Now Pay combined with Watch raises a question

iFanaddic

macrumors 6502a
Original poster
Sep 24, 2008
799
231
Montréal, Canada
I thought  Pay was safe due to its close integration with touchID. Now if you can pay with using only the  Watch it kind of defeats the whole security purpose? I'm sure Apple won't make you get the iphone out, unlock with touchID, only to put it back in your pocket and pay with your watch. It makes no sense...?

Could the crown be a touchID as well? What's the deal here?
 

Thud71

macrumors newbie
Sep 9, 2014
1
0
I read somewhere today that you will pair the watch with your phone, just like you would any Bluetooth device; and as long as the watch remains in contact with your skin it remains authenticated for use with Apple Pay. As soon as it breaks contact you would have to pair it again.
 

CausticPuppy

macrumors 65816
May 1, 2012
1,483
18
I thought  Pay was safe due to its close integration with touchID. Now if you can pay with using only the  Watch it kind of defeats the whole security purpose? I'm sure Apple won't make you get the iphone out, unlock with touchID, only to put it back in your pocket and pay with your watch. It makes no sense...?

Could the crown be a touchID as well? What's the deal here?
With iPhone 6: Pull your iPhone out of your pocket, hold it up to the scanner, then hit the TouchID button on your phone to confirm.

With iPhone 5S+watch: Pull your iPhone out of your pocket, hold your watch up to the scanner, then hit the TouchID button on your phone to confirm.

If you keep your phone in your left pocket and wear your watch on your left hand, it's nearly the same thing as using an iPhone 6.
 

iFanaddic

macrumors 6502a
Original poster
Sep 24, 2008
799
231
Montréal, Canada
I read somewhere today that you will pair the watch with your phone, just like you would any Bluetooth device; and as long as the watch remains in contact with your skin it remains authenticated for use with Apple Pay. As soon as it breaks contact you would have to pair it again.


that would make a lot of sense, ID'd once and good to go.

Any source?

----------

With iPhone 6: Pull your iPhone out of your pocket, hold it up to the scanner, then hit the TouchID button on your phone to confirm.

With iPhone 5S+watch: Pull your iPhone out of your pocket, hold your watch up to the scanner, then hit the TouchID button on your phone to confirm.
.
Doubt it.

Apple said you could pay with the watch, but a combination of watch & phone. Thats just not what apple does, maybe for the 5s since it doesnt have NFC but 6 users will not have to take their phones out.
 

douglasf13

macrumors 68000
Jul 2, 2010
1,601
782
I read somewhere today that you will pair the watch with your phone, just like you would any Bluetooth device; and as long as the watch remains in contact with your skin it remains authenticated for use with Apple Pay. As soon as it breaks contact you would have to pair it again.
I hope that's true. I was wondering how that would work.
 

Jacksonc

macrumors 6502
Dec 1, 2013
381
0
Jony's house
It's possible that it uses sensors to know who is wearing it. Of course you could steal money by grabbing someone's arm and holding it up to the sensor. Here's an unreleased apple watch ad. "Reinventing pick pocketing early 2015" just kidding
 

ilovemyibook

macrumors 6502
Mar 19, 2006
251
8
My guess is that you need to have your iPhone 6 on your person. What's the chance of your phone AND watch being lost/stolen?
 

ctdonath

macrumors 65816
Mar 11, 2009
1,499
482
Just for perspective: a thief just needs the 23 numbers & name off your credit card, easily done with a camera, to violate your CC security.
 

gooberwilson

macrumors regular
Jul 21, 2012
124
0
Canada
Rene Ritchie answered this question in a tweet today.

"Passcode to authorize when you put it on, valid until it breaks skin contact."

Makes perfect sense.
 

NT1440

macrumors G5
May 18, 2008
12,313
15,338
I thought  Pay was safe due to its close integration with touchID. Now if you can pay with using only the  Watch it kind of defeats the whole security purpose? I'm sure Apple won't make you get the iphone out, unlock with touchID, only to put it back in your pocket and pay with your watch. It makes no sense...?

Could the crown be a touchID as well? What's the deal here?
Your heartbeat has a signature beat to it, which authenticates you as the user (along with your phone being located very close by via BT). In other words, if someone else took your watch and wore it, they would not be able to pay for things.

I guarantee this patent plays a role: http://www.patentlyapple.com/patent...nt-leap-in-biometrics-with-heart-sensors.html

 

kdarling

macrumors P6
It already monitors your pulse. That same sensor is used to know if the watch is removed.
Correct. The downside is that will use a bit more battery to constantly check to see if it's been removed. Depends on how often it does so.

Your heartbeat has a signature beat to it,...
(snip)

I guarantee this patent plays a role:
Not on the Apple Watch, unless it has external electrodes we don't know about.

You see, LED blood pulse monitors on extremities, such as current smartwatches such as Apple's have, are not useful for authentication.

What that patent is about, is reading the heart's ELECTRICAL signals. Those have been proven to be unique enough to use for authentication.

Totally different things. Pulses don't follow heartbeats exactly, or even necessarily closely.
 

Supermallet

macrumors 65816
Sep 19, 2014
1,307
656
Here's my question: Part of what makes Apple Pay so attractive to security minded people is that your payment information is all kept on the secure element of the phone. Does the watch also have a secure element, or is it just pulling data from your phone's secure element and passing it along to the NFC reader?
 

betabeta

macrumors 6502a
Jun 28, 2013
868
146
Here's my question: Part of what makes Apple Pay so attractive to security minded people is that your payment information is all kept on the secure element of the phone. Does the watch also have a secure element, or is it just pulling data from your phone's secure element and passing it along to the NFC reader?
Good question, I hope it does have it's own secure element, but I think it will just get it from the phone. My success rate of Bluetooth with airdrop is touchy at best, makes me wonder how upsetting it will be when it fails to pair when I want to buy something. If after a few seconds it fails to pair and you have to pull out your phone, that will certainly be a super fail.

The one thing I like is all your information safe, not just :apple:Pay, so as soon as it's off your wrist you would need to use your phones touch ID or passcode to have the watch work again.

So a person takes your watch has nothing, it's locked.
 

Supermallet

macrumors 65816
Sep 19, 2014
1,307
656
You shouldn't have pairing problems at the register unless you're turning off either the watch or the phone and then pairing them again when you get to the register. Otherwise you just pair when you put the watch on and leave it paired throughout the day.

The thing that has me wondering about the secure element is that I recall reading somewhere that the watch can do Apple Pay without being connected to a phone. If that's the case, it better have a secure element otherwise I'm not interested in using it.
 

kdarling

macrumors P6
The thing that has me wondering about the secure element is that I recall reading somewhere that the watch can do Apple Pay without being connected to a phone. If that's the case, it better have a secure element otherwise I'm not interested in using it.
Why not? :)

We use credit cards every day with little or no security (at least, in the US).

The watch is already more secure than that, because it requires a PIN to authorize it each time we put it on. That's logically the same as requiring a PIN each time it's used. If someone steals it off our wrist, it's de-activated for payment.

--

That said..

The watch could either act as a dumb communications intermediary, or handle the NFC transaction locally.

If it just passes info back and forth from the phone, then it needs no Secure Element.

However, the watch very likely handles things locally, simply because entire tap transactions have time limits as low as 150ms, and we wouldn't want things to get screwed up waiting to talk to the mother phone. So it would have a copy of our info... or more likely, a time-limited copy.

If it does handle it all locally, then it'll need a Secure Element not so much for the info itself, which should be pretty safe from sandboxed third party apps (unless someone figures out a way to jailbreak the watch), but more so that it can run its own local copy of each of the card scheme specific payment apps.

Which brings up again the whole topic of who provisions the MC/ Visa/ Amex/ etc apps in the SEs. Normally this is done via a link of backend providers and trusted service managers like First Data. Doesn't the watch have WiFi? Maybe it can access updates on its own?
 

phr0ze

macrumors 6502a
Jun 14, 2012
513
0
Columbia, MD
Correct. The downside is that will use a bit more battery to constantly check to see if it's been removed. Depends on how often it does so.
Knowing Apple, the amount of power needed for detecting removal will not be the same for reading the pulse. Similar to how the new iphone 6 has two motion sensors for lower power motion tracking.
 
Rene Ritchie answered this question in a tweet today.

"Passcode to authorize when you put it on, valid until it breaks skin contact."

Makes perfect sense.
I think that's a great option/fallback. But I think it would be even better to authenticate the watch whenever you use Touch ID on a bluetooth paired iPhone (5S or 6). Then as long as the iPhone remains paired and the watch maintains skin contact, then apple pay should work automatically. I don't necesarily want to type a pin into my watch every day, but I'll be using touch ID all the time. It would make the authentication process completely invisible
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.