a prompt to update the stored password. The situation being that if you did lose your device and were concerned someone could possibly lift your fingerprint you could change the password and your bank account would be safe. I’d be down.
As a developer: Yes and No. Yes I want users to be able to authenticate themselves and to be able to check that authentication via the SDK. No I don’t want my or any other app constantly demanding users touch the fingerprint sensor.
What? Why would it constantly be demanding it? It would only be an option for any case where the user needed to input a password before. Like how when the user is asked for a password to buy an app from the App Store the password text field comes up but they could use touch id instead.
Because every single app that supported it would demand a swipe. Each would be implemented differently. It would also depend on the current design of the fingerprint biometric identification. Would it not be better if Apple provided an SDK that would verify the users’ identity via the existing key chain and keep the actual implementation and hardware details away from the app developer? This way they are free to add retina scanning or change the way the fingerprint sensor works and our apps would keep running and not pester the user every time they switch apps.
The hardware Apple should provide access to is WiFi. WiFi was created for the public to use so why does Apple not provide an SDK for it? Android has a WiFi SDK. That means that many apps can never be ported to iOS because it lacks the basic ability for apps to communicate via WiFi. Apple has a very nice Bluetooth SDK so I have no idea why they ruled out WiFi communications.
Apple should open Siri API at first.
It really limits the potential of the hardware if it can only be used for first-party apps. I’m sure there’s a way Apple can still maintain a high level of security while still allowing developers to use its functionality.
Here’s my two cents:
Yes Apple should open it up to devs, but be EXTREMELY careful about it. I would never even dream of using it unless they can confirm three things:
1) The data of my fingerprint will not be synced through iCloud. I see the iCloud symbol up there as the icon for enabling the ability to developers, however I feel as though that makes the data of the fingerprint way too vulnerable
2) The app will not, absolutely WILL NOT be able to directly read fingerprints. It will say “iOS, does the fingerprint scanned match one of the five fingerprints the user has scanned for use? Yes/No?”. Either that, or it will say “These are the names of the five fingerprints you have scanned. I only know their names, nothing else. Please select the ones you want to be able to activate my options (so that friends or family can unlock my phone but not withdraw money from my account)”.
3) The data is, absolutely, 100%, beyond a shadow of a doubt impenetrably sealed from any API, coding, or any aspect of programming available on a non-jailbroken (or even jailbroken) iPhone. Apple has done a good job of putting the consumers before business, and this would be a great option to do it. No matter at what cost it comes to as developers, an encrypted section of the system that is closed off to third parties should be the only section of the phone to access the actual data of the scanned fingerprint from now until the day the scanner is obsolete.
Have no fear, this is already how Apple implements TouchID within iOS. There is no place that fingerprint data is stored. The scan is hashed inside the TouchID sensor itself, and that data is then stored inside an enclave in the A7 CPU which has zero access to the outside world. All iOS can ever provide, by current (and of course future) design is the YES or NO you are mentioning. So an API for 3rd party apps could only have a single return variable of TRUE or FALSE, that’s it. It would never work any other way unless Apple purposefully made it work differently which they obviously would not. So nothing on the phone even has a direct image of your print stored anywhere.
Not yet. They should endeavor to produce more and more hack-proof finger sensors and integrate them with face cam recognition with proprietary software.
I don’t see the problem with Apple opening up “access” to their fingerprint sensor since not even Apple itself stores the print data. Your fingerprint lives encrypted in your device’s processor so there is nothing for Apple to “give away” beyond a “yes” or “no” access type. I suppose people who are freaking out about it simply do not understand that there is nothing to steal or to hack into, you either get more features or you don’t, there are a total of 0 security compromises in between.
ROFL…see how easy tyranny becomes mainstay. Hilarious. “I mean, why not??!?!?”
I’m just wondering what the big deal is with this… So what if they have access to your fingerprint data..what can they do with it apart from making silicon fingertips like in the movies. The iPhone location service is far more intrusive if you ask me…it knows where you are and where you’ve been. Anybody can get your fingerprints..they just have to follow you around for a few minutes and as soon as you touch something voila…fresh fingerprints for the picking. Unless they find a way to reverse-engineer the fingerprint data to then re-send the data to the sensor making it believe you just entered your fingerprint then I don’t see where the problem is.
To get a yes or no from the API, would Apple actually have to open up the fingerprint data to developers? I’m concerned from a security stand point. How easy would it be to slip a bit of code into an app that redirects your fingerprint data??
Isn’t this why Apple will have their own money service like PayPal? So Apple will have details for your cards and then use touch ID instead of a password :) so if you want to buy something off Amazon’s iPhone app, it will use your Apple ID which is linked to your touch ID. So I think Apple will open it but they will have control and have their own service like PayPal.
I just wish I never have to type in a password for touch id purchases. (i.e. after you restart the phone, seems counterproductive since after you restart the phone you have to input passcode to use touch id for the phone itself, should that be protection enough for app store purchase???)
shouldn’t*
For sure no, after so many cases that developers were doing some sh*t with our contacts and personal data, if we hand over our fingerprint to them, it means death of our life, I simply don’t trust this much.
Yes, Apple should allow apps to request for a scan and know whether this was successful.
Developers shouldn’t get any more access than that, though.
One other thing I’d love to see implemented… and should be relatively easy, depending on how the “ring” is scanned (electrically)… would be to allow users to change applications by swiping on the home button left and right.
The current double-tap solution is a bit clunky and slow. If the “ring” could detect swipes, it’d be very cunning.
NO!! This doesn’t benefit anyone except iPhone gets hacked!
No. The reason is because people can find or otherwise exploit the source to override its need to have the actual initial fingerprints. Let it be closed source. I was all out for making iOS open source but considering the fact that even if it is not open source there are possibly larger flaws in it, it’s for the well being of the users for it to be closed source. Take the recent SSL flaw for example. Not only iOS 7.0.4-5 but also 6.1.3-5 were infected and Apple had to release a new update which obviously had the fix.
Take a note that they could have released a jailbreak patch in that update but they know that there are too many users using jb and releasing an update to a rather old firmware isn’t too smart.
Nay!
Apple should get rid of this biometric altogether — I do not and never plan to use it…
There are so many here that evidently haven’t read the white paper, or anything that has been said about how the Touch ID sensor and accompanying private area on the chip works. Yes it should be opened up as there’s no risk of your fingerprint going missing. As Apple isn’t even able to retrieve your fingerprint, a third party developer most certainly won’t be able to and I would be amused to see them attempt it. Just open up an API to authenticate with a simple ‘YES’ or ‘NO’ and you’re done. I’d very much like to do my banking by Touch ID.