
The good thing about the App Store password timing out after 15 minutes is that you can hand your child the iPad/iPhone/etc. and not get a surprise $5,000 iTunes bill.


That's an edge case, though. Why not make it a configurable option?


This is definitely not an edge case. How many kids do you see at the grocery store with their noses in an iPhone while their parent(s) shop?

That said, it would be nice to have the option of telling the app to cache your credentials.


Edge case was perhaps the wrong term. It certainly is not a majority case. As I said: make it an option, everyone is happy.


Not the person who turns on the option to make their life easier and then complains because their kid spent $400.


?! Are you suggesting that everyone should be denied the choice because some people are unable to make informed decisions?


This is confusing authentication and authorization. Is this phone legitimately tied to this Apple ID? Yes. Is the owner of the account authorized to make such a purchase? No.

A short App Store PIN could solve this much more easily.


I'm not so sure having _yet another_ PIN for users to remember would be a good idea. And besides, a short PIN would be far easier to deduce by looking over a person's shoulder.


It is a configurable option (Settings -> General -> Restrictions)


Yeah, it's configurable between "Demand my password again if 15 minutes has passed" and "Demand my password again immediately." You can tell you're going in the wrong direction when you first have to "enable restrictions" hoping to relax the restriction. I take it you've never actually tried to configure this option.


Holy not an edge case Batman! That is most definitely a very common reason to time out the password...


Oh my god that is so not an edge case.


How about using a fingerprint scanner for authentication? Or face recognition using the front-facing camera? It's 2012 after all.


The Samsung Galaxy S3 has face recognition. It can be unlocked using a photo of the user. Google Images search, point cam at laptop, bingo you're in.


They "fixed" this in Jelly Bean.


Too many false positives.

Now, an SD card with a certificate plus face recognition might be ok ;-)


Why an SD card? The phone itself is already a portable device you control.


It depends on the app but at least in the areas I work (business apps relating to tracking money) I wouldn't assume that device authentication is sufficient.

But for biometrics, keep in mind that biometric systems are currently seen as the most subject to false positives of any authentication system out there with the possible exception of improperly maintained and insufficiently strong passwords.



