This is confusing authentication and authorization. Is this phone legitimately tied to this Apple ID? Yes. Is the owner of the account authorized to make such a purchase? No.
A short appstore PIN could solve this much more easily.
I'm not so sure having _yet another_ PIN for users to remember would be a good idea. And besides, a short PIN would be far easier to deduce by looking over a person's shoulder.
That said, it would be nice to have the option of telling the app to cache your credentials.