Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Now Pay combined with Watch raises a question

iFanaddic

iFanaddic

macrumors 6502a
Original poster
Sep 24, 2008
839
302
Montréal, Canada
I thought  Pay was safe due to its close integration with touchID. Now if you can pay with using only the  Watch it kind of defeats the whole security purpose? I'm sure Apple won't make you get the iphone out, unlock with touchID, only to put it back in your pocket and pay with your watch. It makes no sense...?

Could the crown be a touchID as well? What's the deal here?
 
I read somewhere today that you will pair the watch with your phone, just like you would any Bluetooth device; and as long as the watch remains in contact with your skin it remains authenticated for use with Apple Pay. As soon as it breaks contact you would have to pair it again.
 
iFanaddic said:
I thought  Pay was safe due to its close integration with touchID. Now if you can pay with using only the  Watch it kind of defeats the whole security purpose? I'm sure Apple won't make you get the iphone out, unlock with touchID, only to put it back in your pocket and pay with your watch. It makes no sense...?

Could the crown be a touchID as well? What's the deal here?
Click to expand...

With iPhone 6: Pull your iPhone out of your pocket, hold it up to the scanner, then hit the TouchID button on your phone to confirm.

With iPhone 5S+watch: Pull your iPhone out of your pocket, hold your watch up to the scanner, then hit the TouchID button on your phone to confirm.

If you keep your phone in your left pocket and wear your watch on your left hand, it's nearly the same thing as using an iPhone 6.
 
Thud71 said:
I read somewhere today that you will pair the watch with your phone, just like you would any Bluetooth device; and as long as the watch remains in contact with your skin it remains authenticated for use with Apple Pay. As soon as it breaks contact you would have to pair it again.
Click to expand...



that would make a lot of sense, ID'd once and good to go.

Any source?

----------
CausticPuppy said:
With iPhone 6: Pull your iPhone out of your pocket, hold it up to the scanner, then hit the TouchID button on your phone to confirm.

With iPhone 5S+watch: Pull your iPhone out of your pocket, hold your watch up to the scanner, then hit the TouchID button on your phone to confirm.
.
Click to expand...

Doubt it.

Apple said you could pay with the watch, but a combination of watch & phone. Thats just not what apple does, maybe for the 5s since it doesnt have NFC but 6 users will not have to take their phones out.
 
Thud71 said:
I read somewhere today that you will pair the watch with your phone, just like you would any Bluetooth device; and as long as the watch remains in contact with your skin it remains authenticated for use with Apple Pay. As soon as it breaks contact you would have to pair it again.
Click to expand...

I hope that's true. I was wondering how that would work.
 
It's possible that it uses sensors to know who is wearing it. Of course you could steal money by grabbing someone's arm and holding it up to the sensor. Here's an unreleased apple watch ad. "Reinventing pick pocketing early 2015" just kidding
 
My guess is that you need to have your iPhone 6 on your person. What's the chance of your phone AND watch being lost/stolen?
 
Just for perspective: a thief just needs the 23 numbers & name off your credit card, easily done with a camera, to violate your CC security.
 
Rene Ritchie answered this question in a tweet today.

"Passcode to authorize when you put it on, valid until it breaks skin contact."

Makes perfect sense.
 
iFanaddic said:
I thought  Pay was safe due to its close integration with touchID. Now if you can pay with using only the  Watch it kind of defeats the whole security purpose? I'm sure Apple won't make you get the iphone out, unlock with touchID, only to put it back in your pocket and pay with your watch. It makes no sense...?

Could the crown be a touchID as well? What's the deal here?
Click to expand...

Your heartbeat has a signature beat to it, which authenticates you as the user (along with your phone being located very close by via BT). In other words, if someone else took your watch and wore it, they would not be able to pay for things.

I guarantee this patent plays a role: http://www.patentlyapple.com/patent...nt-leap-in-biometrics-with-heart-sensors.html

6a0120a5580826970c0133ed51afba970b-800wi
 
phr0ze said:
It already monitors your pulse. That same sensor is used to know if the watch is removed.
Click to expand...

Correct. The downside is that will use a bit more battery to constantly check to see if it's been removed. Depends on how often it does so.

NT1440 said:
Your heartbeat has a signature beat to it,...
(snip)

I guarantee this patent plays a role:
Click to expand...

Not on the Apple Watch, unless it has external electrodes we don't know about.

You see, LED blood pulse monitors on extremities, such as current smartwatches such as Apple's have, are not useful for authentication.

What that patent is about, is reading the heart's ELECTRICAL signals. Those have been proven to be unique enough to use for authentication.

Totally different things. Pulses don't follow heartbeats exactly, or even necessarily closely.
 
Here's my question: Part of what makes Apple Pay so attractive to security minded people is that your payment information is all kept on the secure element of the phone. Does the watch also have a secure element, or is it just pulling data from your phone's secure element and passing it along to the NFC reader?
 
Supermallet said:
Here's my question: Part of what makes Apple Pay so attractive to security minded people is that your payment information is all kept on the secure element of the phone. Does the watch also have a secure element, or is it just pulling data from your phone's secure element and passing it along to the NFC reader?
Click to expand...

Good question, I hope it does have it's own secure element, but I think it will just get it from the phone. My success rate of Bluetooth with airdrop is touchy at best, makes me wonder how upsetting it will be when it fails to pair when I want to buy something. If after a few seconds it fails to pair and you have to pull out your phone, that will certainly be a super fail.

The one thing I like is all your information safe, not just :apple:Pay, so as soon as it's off your wrist you would need to use your phones touch ID or passcode to have the watch work again.

So a person takes your watch has nothing, it's locked.
 
You shouldn't have pairing problems at the register unless you're turning off either the watch or the phone and then pairing them again when you get to the register. Otherwise you just pair when you put the watch on and leave it paired throughout the day.

The thing that has me wondering about the secure element is that I recall reading somewhere that the watch can do Apple Pay without being connected to a phone. If that's the case, it better have a secure element otherwise I'm not interested in using it.
 
Supermallet said:
The thing that has me wondering about the secure element is that I recall reading somewhere that the watch can do Apple Pay without being connected to a phone. If that's the case, it better have a secure element otherwise I'm not interested in using it.
Click to expand...

Why not? :)

We use credit cards every day with little or no security (at least, in the US).

The watch is already more secure than that, because it requires a PIN to authorize it each time we put it on. That's logically the same as requiring a PIN each time it's used. If someone steals it off our wrist, it's de-activated for payment.

--

That said..

The watch could either act as a dumb communications intermediary, or handle the NFC transaction locally.

If it just passes info back and forth from the phone, then it needs no Secure Element.

However, the watch very likely handles things locally, simply because entire tap transactions have time limits as low as 150ms, and we wouldn't want things to get screwed up waiting to talk to the mother phone. So it would have a copy of our info... or more likely, a time-limited copy.

If it does handle it all locally, then it'll need a Secure Element not so much for the info itself, which should be pretty safe from sandboxed third party apps (unless someone figures out a way to jailbreak the watch), but more so that it can run its own local copy of each of the card scheme specific payment apps.

Which brings up again the whole topic of who provisions the MC/ Visa/ Amex/ etc apps in the SEs. Normally this is done via a link of backend providers and trusted service managers like First Data. Doesn't the watch have WiFi? Maybe it can access updates on its own?
 
kdarling said:
Correct. The downside is that will use a bit more battery to constantly check to see if it's been removed. Depends on how often it does so.
Click to expand...

Knowing Apple, the amount of power needed for detecting removal will not be the same for reading the pulse. Similar to how the new iphone 6 has two motion sensors for lower power motion tracking.
 
gooberwilson said:
Rene Ritchie answered this question in a tweet today.

"Passcode to authorize when you put it on, valid until it breaks skin contact."

Makes perfect sense.
Click to expand...

I think that's a great option/fallback. But I think it would be even better to authenticate the watch whenever you use Touch ID on a bluetooth paired iPhone (5S or 6). Then as long as the iPhone remains paired and the watch maintains skin contact, then apple pay should work automatically. I don't necesarily want to type a pin into my watch every day, but I'll be using touch ID all the time. It would make the authentication process completely invisible
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back