TouchID – Out Of the Phone And Into The Cloud

TouchID isn’t new – in fact it was first launched in September of 2013 as “an innovative way to simply and securely unlock your phone with just the touch of a finger.” A year later, it was part of the magic of Apple Pay. And yesterday (Jan. 15), we were given a look at a new innovation that could usher in the next generation of Apple Pay – the iCloud-based TouchID.

This patent takes fingerprints out of the phone and into the cloud, literally. The patent filing describes a scenario that, among other things, allows a customer to use Apple Pay at a merchant’s Touch ID-equipped point-of-sale terminal with just her fingerprint and PIN, but without the smartphone being present.

The application describes a system for using Touch ID to verify payments and authenticate users remotely, was only published by the U.S. Patent and Trademark Office Jan. 15, but was filed in July 2013, two months before Apple announced Touch ID. The application requests a patent for a “Finger biometric sensor data synchronization via a cloud computing device and related methods.”

The application describes a variety of ways that an iPhone or iPad user’s fingerprint that has been collected for Touch ID authentication could be used between devices, sending information through a network or local wireless link or storing it in Apple’s iCloud.

One way would involve collecting a fingerprint on a Touch ID device and then uploading it to iCloud, where it could be stored for configuring other devices. (For security, the fingerprint data would be commingled with an Apple ID or PIN.)

Alternatively, two devices could connect and transfer encrypted biometric data over a local wireless such as NFC or Bluetooth, which would avoid sending the data across public networks, which is banned by some governmental restrictions.

The user would have to validate her Apple ID before registering fingerprints, just as seen in a pass code. Once registered, the data is encrypted and sent to the cloud. To use a fingerprint on another device, the user would just have to verify them with the fingerprints verified on the initial device. No matter what device was being used, if the fingerprints match, the user would be ready to use Apple Pay.

Taking it a step further, the second device envisioned in this scenario could be an Apple Pay enabled POS system, one that you would use to buy items via Apple Pay. The POS would have a fingerprint sensor that a user would tap to validate the “to be matched” set of fingerprints.

The application also describes using a merchant’s Touch ID-equipped point-of-sale device for an iPhone-not-present Apple Pay transaction. The POS terminal would collect a customer’s fingerprint, encrypt the biometric data and PIN and send them via iCloud to the customer’s iPhone, where it would be compared with the original Touch ID fingerprint data. The customer’s phone would then send confirmation back to the POS terminal for the transaction to proceed.

The application says the fingerprint comparison could also be made in the cloud or even within the POS terminal, though both those would run contrary to Apple’s claim that Touch ID data stored in an iPhone and would never leave the device. However, the application was filed before Apple Pay’s scheme was likely fully developed.

Some have questioned whether Apple would actually use this approach, given the number of potential security issues it raises, including the fact that even if a customer’s original Touch ID biometric data remained safe on the iPhone, a matching fingerprint captured at the merchant’s POS would still be sent across the network.

And while the prospect of cyberthieves decrypting that data might be even less likely than cyberthieves spoofing Apple Pay tokens to make fraudulent purchases, practical fraud might be as simple as lifting a copy of the customer’s fingerprint and stealing the PIN, since the iPhone itself would no longer need to be present for a transaction.

Apple isn’t the only technology leader that’s introduced fingerprint sensors. Some Samsung model phones have a fingerprint reader which, just like Touch ID, can register a fingerprint. But to use the scanner, users slide a finger across the screen and cannot tap or touch the scanner like Apple’s technology. Samsung discovered that its technology wasn’t foolproof, as it was reportedly hacked with wood glue within a week of release. Samsung followed up that glitch by filing patents that imply it’s investigating a much more complex use of fingerprinting technology. Recent reports show that Apple may face the same issues as a hacker demonstrated how an image of a fingerprint, along with some software could break through the iPhone 6’s Touch ID.

That said, those security issues shouldn’t necessarily raise a ton of red flags, many tech experts have suggested, stating that “perfect security” does not exist and that fingerprints can be more secure than PIN codes, even if they are not always reliable. One of the biggest criticisms of Touch ID and fingerprint sensors is not the risk of being hacked, but the fact that they don’t always work 100 percent of the time.

Consumers may not have their finger on the concept of paying with their smartphones in stores quite yet, but that isn’t stopping Apple from refining the user experience so that it is safe, easy and one that consumers willingly embrace and use.