Apple Watch wrist sensors could increase security by scanning veins in the wearer's wrist
Future versions of the Apple Watch could authenticate the wearer's identity by scanning elements under the skin of a user's wrist, a biometric security feature that could eliminate the need for owners to enter a security code each time they put on the wearable device.

The rear sensor of a Nike+ Apple Watch Series 4
The Apple Watch is the only mobile device Apple produces that does not offer biometric security, with the wearable timepiece requiring a user to enter a PIN on the display to unlock it. The PIN has to be entered each time the Apple Watch is being accessed while not worn, as well as to unlock it for the first instance of accessing its functionality once placed on the wrist, but it won't ask for the code again until it detects it is no longer on the person's arm and in contact with the skin.
While the PIN does offer some security, there is a one-in-10,000 chance of it being unlocked by someone guessing at random. If the user reuses a PIN that also secures other items, someone who knows that code from elsewhere may use it on the Apple Watch with a good chance of success.
In a patent application published by the US Patent and Trademark Office on Thursday, Apple's filing for a "Wearable Electronic Device Having a Light Field Camera Usable to Perform Bioauthentication from a Dorsal Side of a Forearm Near a Wrist" offers a suggestion of using imaging at the rear of the Apple Watch to confirm the wearer's identity.

Illustration showing the area of the wrist light field cameras on the back of an Apple Watch could cover
As the title suggests, Apple proposes the use of a light field camera on the back of the Apple Watch, effectively consisting of multiple camera sensors and light emitters. Similar to how the Lytro cameras operate, the sensors would work together to capture enough data to form a complete image of a scene in which the point of focus can be set to a variety of different settings.
Typically the synthetic focusing would be used with viewable subjects, but in the filing the subject would not be out in the open. Instead, Apple suggests taking the image while the Apple Watch is in contact with the wrist, in order to capture elements underneath the skin.
The list of features that could be detected for authentication includes patterns for hair follicle openings, vascular patterns, veins, arteries, blood perfusion in the skin and tendons, fascia blood perfusion, tendons, connective tissue, skin pigmentation, small scale folding skin patterns, pores, and bone shapes. One or more elements could potentially be used for authentication.

An exploded view of a biosensor panel that could include light field sensors and other elements
The images, following the synthetic focusing process, would be compared against previously-captured versions that are confirmed to be of the user. If there is enough of a similarity between the two sets of images, the system would confirm an authentication attempt, or otherwise prompt for another type of security check.
While Apple does produce numerous patent filings with the USPTO on a regular basis, it isn't a guarantee that the ideas will make their way into future Apple products and services. They do, however, offer a guide as to areas of the company's interest.
The patent application has some promise, as it would shore up security on the Apple Watch from its current state, potentially making it as secure as Face ID. Crucially, as the check is performed on the wrist, the Apple Watch knows that it is the user wearing it, rather than the correct PIN having been entered while the device is on a different person's wrist, enabling the Apple Watch to further protect a user's sensitive data.
Sub-dermal security has been explored elsewhere by Apple. A patent application from March 14 put forward the idea that using vein matching technology to scan areas below the skin as part of a Face ID check would further enhance an already quite secure system, enabling it to determine the difference between visually identical twins by simply seeing different vein patterns.

Comments
Since a 4-digit PIN will auto-submit—even if you uncheck Simple Passcode in the iPhone Watch app—the minimum length someone could reasonably assume for your Watch PIN is 5-digits, which would give them 100,000 possibilities to try. Knowing nothing else, they'd then have to try 6-digits for 1 million possibilities, then 7-digits for 10 million possibilities, before finally coming to 8-digits for 100 million possibilities.
That's 100 million + 10 million + 1 million + 100,000 for a total of 111,100,000 possibilities for your setup. The maximum is 10-digits for 10,000,000,000 possibilities, or 11,111,100,000 in total if you don't know how many digits are in their PIN.
Well, yours was more secure until you told everyone your PIN is 8-digits.
PS: I'd like Apple to offer more options than a BASE-10 system. Not that I necessarily want to type in more characters, but offering more character options means I can type in fewer characters while also having a more secure device. For example, being able to choose from a selection of distinct emoji would allow me to create a story with a few simple pictograms that are easy to remember but also escalate my password complexity for hackers.
AW requires a PIN to unlock, but it can also use the iPhone as pass-thru authentication. The discussion and context is on the AW solo, as it is not required to have the iPhone on you to operate the AW, especially so with cellular.
Agreed. I'm not always prompted for a PIN, although I can't pinpoint the pattern. Maybe my iPhone is the other factor? I thought [I read that] the Watch did biometric authentication by recognizing the wearer's heartbeat pattern, etc?
Now, take a moment and imagine two brilliant engineers on opposite sides of the globe coming up with the same idea without knowing about each other's work. Yes, it's possible. And both are valid, genuine, original ideas in their own right.
I too use a PIN in excess of 4 digits. I wish the iPhone wouldn't show how many digits are required, similar to the watch and iPad.
Wow, I completely forgot about unlocking the phone (TID in my case) also unlocking the Watch. Generally when I put on my Watch the phone isn't immediately handy and it's just quicker to automatically enter my PIN than get the phone and unlock it. It might be a few hours before I get around to that and my health data isn't recorded during that time AFAICT. I've missed some Stand counts because of that.