Ars Technica On Touch ID's Security Implications

11 September 2013

Ars Technica:

The other potential security drawback of Touch ID stems from its ability to be used to approve purchases from the iTunes, App, and iBooks stores. If Apple is right that fingerprints never leave the device, that means the new iPhones will be sending some sort of authentication token to Apple servers to verify that the end user has produced a valid print. This arrangement leaves some security experts uncomfortable. If attackers figure out a way to capture and replay users’ valid tokens, it could lead to new ways for criminals to hijack user accounts.

I don’t think this is accurate. The resultant server traffic will be the same as if you had typed in your password.

iOS substitutes your fingerprint for your password locally and then continues doing its normal authentication procedure, whatever that entails. Additional authentication tokens aren’t necessary.