Apple files a new Digital ID System patent that focuses on allowing a user to Share their Credential Information on a Second Device
Prior to Apple introducing Digital ID for Wallet at WWDC 2021, Patently Apple posted at least three patent reports on this project starting in September 2020 (01, 02 and 03). Today the US Patent & Trademark Office published a new patent application from Apple relating to Digital ID titled "Secure Sharing of Credential Information."
Apple's patent covers methods, systems, devices, and computer-readable storage media for provisioning credentials on second user devices using provisioning processes initiated by a first user device.
The credentials may include any suitable information (e.g., payment information for a credit card, unique account identifiers for electronic passes or tickets, etc.) useable to access a resource (e.g., payment funds, entrance to a venue associated with the ticket, access to entertainment at an amusement park, etc.). The credentials may be stored in secure elements on the user devices. A credential once stored in a secure element may be used to conduct contactless transactions (e.g., wireless communication with near field communication devices), which may include payment for goods and services, event and venue access, user identification, and the like.
In a particular use case, a user may purchase, on behalf of a group of friends, electronic passes to an amusement park that includes near-field ticketing and debiting technology. Such technology may enable users to "tap" their mobile devices to reader devices (e.g., conduct a contactless transaction) to enter and exit the park, purchase items within the park, obtain access to rides and shows, etc.
Such technology may require that each user device include its own unique credential that is associated with the user's respective electronic ticket. In this manner, the tickets may uniquely identify each friend in the group.
Using the provisioning system, the user may provision the electronic passes on behalf of her friends. To begin, the user may open, on their user device (e.g., a source user device), a third-party application hosted by the amusement park. Using this application, the user may request "sharing" of the purchased electronic passes with each friend. Once initiated, the source user device generates a provisioning target package and encrypts the provisioning target package using a provisioning certificate chain provided by the provisioning system.
The provisioning target package is encrypted in such a way that only the provisioning system can decrypt it. After encryption using the provisioning certificate chain, the provisioning target package may further be encrypted by a transport service of a messaging system that sends the provisioning target package (e.g., end-to-end encryption). The messaging system may then send, via a messaging application on the source user device, the encrypted provisioning target package to the target user devices of each of the friends.
Depending on the manner of sharing, the provisioning system or the messaging system may store the provisioning package. Each friend then opens the message and is led through a series of prompts, which includes authenticating his or her account with the provisioning system before the credential is activated on his or her respective device.
Once activated, the friends can use their respective user devices to interact with the near-field ticketing and debiting technology, and because the credentials are unique to the accounts of the friends, the first user is not responsible for purchases of the friends.
The systems, devices, and techniques described provide several technical advantages that improve the security of provisioning credentials and processing transactions using secure credentials, and protect user privacy.
For example, a nonce and a provisioning certificate (e.g., a provisioning certificate chain) are generated by the provisioning system, shared with the source user device, and used to encrypt a provisioning target package by the source user device. When the target user device authenticates with the provisioning system, it provides the nonce back to the provisioning system. The provisioning system is blind to the identity of the target account associated with the target user device until the target user device contacts the provisioning system for authentication and redemption. In this manner, only the intended recipient may authenticate and have the credential provisioned. In some examples, when the provisioning target package is sent only over a messaging system, the provisioning target package may be stored by the messaging system, not within the provisioning system.
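The nonce-and-certificate flow described above can be sketched as follows. This is an added example, not code from the patent or from Apple. The patent summary names no algorithms, so RSA-OAEP plus AES-256-GCM, the bare public key standing in for the certificate chain, binding the nonce as associated data, single-use nonces, and all function names and sample values are assumptions.

```javascript
const crypto = require('node:crypto');

// Provisioning system state: private key plus the set of nonces still redeemable.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const outstanding = new Set();

// Provisioning system -> source device. The bare public key stands in for the
// provisioning certificate chain (assumption; no chain validation is modelled).
function issueSharingMaterial() {
  const nonce = crypto.randomBytes(16).toString('hex');
  outstanding.add(nonce);
  return { nonce, publicKey };
}

// Source device: hybrid-encrypt the package so only the provisioning system can open it.
function sealPackage(pkg, { nonce, publicKey }) {
  const key = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(Buffer.from(nonce)); // assumption: ciphertext is bound to the nonce
  const body = Buffer.concat([c.update(JSON.stringify(pkg), 'utf8'), c.final()]);
  const wrappedKey = crypto.publicEncrypt({ key: publicKey, oaepHash: 'sha256' }, key);
  return { wrappedKey, iv, body, tag: c.getAuthTag() };
}

// Provisioning system: called only after the target device has authenticated.
function redeem({ sealed, nonce }, authenticatedAccount) {
  if (!authenticatedAccount) throw new Error('target account not authenticated');
  if (!outstanding.has(nonce)) throw new Error('unknown or already redeemed nonce');
  const key = crypto.privateDecrypt({ key: privateKey, oaepHash: 'sha256' }, sealed.wrappedKey);
  const d = crypto.createDecipheriv('aes-256-gcm', key, sealed.iv);
  d.setAAD(Buffer.from(nonce));
  d.setAuthTag(sealed.tag); // final() throws if the package or nonce was altered
  const pkg = JSON.parse(Buffer.concat([d.update(sealed.body), d.final()]).toString('utf8'));
  outstanding.delete(nonce); // assumption: a nonce can be redeemed once
  return { account: authenticatedAccount, passId: pkg.passId };
}

// Constructed sample run: `message` is what the messaging system would relay.
function demo() {
  const material = issueSharingMaterial();
  const sealed = sealPackage({ passId: 'PASS-EXAMPLE-001' }, material);
  const message = { sealed, nonce: material.nonce };
  const first = redeem(message, 'friend@example.com');
  let replayRejected = false;
  try { redeem(message, 'someone-else@example.com'); } catch { replayRejected = true; }
  return { first, replayRejected };
}
console.log(demo());
```

The provisioning system learns the target account only inside `redeem`, matching the description that it is blind to the recipient until redemption.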
As an additional technical advantage, the techniques described provide a more efficient process for provisioning credentials on remote devices. In particular, this process requires fewer click throughs, page views, data input at data input fields, and the like, as compared to conventional approaches. For example, in at least one example use case, a parent may send a credential to their child's watch and the child may be able to enter an amusement park by tapping their watch to a reader at the park without the child having ever interacted with a provisioning user interface at their watch. In this manner, the credential may be automatically provisioned on the child's watch without any input from the child.
Apple's patent FIG. 1 below illustrates a block diagram 102 and a flowchart showing a process 100 for provisioning credentials for use on user devices.
Apple's patent FIG. 2 below illustrates a block diagram showing an example architecture or system 200 for enabling provisioning of credentials for use on user devices.
Apple's patent FIGS. 3 and 6 below illustrate example user interfaces for provisioning credentials for use on user devices.
Apple's patent application number 20210377056 is an in-depth read that's perhaps more suited for developer types to explore.
Considering that this is a patent application, the timing of such a product to market is unknown at this time.
Related Digital ID Patent Applications
Three additional patent filings regarding Digital ID were published today by the U.S. Patent Office. The first is titled "Configuring an Account for a Second user Identity." Review patent application 20210374744 for details. The second patent application is titled "Sharing and using Passes or Accounts," and the third is titled "Creation of Restricted Mobile Accounts."