Apple today won a patent describing iCloud-based fingerprint storage and seamless cross-device syncing (via AppleInsider). While it may sound great to skip the Touch ID setup process (you save 20–30 seconds), the problem with this patent is that it undermines the company’s earlier claims about Touch ID and the security measures it took to protect your sensitive data.
When it introduced the fingerprint sensor branded as Touch ID with the iPhone 5s, Apple said: Touch ID doesn’t store any images of your fingerprint; iOS and apps never access your fingerprint data; it’s never stored on Apple’s servers; and it’s never backed up to iCloud or anywhere else. Only Touch ID uses it, and it can’t be used to match against other fingerprint databases.
As described in the patent for “Fingerprint biometric sensor data synchronization via cloud computing device and related methods”, iOS may instruct the owner to validate their Apple ID account information before enrolling a fingerprint using Touch ID. When ready, the gathered data is encrypted and uploaded to iCloud.
In other words, your fingerprint will be stored under your Apple ID and will be associated with all the data you share with Apple by creating an Apple ID.
Why would you do that? Apple says:
Applied to a real life scenario, the patent describes an interesting use case involving mobile-based purchases much like the touchless Apple Pay digital wallet found in the iPhone 6 and 6 Plus. In this scenario, the second device in the system would be a point of sale terminal equipped with a touchscreen, speaker and fingerprint sensor. A user’s biometric data is sensed and matched in a process similar to previously discussed embodiments, then used to validate a purchase.[…] As noted, the POS terminal may not need to download a user’s actual fingerprint, instead sending its own to-be matched biometric data to iCloud or a user’s iPhone for processing.
In the light of recent iCloud hacks, the iCloud-based Touch ID verification system doesn’t look too good. I hope Apple reconsiders implementing it.
The patent was first filed in July 2013 and credits AuthenTec’s CTO Greg Kerr as its inventor.