Apple Pay on the wrist: How Apple’s watch gets around the ID problem

Apple gave only a fleeting demo of how contactless payments would work on its new Apple Watch at its Spring Forward event on Monday, but it was an impressive one. You select a card from Passbook in the watch interface and then tap the wearable device against the payment terminal or wave it over the terminal and, presto, your credit card is charged. The watch emits a tone and a vibration to show the transaction has gone through.

Furthermore, according to reports from the event, Apple Pay doesn’t always need to be manually activated in the watch. If you move your hand close to a near-field communications (NFC) based terminal, the app will immediately become active and use your primary credit card for payment — most likely the terminal’s NFC radio “wakes up” the NFC chip along with the Pay app in the Watch.

There also doesn’t seem to be any passcode or other ID authentication necessary. Most retailers will ask for a signature if the purchase is over $20 or $25 (after the EMV transition this year, many will start asking for PIN codes), but Apple seems to be removing every other barrier possible to simple tap-and-go payments in its new wearable device.

But how does Apple do this without compromising security? Rather ingeniously, actually. The Apple Watch appears to use its other sensors to make an indirect ID. Last week at Oracle Arena, Apple head of internet software services Eddy Cue explained that the watch senses when you put it on and then asks for authentication, which you can give by supplying a fingerprint on the iPhone 6 or 6 Plus. If you’re using an iPhone 5 or 5s, which don’t support Apple Pay directly, you can enter a PIN code in the phone’s app or on the watch itself.

After that, as long as the Apple Watch is clamped to your wrist, your authentication is valid in Apple Pay. But as soon as the watch detects that you’ve removed it, Apple Pay locks up, requiring you to re-authenticate to re-activate it.

This means you won’t be handing your wristwatch to your waiter to pay your check, but most people probably don’t want to see their new $350-plus fashion accessory disappear behind the bar anyway. Short of a desperate criminal cutting off your hand at the forearm, it’s a pretty foolproof system: Apple Pay is active when the watch is on your wrist, and it’s nullified when the watch comes off.

What’s particularly interesting to think about is how this kind of variable authentication might be used to validate different types of transactions in the future. Anyone who has ever shopped with a piece of plastic knows that different levels of security come into play depending on what and where you’re buying. For instance, self-service gas stations typically ask for your zip code at the pump. Signature requirements kick in at a grocery store if you rack up a high enough bill. And if you’re making a big dollar-amount purchase, a clerk will often ask to see a picture ID.