The Apple Pay monopoly debate part 1: context is everything

John Gruber did everyone a favor outlining some of the stakes at play in the remarkably glib, “Remarks by Executive Vice-President Vestager on the Statement of Objections sent to Apple over practices regarding Apple Pay.” The objections are annoyingly vague and refuse to specify how Apple Pay stifled competition and innovation:

(The) Digital Markets Act will…require companies designated as gatekeepers to ensure effective interoperability with hardware and software features they use themselves in their ecosystems. This includes access to NFC for mobile payments.

Today’s case addresses a conduct by Apple that has been ongoing since Apple Pay was first rolled out in 2015 <sic, 2014 actually>. This conduct may have distorted competition on the mobile wallets market in Europe. It prevented emergence of new and innovative competition that could have challenged Apple.

Mark Gurman and Jillian Deutsch at Bloomberg also did everybody a favor unmasking PayPal as one of the instigators behind the EU Commission Apple Pay investigation. Yes, that PayPal…the financial service that snuffs out user accounts whose politics they don’t like, or worse just seizes their money.

Both pieces miss important context surrounding the debate however…and with this issue context is all, especially how Apple Pay is playing out in other global markets. Most of what follows I’ve covered in earlier posts but hope to pull the various issues together in one post. Yet again, we kickoff with an updated Apple Pay diagram.

‘Open’ NFC, gatekeepers and secure element wars
Europe has been calling Apple Pay unfair since the very beginning, with many EU member banks holding out as long as they could. German banks only joined Apple Pay in December 2018 when Vestager was already actively seeking Apple Pay complaints. Less than a year later Germany passed a bill to force Apple to ‘open’ their NFC chip. Australian banks tried the same in 2017.

The so called Apple ‘NFC chip’ is not a chip at all but a hardware/software sandwich. The Apple Pay ecosystem described in iOS Security is a collection of tightly integrated polished pieces: Secure Element, Secure Enclave, NFC Controller, Wallet and Apple Pay Servers, all wrapped into a slick, easy to use UI with a final security wall of ‘secure intent’, a double-click side button hot-wired to the Secure Element. This approach has been so successful that people divide mobile payments history into pre-Apple Pay and post-Apple Pay eras.

NFC has been on Android far longer than iPhone, and ‘open NFC’ at that, but is far less successful capturing mobile payment users than Apple Pay. This is because Android device manufactures made the classic mistake of taking the ‘let’s take awesome NFC technology and figure out how we’re going to market it’ approach. Jennifer Bailey’s Apple Pay team choose the hyper focused Steve Jobs approach of starting with the customer experience and building backwards while asking: “what incredible benefits can we give the customer, where can we take the customer?” That choice made all the difference.

Apple Pay has a very simple rule: any card that loads a Java Card applet into their embedded secure element (eSE) has to reside in Wallet app. The maximum number depends on how many Java Card applets it can hold at any one time, the previous limit was 12, the iOS 15 Wallet limit is 16 cards. Developers have two ways to access iPhone NFC: 1) Core NFC framework for NFC operations that don’t use the secure element, 2) Secure Element pass certificates for NFC operations that need secure element transactions (payments, keys, ID, passes). Any developer who wants to run applets in the eSE has to apply for a PassKit NFC/Secure Element Pass Certificate. This is covered by NDA but a company called PassKit (not Apple) gives us an idea what Apple’s Secure Element Pass guidelines are:

Apple care a great deal about the user experience. Before granting NFC certificate access they will ensure that you have the necessary hardware, software and capabilities to develop or deploy an ecosystem that is going to deliver an experience consistent with their guidelines.

The end to end user experience, the whole reason behind the success of Apple Pay. But this gatekeeping is what riles banks and financial service providers who want to load their applets into the secure element without the Apple Pay gatekeeping, without the Apple Pay ecosystem and without the Apple Pay commission. They want to do their own transactions with their own app for free. This is what the EU Commission means when Vestager says: “Evidence on our file indicates that some developers did not go ahead with their plans as they were not able to to (sic) reach iPhone users.” It should read: when they were not able to reach iPhone users for free. Either the developer didn’t apply for a Secure Element Pass, didn’t pass the certification process, balked at Apple’s certification conditions, or couldn’t agree on Apple Pay commission rates.

Secure element gatekeeping is not new, it is an essential part of the secure element system:

A Secure Element (SE) is a microprocessor chip which can store sensitive data and run secure apps such as payment. It acts as a vault, protecting what’s inside the SE (applications and data) from malware attacks that are typical in the host (i.e. the device operating system). Secure Elements handle all sorts of applications that are vital to our modern digital lives…

Mobile Payments
Here, the Secure Element securely stores card/cardholder data and manages the reading of encrypted data. During a payment transaction it acts like a contactless payment card using industry standard technology to help authorize a transaction. The Secure Element could either be embedded in the phone or embedded in your SIM card.

Lifecycle management
It’s crucial that SE-embedded devices are secure throughout their lifecycle. That’s why Secure Elements need to have an end-to-end security strategy. It’s no use developing a robust security solution for a device which becomes obsolete after a period of use. This is why Secured Elements can be updated continuously to counter new threats.

What is a secure element?

Few people, especially a PayPal or EU Commission vice president, discuss the crucial secure element lifecycle management aspect. It’s not convenient for them to say the secure element ‘gatekeeper’ is responsible for keeping it secure. Far more convenient for their arguments to omit this, portray gatekeeping as unnecessary and gatekeepers as evil. In the end however, Apple has to maintain secure element updates from the various licensed secure element providers (EMV,FeliCa Networks, MIFARE, and so on) if secure payments are going to work at all This is what people who say, ‘it’s my device, we should be able to use NFC how we want,’ do not understand.

People also forget that nothing is free, you get what you pay for. With Apple Pay as gatekeeper, users get simplicity, innovation and feature updates. Simplicity: users get NFC they can use out of the box without Android-like NFC complexity such as secure element positions and obscure express mode settings.

Innovation: Apple Pay has features like Global NFC. iPhone and Apple Watch are the only smart devices that come with FeliCa built in as standard to use in Hong Kong or Japan, while Android limits functionality by market region. It’s astounding that Android, not even Google Pixel Android, has matched this basic functionality yet. We’re seeing more innovation as Ultra Wide Band (UWB) extends Wallet functionality to include ‘Touchless’ car keys and eventually, UWB enhanced automatic card selection as you approach the reader; more helpful than you might think.

Feature updates that, ‘just work’: the recent seamless Apple Cash switch from Discover to VISA, PBOC 2.0 flavored China T-Union transit cards, MIFARE Student ID, or the addition of in-app purchases and dual mode NFC for Japanese VISA card users when VISA JP finally buried the hatchet with Apple.

And the lesson? Apple Pay changed everything in the Japanese payments market, a catalyst that opened up competition and payment choices, for everybody. All boats rose together. It’s one of the most vibrant payment markets that Apple Pay operates in.

Japan is key to understanding what’s really going on in the Apple Pay monopoly debate. Japan was the first market with an established mobile payment platform in place, long before mobile EMV contactless payments took off in Europe. iPhone also has a much larger marketshare in Japan than it does in Europe. It’s a shame people pass up the opportunity to learn from the successes and failures here.

So what’s the EU Committee vision for ‘open NFC’? I think it’s a rehash of the secure element wars when carriers locked mobile payment services to SIM contracts. In 2013 Google incorporated SimplyTapp HCE (Host Card Emulation ‘secure element in the cloud’) technology as a NFC ‘workaround’ to ‘free’ NFC from the evil clutches of mobile carriers. Sound familiar? Android NFC has never been right since.

How little things change, swap ‘evil mobile carriers’ for ‘evil Apple’ and you have the same self serving ‘open’ vs ‘closed’ NFC chip nonsense that people are debating today. FeliCa Dude, the ultimate industry insider who has experienced it all, said it best: ‘It’s all eSE or nothing now.’

And yet we now have Île-de-France Mobilités (IDFM) turning back the clock, circumventing the eSE on NFC equipped Android devices and going all in with HCE for IDFM’s Smart Navigo service for Android. To me this says all you need to know what European priorities are regarding the ‘open NFC’ model: eliminate eSE gatekeepers by forcing the less secure network dependent HCE as a required option. Good luck with that. From a transit perspective, based on Mobile Suica user experiences, I don’t think HCE Smart Navigo will be a smooth ride.

The EU Committee ‘open NFC’ vision might look ideal…to Apple Pay competitors. Regular users however, will have to deal with the ugly reality of multiple NFC apps, multiple NFC secure element modes and clashing updates that cancel out NFC services. Apple Silicon eSE space is limited to 16 cards. If that sounds like a lot now, wait until you have credit cards, transit cards, home, car and office keys and ID installed along with ‘open’ NFC apps wanting their own eSE space too. Services will be squeezed out forcing the user to intervene. If the EU Committee thinks this environment fosters competition and innovation while growing mobile payment use, dream on.

Japanese tech journalist Junya Suzuki has covered NFC mobile payment developments in Europe, America and Japan for over 2 decades. He doesn’t think the EU is playing an even hand here, in his opinion Samsung and Huawei would never face the scrutiny that Apple now faces. In typical European cultural fashion, EU motives pay lip service to fair open markets while playing an underhanded game of chess to make Apple do what EU banking interests want Apple to do. In other words, a double standard.

What does Apple need to do?
I’ve always said that Apple needs to make the Secure Element Pass application process as transparent as possible. Keeping the blackbox NDA process as it is now makes Apple Pay a target, increasingly difficult to defend the status quo. Secure Element access on the level of Core NFC is a long shot, the very definition of a secure element means there has to be a developer certification process similar to EMVCo, FeliCa Networks, MIFARE, Calypso Networks Association, etc., that protects the privacy and business interests of all parties. But it would be great if there is a middle way where Apple can securely open things up for iPhone as a digital wallet, and iPhone as a payment terminal. We’ll see if Apple has anything to say about the subject at WWDC22.


Part 2: the gatekeeper difference

Recommended reading: Ruimin Yang’s wonderful overview, “Apple Pay monopoly, are we really comparing ‘Apples’ with ‘Apples?” examines the Apple Pay system architecture, how it compares to other digital wallet platforms, (Google Pay, Samsung Pay) and what ‘open vs closed’ means in the ‘Apple Pay is a monopoly’ debate.

Dealing with a lost Wallet

Yusuke Sakakura writes:

As usual, I tried to get on the train using Apple Pay Suica at the ticket gate, but it didn’t respond at all and I got stuck. At first I thought it was because I was wearing a thick coat, so I held it up again, but there was no response … When I checked the Wallet app, all the credit cards and Suica were gone.

It sounds like he was using Suica on Apple Watch. Sakakura goes on to helpfully explain what can cause this and how to get your Wallet cards back. The most common cause for a lost Wallet is signing out of Apple ID. Another cause is turning off the passcode. As he points out, the notification warning when signing out of Apple ID or turning off the passcode is vague, it doesn’t specially say you are about wipe your credit cards and Suica from iPhone. Some users are not fully aware of the consequences and proceed, only to be rudely surprised when they find Wallet is empty.

In all cases it is easy to restore a lost Wallet. Sign-in to Apple ID, set a passcode, go to Wallet, tap + , tap Previous Card and re-add the listed cards. Suica is easier to re-add as there are no terms and conditions or security code steps involved. As always make sure iPhone has a robust network connection when adding Wallet cards.

Another issue to be aware of with Suica and PASMO is Express Mode deactivation without realizing it. This happens when iPhone Face ID has 5 false reads (easy to do when wearing a face mask), when Apple Watch is off the wrist, or when the iPhone side buttons are inadvertently pressed in a snug fitting pocket (often aggravated by the phone case).

One oddity I have encountered using Apple Pay Suica on Apple Watch is wrist band fit. Apple Pay Suica on Apple Watch works fine at the transit gate under layers of winter cloths but Express Transit is sometimes deactivated with a looser fitting band. I like wearing the braided sports loop but it tends to stretch over time and become loose compared with the snug fitting solo loop. On a recent trip I had to constantly enter the Apple Watch passcode as my winter coat sleeve layers pulled the loose fitting braided sport loop enough to fool wrist detection. From here on I’m sticking with cheaper, more reliable solo loop which never has this problem.

Here are some guides dealing with re-adding Suica and PASMO:

Transfer to a another device
Restore from a lost or wiped device
Safely remove Suica or PASMO

Secrets of iOS 15 Apple Wallet

iOS 15 Wallet is deceptive. The first impression out of the box is that nothing has changed much. It looks the same, it works the same. It doesn’t help that many of the new features won’t come until later in the iOS 15 life cycle and will be limited to certain users and regions. ID in Wallet for example is only due to launch in eight American states ‘late 2021’. Wallet keys for home only work on A12 Bionic iPhone XS and later while office and hotel key “device requirements may vary by hotel and workplace.” In Japan the iOS 15 Wallet feature section is missing altogether. The fine print reads like Apple is giving itself the biggest set of loophole opt outs ever, as if to say, ‘sorry, better luck later on.’

This is because Wallet key and ID cards are exactly like the Apple Pay launch in 2014 when the contactless payment infrastructure in America at the time was way behind Europe and Japan. The contactless transition has been bumpy, uneven and continues to plod along while stores have been slow getting their act together. Early Apple Pay adopters grew accustomed to hearing that classic gag line at checkout when things didn’t work right: “you’re holding it wrong.”

Wallet keys and ID will see a gradual measured uptake just like Apple Pay payment and transit cards. But unlike payment cards and transit cards, the reader infrastructure side of the equation for digital keys and ID cards is only just beginning. For some people it may be years before they have the opportunity to use digital key with their car, home or apartment. The initial use for Wallet ID, TSA security checks for domestic US air travel, represents only a small subset of a much wider future potential. How long will it be before state government services are fully equipped to read their own digital issue ID? And what about in-app ID checks, there’s huge but undeveloped potential there too.

Apple is leading the digital wallet transition for keys and ID as they did for payments when Apple Pay launched in 2014. Sure, there are others already doing it on a limited scale and Apple may be late to the party, but because Apple takes the time to make complex things easy to use and get it right, eventually it’s everywhere. Even without keys and ID, iOS 15 Wallet offers some deeply useful UI improvements that will remove a lot of frustration for all Wallet users. Let’s take a look.


New Add to Wallet UI
The new Add to Wallet screen with card categories is the gateway to new iOS Wallet features, it also solves long standing UI problems that confused users for adding transit cards. The main categories:

  • Debit or Credit Card
    Add debit/credit, the same process we’ve had all along.
  • Transit Card
    The add Transit Card category is new and lists all available transit cards that support direct Wallet card add and Apple Pay recharge. Transit cards that can only be added and recharged via an app such as Portland HOP and Chicago Ventra are not included. Some transit cards on the list are somewhat deceptive. Hong Kong Octopus and China T-Union cards cannot be added without certain locally issued credit/debit cards but you only get the warning message at the very end of the addition process that aborts it. The only transit cards that anybody from anywhere can add to Wallet are: Suica, PASMO, SmarTrip, Clipper and TAP.
  • Previous Cards
    Previous Cards is a new category that appears only when needed. It shows cards, keys and passes that are attached to the user Apple ID but are not currently in Wallet.

The region-free Wallet
These seemly mundane UI tweaks are much bigger than they look. Before iOS 15, Wallet did not make a clear distinction between first time card issue (adding a card) and re-adding previous cards that were already attached to the user’s Apple ID. Adding cards to Wallet was also region dependent, that is to say users had to set the iPhone region to match the issuer region to add those cards. This has been a real pain for transit cards: Japan to add Suica, Hong Kong to add Octopus, America to add SmarTrip, Clipper or TAP.

Changing the device region is easy to do, but it’s not intuitive at all and bewildered users. It’s not uncommon for people to think that changing the region messes up the Apple Pay cards they already have making them unusable, or that a certain region setting is required to use a particular card.

Neither is true, but region-dependent Wallet was a big source of confusion that kept people from using great Wallet features and caused support problems, especially for transit card users. Do a Suica search on Apple Support Communities. The number one support issue is: I lost my Suica card, how do I get it back in Wallet?

The new UI fixes this problem by making a clear distinction between removing Wallet cards vs. deleting them. Wallet has a simple rule: removing a card added in Wallet does not delete the card but stores then on iCloud. Cards added in Wallet and keys are hooked into the user’s Apple ID. This is easy to see in Suica App which displays the unique Apple ID/Apple Pay identifier for each Suica card.

The pain point was the inability to see what cards were still attached to their Apple ID sitting on the Apple Pay iCloud server when not in Wallet. Most people assume a card not is Wallet is lost forever, the classic ‘I lost my Suica’ problem described above. This happened all the time in pre-iOS 15 Wallet when the user signed out of Apple ID without realizing it or migrated to a new iPhone without doing Wallet housecleaning on the old device. Removed cards were always parked safely in iCloud but there was no easy way to see them. With Previous Cards and region-free Wallet, you always know where to find your Wallet cards.

Knowing exactly where your Wallet cards are, in Wallet or parked on the server, and how to really truly delete them from the cloud, makes using Apple Pay easier. When users understand that Apple Pay has their back, they trust and use it more. Trust is far more important than technology.

From now on the new rules are: removing a card only removes it from Wallet. Only the extra step of removing a credit/debit card from Previous Cards removes it completely from Apple ID. Stored value cards like Suica can only be deleted with the card issuer app.


ID in Wallet

iOS 15 devices
watchOS 8 devices
Launch states: Arizona, Georgia, Iowa, Kentucky, Maryland, Oklahoma, Utah

ID in Wallet is the biggest new iOS 15 Wallet feature, important enough that Apple announced details and launch states before the September Apple Event, which is unusual for a feature due late 2021 March 2022. The press release clearly explains (but does not show) the exact process for adding and using an ID, and the some security details behind it. Carefully crafted screen images clearly illustrate that ID in Wallet does not show detailed personal information, not even a full name, only the ID elements that will be transmitted by NFC to the TSA reader. Like Apple Pay, users do not need to unlock, show, or hand over their device to present their ID, they simply authorize and hold to the reader.

ID Security and Privacy
It looks slick but there are lots of interesting things Apple has not shown yet, like the actual adding process, that will certainly be highlighted at the September Event. Apple is advertising high level security and privacy for ID in Wallet but there are device distinctions security concerned users will want to know about, specifically Secure Intent.

Secure intent, in a very loose sense, is the user action of confirming ‘yes I want this transaction to proceed’ by double pressing a button (Face ID and Apple Watch) or a long press (Touch ID). But there are important differences: by Apple’s official definition, Face ID iPhone and Apple Watch are secure intent devices, Touch ID iPhone is not.

Secure intent provides a way to confirm a user’s intent without any interaction with the operating system or Application Processor. The connection is a physical link—from a physical button to the Secure Enclave…With this link, users can confirm their intent to complete an operation in a way designed such that even software running with root privileges or in the kernel can’t spoof…A double-press on the appropriate button when prompted by the user interface signals confirmation of user intent.

The most secure ID in Wallet secure intent transaction is a double press button authorization action that tells the secure enclave, where your biometrics are stored, to release authentication to the secure element, where your ID credentials are stored, for the transaction magic take place. Apple: “Only after authorizing with Face ID or Touch ID is the requested identity information released from their device, which ensures that just the required information is shared and only the person who added the driver’s license or state ID to the device can present it.” There is no Express Mode for ID card nor would you want there to be.

There is another aspect to consider, one that Apple certainly won’t divulge: who manages and runs the backend centralized mobile ID issue service that plugs into Apple Pay servers. The direct in Wallet ID card add process demonstrates a high level of integration: “Similar to how customers add new credit cards and transit passes to Wallet today, they can simply tap the + button at the top of the screen in Wallet on their iPhone to begin adding their license or ID.”

We can get an idea of what’s involved on the ID backend from the Japanese Ministry of Internal Affairs and Communications (MIC) English PDF document: First Summary Toward the Realization of Electronic Certificates for Smartphones with a diagram of the digital ID system architecture for the Individual Number Card (My Number). MIC are in discussions with Apple to bring the digital My Number ID to Wallet. The Android version is set to launch in 2022.

There has to be a partner service company that sub-contracts mobile ID issue services to participating state governments…somebody that does the heavy lifting of linking various state database servers to provide a centralized card issuing service so that Apple can provide a seamless ID add card experience. But it must be an independent entity that can provide the same set of backend ID issue services to other digital wallet platforms (Google Pay, Samsung Pay, etc.) at some point. Because if it is not an independent entity providing those services, Apple is inviting more claims that Apple Pay is a monopoly. It’s a mystery worth digging into. Nevertheless, Apple is paving the way by integrating ID issue directly in Wallet that eliminates crappy 3rd party apps. It’s a huge effort that hopefully makes digital ID easy, practical and widely used.


Digital Keys and Power Reserve Express Mode
Home, office and hotel keys are the first new iOS 15 Wallet feature on launch day. Where is the Add to Wallet Key Card category? There isn’t one. Keys are slightly different and cannot be added (issued for the first time) to Wallet directly because the mobile key issuing company has to confirm user identity before giving the key. The most common way to add keys for the first time is with an app. From the Apple car key support page:

Open the car manufacturer’s app and follow the instructions to set up a key…Depending on your vehicle, you might be able to add car keys from a link that your car maker sends to you in an email or text message, or by following steps on your car’s information display.

Keys removed from Wallet can be re-added quickly via Previous Cards. According to the iOS 15 and watchOS preview page, keys appear to come in 2 basic varieties, sharable and un-sharable, device specs are different depending on the type of key.

  • Sharable keys
    • Car keys with Ultra Wideband
    • iPhones and Apple Watches equipped with U1 chip (iPhone 11 • Apple Watch 6 and later)

    • Car keys (NFC)
    • Home keys
    • iPhone XS • Apple Watch 5 and later
  • Un-sharable keys
    • Office key
    • Hotel key
    • Device requirements may vary by hotel and workplace

All keys work in Express Mode as keys, unlike ID, require Express Mode to be useful. iPhone XS with A12 Bionic powered NFC supports Express Mode Power Reserve, a huge performance difference from previous Apple Silicon. The extra 5 hours of power reserve key access with a drained iPhone battery are crucial and it’s understandable why Apple set iPhone XS as the base iPhone for using car and home keys.

There might be conditions for office and hotel keys depending on the key issuer. In Japan for example iPhone 6s, iPhone 6s Plus, iPhone SE (1st generation) cannot be used for FeliCa based key access, hence the ‘device requirements may vary’ tag.

One more issue here is that mobile key issue is a complex process for hotels, and one assumes offices as well, one that usually requires an app with an account to securely issue a mobile key with set limitations (time, area, etc.).

It’s important to note that issuing digital keys is only one step of the complex process that allows guests to bypass the front desk. Apple’s announcement certainly does not spell the end of the hotel app as we know it…

It’s a big step toward streamlining a process that has, until this point, prevented many guests from using their phone as a digital room key. But, Wallet only solves one segment of the end-to-end operation required to get a guest checked in and room access issued. The bigger issue is connecting identity with access, which requires many more steps beyond issuing a key.

How Apple’s Newest Features Will Affect Hotel Check-in

Hyatt Hotel launched Room Keys in Apple Wallet in limited locations on December 8 (video). There are a few interesting requirements and other bits. (1) Bingo…reservations must be made in World of Hyatt app and can only be shared with one more device with the same Hyatt account, (2) Room key activated in Apple Wallet after checkin and room assignment, (3) hotel updates or deactivates room key in Wallet remotely, (4) Room key in Apple Wallet is never shared with Apple or stored on Apple servers, (5) The World of Hyatt app is run by ASSA ABLOY Vostio Access Management cloud-based solution. The word ‘sharing’ is never mentioned in the Hyatt announcement or ASSA ABLOY Vostio Access literature. No word what protocol is used but you might remember that ASSA ABLOY and Blackboard use MIFARE for Student ID.

Pairing an identity with access is the core difficulty dealing with digital key issue, sharing keys on different devices is a particularly thorny problem. If I had a crystal ball to read, I might see a future where your ID in Wallet is the only confirmation necessary to add a key directly in Wallet with an email link, no apps. It would be nice if things evolved that way over time. Perhaps that is one of Apple’s long term goals for releasing home-hotel-office keys and ID in the same iOS 15 product cycle.

Wallet expansion and housekeeping
The last improvement is that iOS 15 Wallet now holds up to 16 cards. The previous official limit was 12 cards (8 cards for pre-A11 iPhone), though Apple hasn’t mentioned the new limit in any support pages. If you have trouble adding more than 12, remove one taking the total down to 11 cards, then add more cards up to the new limit. The limit is defined as cards that use the secure element for transactions: payment cards, transit cards, keys, and ID. Passes don’t count and used passes are automatically cleared and stored in the new archived passes category. One hopes Wallet will do similar housekeeping for expired hotel keys in a later iOS 15 update.

The expansion seems trivial but 4 more parking spaces in Wallet garage is a godsend not only for card otaku but also for regular users who already have lots of payment and transit cards, it’s easy to hit the limit. The housekeeping changes are appropriate and timely, going forward we’ll all be adding car, home, office, and hotel keys along with our driver’s license to an ever growing Wallet.

UPDATE
An earlier edit of this post incorrectly stated that watchOS 8 Wallet did not support hotel and office keys (they were not listed on Apple’s watchOS 8 preview page but mentioned on a separate PR release). Apple PR reached out regarding the error and has been corrected.

Last updated 2021-12-09 (added Hyatt Hotel Wallet key beta test announcement)

Suica Smart-Lock service announced for December launch

JR East announced the Suica Smart-Lock service for a December launch. The service is a co-venture that incorporates JREM who provide the cloud based ID-Port technology and ART, an access system provider using FeliCa and MIFARE NFC technologies and lock provider/partner ALLIGATE. A Suica card (physical and mobile) can be registered online as a key and might utilize the ‘Super Suica’ FeliCa Secure ID cloud centric feature found in next generation FeliCa with JR East providing the backend authentication service. The Suica Smart-Lock site lists apartment buildings, hotels, company building access, parking lot and elevator use as end user scenarios.

The streamlined cloud aspect is being marketed as a cost saver: hosts don’t need to setup a key server or issue cards. The user simply registers their Suica ID number online but the ID number is not used for access, the unlocking part is done with secure mutual authentication. Management sets the key privileges or guest access. Other transit IC cards can be registered as a key but the press announcement fine print suggests some limitations with non-Suica cards (i.e. only Suica and PASMO are on mobile devices).

Mobile Suica support is shown extensively in the web images and the watch images strongly suggest Apple Watch which is the only wearable device, so far, that fully supports all Mobile Suica features. Another interesting aspect is that Apple’s iOS 15 Japanese language preview page only shows Wallet digital key support as a new feature. I think it’s safe to assume that Apple Pay Suica Express Transit support will be there with Suica Smart-Lock in December. The question is will there be a separate iOS 15 Wallet digital key version for people who only need the Suica Smart-Lock digital key function? Suica and transit IC cards are already used by some access solutions but key management and cost have kept them from wide deployment.

The Japanese iOS 15 preview site only shows digital keys for Wallet
Wallet digital key partners announced at WWDC21

iOS 15 Apple Pay Wallet preview: the Express Mode difference

Express Transit Suica ruins the Apple Pay experience for using anything else. You want Apple Pay to work that way everywhere but it doesn’t. Most of the time we trudge along using Apple Pay Wallet with face mask Face ID authorization, although the Apple Pay experience on Apple Watch is a big improvement as well as being a trusted device for secure intent.

iPhone users in America are finally getting a taste of Express Transit en masse with the 2020 rollouts of Apple Pay for SmarTrip, TAP, Ventra and Clipper. Apple recently rebranded Express Transit as Express Mode on their new Wallet webpage (in Japanese it’s called Express Card). The branding change may seem trivial but it has bigger implications for first time users of new Wallet services in iOS 15, Express Mode goes places that Express Transit cannot: digital keys and digital ID.

These functions are not new of course, Express Transit cards and Student ID cards have been opening transit gates and doors these past few years. But Express Mode is for everyone and personal: your keys and badge to unlock your home door, unlock and start your car and get you into the office. With these refinements and additions it’s safe to say that iOS 15 Wallet finally delivers the digital wallet dream people have been talking about since 2010. Wallet can replace your wallet.

What’s new
Last year I covered ‘coming soon’ Ultra Wideband Touchless and Code Payment (codeword Aquaman) Wallet developments. The Code Payments feature is still waiting in the wings. Steve Moser kindly confirmed that Aquaman code references are alive and well in iOS 15 with minor changes but this post will focus on announced features. In the WWDC21 Keynote Apple Pay section Jennifer Bailey announced keys and ID. The Wallet features you get from the ones listed on the iOS 15 preview page depend on the device:

Car keys with Ultra Wideband support (shareable)
iPhones and Apple Watches equipped with U1 chip* (iPhone 11 and later, Apple Watch 6)

Car keys without Ultra Wideband support (sharable)
Home keys (shareable)

iPhone XS • Apple Watch 5 and later*

Office key
Hotel key

Device requirements may vary by hotel and workplace.”

ID in Wallet
iOS 15 devices
watchOS 8 devices (the fine print: Not all features are available on all devices)

None of the new features will be available when iOS 15 launches. Expect them with the iOS 15.1 update or later. NFC Car keys launched on iOS 13 and iOS 14 in 2020.

The A12 Bionic • iPhone XS and later requirement for Wallet keys is easy to understand: Express Cards with power reserve. A12 Bionic (and later) powered NFC bypasses the iOS overhead with a direct connection to the secure element. It is vital that people can unlock car and home doors even when their iPhone battery is out of juice. Up to 5 hours of power reserve makes a huge difference, but only for iPhone. *Apple Watch supports Express Mode but not power reserve.

The bigger story is UWB because it is new technology that works with the Secure Element to create a whole new experience. Up to now the Secure Element was exclusively NFC. Not anymore, the Car Connection Consortium (CCC) Digital Key 3.0 specification “maintains support for NFC technology as a mandatory back-up solution.” Digital car key is first and foremost a UWB solution with NFC relegated to the back seat.

UWB connectivity adds hands-free, location-aware keyless access and location-aware features for an improved user-friendly experience…

3.0 addresses security and usability by authenticating the Digital Key between a vehicle and the mobile device over Bluetooth Low Energy and then establishing a secure ranging session with UWB, which allows the vehicle to perform secure and accurate distance measurement to localize the mobile device.

Car Connectivity Consortium Delivers Digital Key Release 3.0 Specification

NTT Docomo and Sony demonstrated UWB car keys in action last January running on Android Osaifu Keitai hardware. Sony (FeliCa) and NXP (MIFARE and UWB chipsets) have worked closely to extend both FeliCa and MIFARE into the UWB Touchless era. The CCC Digital Key specification is open to any Secure Element provider. UWB + Bluetooth Low Energy (BLE) is simply another radio communication layer in addition to NFC.

Diagram from Car Connectivity Consortium (CCR) Digital Key 2.0 White Paper, the recently released 3.0 spec adds UWB
Mobile FeliCa UWB Touchless diagram from NTT Docomo, NXP MIFARE works exactly the same way

This is significant as it opens up UWB to anything that currently uses the Secure Element and NFC. Apple has not spelled it out but suggest UWB might work with Home keys and there is no reason UWB cannot work with all keys, transit cards and Student ID. The WWDC2021 session video Explore UWB-based car keys is a great introduction and highly recommended viewing if you have any interest in the subject. The session is a bit unusual in that the discussion covers RF hardware and performance design more than software. It feels like the target audience is car manufacturers. There is a lot of detail to get lost in but here are some simple but essential points:

Secure Element improvements: the SE has always used unique keys for mutual authentication, this has been extended with ranging key deviation

Secure communication at a distance: UWB and BLE identifier randomization with secure ranging is an important security feature as UWB Touchless works over much greater distances than NFC reader tapping

Zones: the precise motion and positioning tracking of a paired UWB device with a unique key allows for ‘passive entry’ action zones, walking towards the car unlocks it, walking away locks it, etc. without any other user interaction

RF transceiver and antenna system design: is a deep and difficult art that echos the Suica creation story

JR East (Suica) and Hong Kong MTR (Octopus) have both said they are developing transit gates that incorporate UWB. This makes sense as Mobile FeliCa is now UWB savvy but after watching the WWDC21 session video I can only marvel at the complexity of the big picture because UWB is about mapping and using space and movement to perform an operation.

The engineers face countless problems and challenges to juggle in their quest to build a transit gate that delivers the same FeliCa NFC speed and reliability with UWB…at rush hour. They have to consider radiation patters, system latency and processing power, localization algorithms and much more. If they achieve their stated goal, 2023 could be a very interesting year for transit.

ID in Wallet
Lots of people are excited about the possibility of adding a digital driver’s license to Wallet but as 9to5 Mac’s Chance Miller wrote, we don’t know much about about it at this point. Actually in Japan we do. The Ministry of Internal Affairs and Communications (MIC) released an English PDF: First Summary Toward the Realization of Electronic Certificates for Smartphones with a diagram that explains their digital ID system architecture. MIC remarked back in November 2020 that they are in discussions with Apple to bring the digital My Number ID card architecture to Wallet. The Android version is due to launch in 2023 and will likely employ the Mobile FeliCa Multiple Secure Element domain feature described by FeliCa Dude (FeliCa using NFC-B instead of NFC-F). A similar basic architecture with different protocols and issue process will undoubtedly be used for adding digital drivers licenses.

The Privacy question
I’ll be very interested to see how ID launches in America this fall. Which outside partner company or companies are providing the service to participating states and running the backend? I suspect it will be something similar to Student ID with Blackboard running the service for participating universities. The biggest security question in my mind is who besides the TSA will use ID in Wallet, and more importantly, how? Some governments and transit agencies are pushing face recognition as a convenience in addition to security. My preference will always be for having my ID on my own Secure Element rather than somebody’s cloud server, an ID that I authorize with my own secure intent.

Wallet UI and usability improvements
Wallet App didn’t get the makeover that some users asked for, but there are are a few small improvements. Up to 16 cards can be added in iOS 15, up from 12 in iOS 14. Archived passes and multiple-pass downloads help make Wallet more useable and remove some housekeeping drudgery.

I finally got two WWDC19 Apple Pay Wallet wishes granted: (1) dynamic Wallet cards and (2) region free transit cards. Apple Card does UI things in Wallet no other card is allowed to do. As far as I know this first changed with Disney’s MagicMobile launch on iPhone, Jennifer Bailey calls them “magical moments when you tap to enter.” There are similar low-key card animations in Home key and ID cards. It’s a very small step but I hope Apple adds more over time than just sprinkling seasoning card animations. Done wisely, dynamic cards could improve Wallet usability that convey important card status and account information.

Wallet card animations are slowly making their way into the picture, but will they ever be more than silly pretty fun?

Region free transit cards means that users no longer have to change the iPhone • Apple Watch region setting to add a transit card. In iOS 15 Wallet you get the full list regardless of the region setting. It’s not perfect but it is less confusing than adding a transit card in iOS 14.

Summary
The overall reaction to iOS 15 has been somewhat muted but there are lots of new details. Apple Pay Wallet additions for home keys, office key, hotel key and ID build on technologies that have been on the Apple Pay platform for some time but Apple is leveraging them in new ways.

The unveiling of UWB Touchless is important and cutting edge, that might revolutionize secure transactions. The next step not only for car keys but for transit and other services that up to now have been limited to NFC. And this time, unlike NFC, Apple is leading the way for UWB.

The bottom line is that UWB opens up a lot of possibilities for many current NFC based solutions. Expect UWB Touchless support for Wallet cards in the near future that use Express Mode in new ways, and new UWB based features for a much smarter Wallet.


UWB Gallery
Screenshots from the Explore UWB-based car keys session video

Zones
Zones are is one of the exciting aspects of UWB Touchless, where functions are triggered by the simple act of walking towards or away from the car. It will be interesting to see how this is applied to UWB Touchless transit gates.

Space and movement: the UWB process

Last but not least, Power Reserve mode now supports Find My Network