Apple wins a patent for the use of a Dual Biometric System for purchases, especially at point-of-sale terminals having an NFC reader
Today the U.S. Patent and Trademark Office officially granted Apple a patent that generally relates to user authentication, and, more specifically, to computing devices that collect biometric data. More specifically, Apple describes the use of a 2-step biometric authentication system that includes both Face and Touch ID to confirm a payment transaction. The button for Touch ID could end up looking like the one used for the iPad Air or a Touch ID button on a point-of-sale terminal that would act as purchase confirmation.
In some instances, a computing device may be able to perform an authentication of a user that includes collecting particular types of biometric data that can be collected without an explicit authorization from the user. For example, it may not be possible to collect fingerprint biometric data without a user's expressed intent as a user may need to willingly present a finger to a fingerprint sensor in order for the data to be collected; however, facial biometric data may be collected from a user merely because a user is seated in front of a camera of the device. This can be problematic if a user is being authenticated to perform some action, but does not actually want that action performed. For example, if a computing device were configured to provide payment information to a merchant in response to an authentication, it may be possible to collect facial biometric data from a user and successfully authenticate a user even though the user did not authorize providing the payment information.
Apple’s granted patent describes embodiments in which a computing device performs an authentication based on, not only biometric data collected from a user, but also an additional factor indicative that a user has authorized performance of the authentication.
The patent describes in various embodiments, a computing device that includes a button coupled to a controller circuit that detects when a mechanical input is received at the button from the user. If an authentication is being performed, a camera of the computing device may collect biometric data from a face of the user and supply it to a secure circuit that compares the collected biometric data against previous collected biometric data of an authorized user. In such an embodiment, the secure circuit authenticates the user based on the biometric-data comparison and a notification from a button controller indicating that the button has been pressed. That is, even if a match was identified by the comparison, the secure circuit would still indicate that the authentication failed if the notification was not received (or not received within a particular time window of the authentication being performed). Authenticating a user in this manner may be advantageous as it may prevent a user from being authenticated to perform an action that the user did not wish to have performed.
In some embodiments, the use of a physical button for receiving a mechanical input may also provide additional security as merely presenting a prompt via a graphical user interface can be vulnerable to a malicious actor having remote access to the computing device.
Still further, in some embodiments, the button controller and the secure circuit communicate via a secure communication channel in order to prevent the spoofing of an expressed intent to perform the authentication. In this way, if a processor running an application that requested the authentication became compromised due to malicious software, it may be incapable of sending a spoofed notification indicating the user's authorization to the secure circuit.
Apple’s patent FIG. 1 below is a block diagram illustrating an example of a computing device that authenticates a user based on two forms of biometric data.
In patent FIG. 5B above we see a communication diagram of an example authentication process 500B. In the illustrated embodiment, the process is performed to send payment information from secure element #400 to external system #190, which, in some embodiments, may be a point-of-sale terminal having an NFC reader.
Apple’s patent FIG. 6A above is a flow diagram illustrating a method for authenticating a user with Face and Touch ID.
For more details, review Apple's granted patent 11,354,390 titled “Biometric authentication with user input.”