
Apple granted patent for iCloud-based fingerprint storage and cross-device synching


Apple recently announced that the U.S. Patent and Trademark Office has granted its patent application for an iCloud-based fingerprint storage and cross-device syncing solution, a system that could potentially eliminate manually setting up Touch ID and power next-generation Apple Pay-enabled POS terminals, according to a report by Apple Insider.

In the patent application, entitled “Finger biometric sensor data synchronization via a cloud computing device and related methods,” Apple details how fingerprint data may first be gathered on a primary device and uploaded to iCloud to distribute among secondary devices.

As a security measure, the process ties the user's fingerprint to account verification data, which consists of an Apple ID and password combination.

During the initial setup of an iPhone 5s or 6, iOS may prompt the user to validate their Apple ID account data before enrolling a fingerprint via Touch ID. It then encrypts and uploads the data to iCloud, a process that may be reversed depending on the implementation.

Once this is set up, iCloud can send user-specific information to a second iOS device to validate and perform different functions.

To ensure that this works, Apple’s system obtains a “to-be matched” fingerprint from the second device’s Touch ID module, along with to-be matched account verification data.

Users can download the enrollment fingerprint only if both sets of to-be-matched data successfully match and the originals are stored on iCloud. The matching can be executed on the original device, on the second device or in the cloud.
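The release condition described above can be modelled in a few lines. This is an added sketch, not code from the patent or from Apple: `CloudStore`, `similarity`, the bit-vector template, the 0.85 threshold and the PBKDF2 parameters are all assumptions, matching is placed in the cloud (one of the three placements mentioned), and encryption of the stored template is omitted.

```python
import hashlib
import hmac
import os

MATCH_THRESHOLD = 0.85  # assumed similarity cut-off, not taken from the patent

# Constructed sample templates (16-byte feature vectors, purely illustrative).
ENROLLED = bytes.fromhex("a3f1c25e9b7d0468e2135fa97c08d4b6")
# Same finger, noisy read: three bits differ from the enrolled template.
SAME_FINGER = bytes([ENROLLED[0] ^ 1, ENROLLED[1] ^ 2, ENROLLED[2] ^ 4]) + ENROLLED[3:]
# Different finger: half of all bits differ.
OTHER_FINGER = bytes(b ^ 0x5A for b in ENROLLED)


def _pw_hash(password: str, salt: bytes) -> bytes:
    # The account verification data is stored as a salted hash, never in clear.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def similarity(a: bytes, b: bytes) -> float:
    """Fraction of equal bits between two same-length feature vectors."""
    if len(a) != len(b) or not a:
        return 0.0
    differing = sum(bin(x ^ y).count("1") for x, y in zip(a, b))
    return 1.0 - differing / (8 * len(a))


class CloudStore:
    """Toy stand-in for the cloud side of the synchronization flow."""

    def __init__(self):
        self._accounts = {}

    def enroll(self, account_id: str, password: str, template: bytes) -> None:
        # Primary device: enrollment template uploaded with account data.
        salt = os.urandom(16)
        self._accounts[account_id] = (salt, _pw_hash(password, salt), template)

    def request_template(self, account_id: str, password: str, probe: bytes):
        # Second device: sends to-be-matched account data and fingerprint.
        record = self._accounts.get(account_id)
        if record is None:
            return None
        salt, stored_hash, template = record
        creds_ok = hmac.compare_digest(_pw_hash(password, salt), stored_hash)
        finger_ok = similarity(probe, template) >= MATCH_THRESHOLD
        # Release only when BOTH checks pass (conjunction, not either/or).
        return template if (creds_ok and finger_ok) else None
```

A valid password alone, or a matching finger alone, returns nothing; only the combination releases the enrollment template.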

The patent application also specifies an alternate and more secure option where two devices can connect and transfer biometric data over local wireless links, such as NFC or Bluetooth, using the same key-based encryption.

The patent also outlines a use case scenario involving mobile-based purchases similar to the Apple Pay payment service in which the second device in the system would serve as a point of sale terminal featuring a touchscreen, speaker and fingerprint sensor.

The user’s biometric data is sensed and matched in a manner similar to the above scenario, and is then used to authorize the purchase.

Though the application does not provide any further details, the method would likely be activated from the user’s device through NFC or another secure protocol.

The POS terminal does not necessarily need to download the user’s fingerprint, but instead it can send its own to-be-matched biometric data to iCloud or the user’s iPhone.

Apple will likely further test the method for any security holes that could arise in wireless computing and cloud storage services before completely adopting the system, especially in light of last fall’s hacks that included an iCloud security breach.

The patent was initially filed in July 2013 with former AuthenTec CTO Greg Kerr listed as its inventor. Apple acquired AuthenTec in 2012 and later branded the company’s technology as Touch ID in the iPhone 5s.

As previously reported, Apple announced that the US Patent and Trademark Office has granted the company a series of 48 patents, including a major invention relating to a multimode fingerprint scanner, specifically designed for financial transactions.


Comments

22 Replies to “Apple granted patent for iCloud-based fingerprint storage and cross-device synching”

  1. Apple is expected to do something about the vulnerability that their Touch ID brings: Biometrics operated with a password in the OR/disjunction way (as in the case of iPhone) offers a lower security than when only the password is used.

    Threats that can be thwarted by biometric products operated together with fallback/backup passwords can be thwarted more securely by passwords only.

    Whether static, behavioral or electromagnetic, biometrics can theoretically be operated together with passwords in two ways, (1) by AND/conjunction or (2) by OR/disjunction. I would appreciate hearing if someone knows of a biometric product operated by (1). The users of such products must have been notified that, when falsely rejected by the biometric sensor with the devices finally locked, they would have to see the device reset. (It is the same with the biometrics operated without passwords altogether. Only in this case can it be claimed that biometrics are used as an alternative to the password.)

    Biometric products like Apple’s Touch ID are generally operated by (2) so that users can unlock the devices by passwords when falsely rejected by the biometric sensors. This means that the overall vulnerability of the product is the sum of the vulnerability of biometrics (x) and that of a password (y). The sum (x + y – xy) is necessarily larger than the vulnerability of a password (y), say, the devices with Touch ID and other biometric sensors are less secure than the devices protected only by a password.

    What makes us nervous is the possibility of seeing such pictures that many of the consumers, who are trapped in the false sense of security, are piling up their assets and privacy in the cyber space while some of the criminal wolves, who are aware that those consumers are now less safe, are silently waiting for the pig to grow fat.

    It is really worrying to see so many ICT people being indifferent to the difference between AND/conjunction and OR/disjunction when talking about “using two factors together”.

  2. I would agree with Hitoshi Anatomi. Thanks for the comment, Hitoshi; it makes us feel good about the technology we are developing. We have the AND/conjunction approach.
