The U.S. Patent and Trademark Office on Thursday published an Apple patent application for an iCloud-based fingerprint storage and cross-device syncing solution, a system that could do away with manual Touch ID setup and power next-generation Apple Pay-enabled POS terminals.
As described in Apple's patent application for "Finger biometric sensor data synchronization via a cloud computing device and related methods," fingerprint data may be collected on a first primary device, then uploaded to iCloud for dissemination to secondary devices.
For safety reasons, the invention calls for a commingling of user fingerprint and account verification data, the latter consisting of a unique identifier like an Apple ID and passcode combination.
During initial iPhone setup, for example, iOS may instruct an owner to validate their Apple ID account information before enrolling a fingerprint via Touch ID. The gathered data is then encrypted and uploaded to iCloud. The process may be reversed depending on the implementation, but linking of biometric and account verification data is mandatory.
From there, iCloud can send user-specific data to a second iOS device, such as an iPad, to validate and execute various system operations. To make this work, Apple's system collects a "to-be matched" fingerprint from the second device's Touch ID module, as well as to-be matched account verification data. In one embodiment, downloading of the enrollment fingerprint is contingent on successfully matching both sets of data with the originals stored on iCloud.
Matching can take place on the original device, second device or in the cloud. Further, the first device may send a digital key to the second device for use in encrypting to-be matched data, which is then bounced back for processing.
Alternatively, two devices can connect and transfer biometric data over local wireless links, like NFC or Bluetooth, using the same key-based encryption. This method is more secure than using iCloud, the Internet and public wireless access points. Apple points out that ad-hoc connections also skirt governmental restrictions against sharing personal biometric data over shared computing networks.
Applied to a real life scenario, the patent describes an interesting use case involving mobile-based purchases much like the touchless Apple Pay digital wallet found in the iPhone 6 and 6 Plus. In this scenario, the second device in the system would be a point of sale terminal equipped with a touchscreen, speaker and fingerprint sensor.
A user's biometric data is sensed and matched in a process similar to previously discussed embodiments, then used to validate a purchase. The document failed to go into detail, but the method would presumably be triggered from a user device through NFC or other secure protocol. As noted, the POS terminal may not need to download a user's actual fingerprint, instead sending its own to-be matched biometric data to iCloud or a user's iPhone for processing.
While convenient, Apple is unlikely to employ such a system before figuring out security holes inherent in wireless computing and cloud storage services. The proposition of storing something as personal as a fingerprint in the cloud is still unnerving, and only made worse by recent high-profile hacks that included an iCloud security breach.
Apple's iCloud-based Touch ID verification system was first filed for in July 2013 and credits former AuthenTec CTO Greg Kerr as its inventor. Apple purchased AuthenTec in 2012 for $356 million, later branding the biometric security firm's technology as Touch ID in the iPhone 5s. Kerr left Apple in February 2013 after helping AuthenTec's engineering teams transition over.