The U.S. Patent and Trademark Office on Thursday published an Apple patent application for an iCloud-based fingerprint storage and cross-device syncing solution, a system that could do away with manual Touch ID setup and power next-generation Apple Pay-enabled POS terminals.
As described in Apple's patent application for "Finger biometric sensor data synchronization via a cloud computing device and related methods," fingerprint data may be collected on a first primary device, then uploaded to iCloud for dissemination to secondary devices.
For safety reasons, the invention calls for a commingling of user fingerprint and account verification data, the latter consisting of a unique identifier like an Apple ID and passcode combination.
During initial iPhone setup, for example, iOS may instruct an owner to validate their Apple ID account information before enrolling a fingerprint via Touch ID. The gathered data is then encrypted and uploaded to iCloud. The process may be reversed depending on the implementation, but linking of biometric and account verification data is mandatory.
From there, iCloud can send user-specific data to a second iOS device, such as an iPad, to validate and execute various system operations. To make this work, Apple's system collects a "to-be matched" fingerprint from the second device's Touch ID module, as well as to-be matched account verification data. In one embodiment, downloading of the enrollment fingerprint is contingent on successfully matching both sets of data with the originals stored on iCloud.
Matching can take place on the original device, second device or in the cloud. Further, the first device may send a digital key to the second device for use in encrypting to-be matched data, which is then bounced back for processing.
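The gate described above, where the enrollment fingerprint is released only if both the to-be matched fingerprint and the to-be matched account verification data agree with the stored originals, is shown here for the cloud-matching embodiment as an added example (not code from the patent application or from Apple). `CloudStore`, the bit-similarity matcher, the 0.90 threshold and the PBKDF2 verifier are hypothetical stand-ins, and the encryption of the template that the application describes is left out.

```python
import hashlib
import hmac
import os

MATCH_THRESHOLD = 0.90  # assumed cut-off; the article gives no figure

def derive_verifier(passcode: str, salt: bytes) -> bytes:
    # Salted, slow hash so the store never keeps the passcode itself.
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 100_000)

def similarity(a: bytes, b: bytes) -> float:
    # Toy matcher: fraction of equal bits between same-length templates.
    if len(a) != len(b):
        return 0.0
    differing = sum(bin(x ^ y).count("1") for x, y in zip(a, b))
    return 1.0 - differing / (8 * len(a))

class CloudStore:
    """Hypothetical stand-in for the cloud side; not an Apple API."""
    def __init__(self):
        self._records = {}

    def enroll(self, account_id, passcode, template):
        salt = os.urandom(16)
        self._records[account_id] = (salt, derive_verifier(passcode, salt), template)

    def request_template(self, account_id, passcode, candidate):
        """Return the enrollment template only if BOTH checks pass, else None."""
        record = self._records.get(account_id)
        if record is None:
            return None
        salt, verifier, template = record
        # Evaluate both factors, then give one uniform refusal so the caller
        # cannot learn which of the two failed.
        account_ok = hmac.compare_digest(verifier, derive_verifier(passcode, salt))
        finger_ok = similarity(template, candidate) >= MATCH_THRESHOLD
        return template if (account_ok and finger_ok) else None

def demo():
    # Constructed sample data: 32-byte toy templates and a made-up account.
    enrolled = bytes(range(32))
    noisy = bytes([enrolled[0] ^ 0x01]) + enrolled[1:]  # one bit of sensor noise
    other = bytes(255 - b for b in enrolled)            # a different finger
    cloud = CloudStore()
    cloud.enroll("user@example.com", "1234", enrolled)
    return (
        cloud.request_template("user@example.com", "1234", noisy),
        cloud.request_template("user@example.com", "1234", other),
        cloud.request_template("user@example.com", "0000", noisy),
    )
```

A real matcher compares minutiae features rather than raw bits, but the release condition is the same: a correct passcode with the wrong finger, or the right finger with a wrong passcode, yields nothing.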
Alternatively, two devices can connect and transfer biometric data over local wireless links, like NFC or Bluetooth, using the same key-based encryption. This method is more secure than using iCloud, the Internet and public wireless access points. Apple points out that ad-hoc connections also skirt governmental restrictions against sharing personal biometric data over shared computing networks.
Applied to a real-life scenario, the patent describes an interesting use case involving mobile-based purchases much like the touchless Apple Pay digital wallet found in the iPhone 6 and 6 Plus. In this scenario, the second device in the system would be a point of sale terminal equipped with a touchscreen, speaker and fingerprint sensor.
A user's biometric data is sensed and matched in a process similar to previously discussed embodiments, then used to validate a purchase. The document failed to go into detail, but the method would presumably be triggered from a user device through NFC or other secure protocol. As noted, the POS terminal may not need to download a user's actual fingerprint, instead sending its own to-be matched biometric data to iCloud or a user's iPhone for processing.
While convenient, Apple is unlikely to employ such a system before figuring out security holes inherent in wireless computing and cloud storage services. The proposition of storing something as personal as a fingerprint in the cloud is still unnerving, and only made worse by recent high-profile hacks that included an iCloud security breach.
Apple's patent application for an iCloud-based Touch ID verification system was first filed in July 2013 and credits former AuthenTec CTO Greg Kerr as its inventor. Apple purchased AuthenTec in 2012 for $356 million, later branding the biometric security firm's technology as Touch ID in the iPhone 5s. Kerr left Apple in February 2013 after helping AuthenTec's engineering teams transition over.
19 Comments
Cool. But I still prefer TouchID stored locally. Btw, the AuthenTec acquisition is the most important one in a decade. At $356 million, it's worth every penny. Until now, no competitor can even catch up with Apple on this.
This patent is scary in the sense that it would weaken the security of Touch ID. The US government would immediately force Apple to secretly share ALL biometric data with it. Apple would have to comply due to national security. The patent shows Apple would have the ability to decrypt biometric data using a key. Apple would know the iPhones and associated Apple ID accounts the biometric data belonged to. Apple would know the stuff it has repeatedly stated it did not want to know. Scary.
They should never create a single point of failure for hundreds of millions of people. The devices can easily be placed in close proximity so that data can be synced directly from one device to another. But the very idea that the data can be read and written externally is contrary to the whole point of the secure enclave. The data should go from the button to the enclave and that's it with no software reading it or writing it. It might be a pain to keep setting it up but that's the price of security and it only takes a few minutes tops anyway. Still far less than thinking up a password and having to enter it every time.
maybe they're patenting this so nobody will use it for evil, only good....?
/s
One thing for sure is AuthenTec was one of the best acquisitions Apple has ever made.