Apple Pay Cash and the matter of trust

 

Over more than a decade now we have seen the launch of mobile wallets and prepaid cards, the high hopes for them and an often lukewarm response from the customer, followed by a phased withdrawal. I have myself been involved in a number of launches, in roles at many different parts of the payments, banking and money transfer ecosystem. There have been clear benefits we could demonstrate for our customers, but inescapably, with each extra “pot of money” a customer creates, there is more to manage. So the benefit must be compelling.

The big question in my mind when Apple announced the launch of Apple Pay Cash in the US on December 5 was naturally, how will this product fare? Will the path we see look much like that of the Google payment card, which launched with great fanfare and soaring expectations, but just fizzled out? Apple has proven they can launch products that are accepted and can change customer behaviour, getting them to do things they never used a phone for before. So will the Apple track record be enough to carry through this new product to success and help Apple Pay Cash to succeed where others failed?

The new Apple Pay Cash card image, copyright Apple Inc.

With the growing threats from cyber security, from a myriad of digital players on a range from pesky to all-out criminal, customers are increasingly on the lookout for ways to transact securely while on the go. Could a prepaid card from Apple that can hold some money that you use to pay be of interest, by addressing the customer's critical and growing need for trust? Apple Pay has been relatively successful in mobile payment, but research from PYMNTS.com “Apple Pay Stats” seems to indicate a plateau in uptake over the last few years.

The offer seems not too new, and by now customers should be familiar with what to do and how to do it, having used their mobile phones with PayPal, Square, Venmo and other payments and money transfer applications. The Apple Pay Cash debit card works “like a bank account”, allowing you to send and receive money on the go.

Apple has attempted to make it easy for customers to get started, but as they cross certain thresholds they are asked for more identity verification. For instance if you want to receive $500 or more your identity would be checked, but it may be checked even otherwise, based on the way Apple sets up its rules. You may choose to verify your identity upfront, for instance if you want to use it at your favourite retail store. The identity check is managed through Green Dot Bank, the Apple Pay Cash card service provider. You must provide name, address, last four digits of your Social Security number and date of birth, as of now.

If trust is to be the draw, launch timing seems really unfortunate. We just found out that since 2016 Apple has been slowing down processes on older iPhones. Whether this was meant to nudge customers towards buying a new phone before they planned to or was an error of judgement that led the team to choose this as a “fix” for older batteries, trust in Apple has taken a beating. Apple has apologised, but a clear statement on what customers may expect going forward may still be critical, to re-establish the kind of trust customers need to deepen a financial services relationship.

So the new Apple Pay Cash launches in a climate where trust in the Apple brand is not at an all-time high, while trust towards America and American brands has also taken a beating. The repeated high level data breaches in 2017 and use of our personal data as the price we pay for “free” services has left customers somewhat jaded.

Customers need brands they can trust and brands need customers, for which they must meet customer needs. As we enter 2018, for me success of every product and service will hinge on deepening trust. Trust is something customers often took for granted in the past. Now each breach is likely to cause a reaction that could take brands by surprise.

Apple Pay comes to the most contactless ready country – UK!

 

Today Apple Pay launched in the UK - signalling the start of a new era.

 

Since Apple Pay launched in USA last October, a UK launch has been expected, to mark the start of a new level of use of mobile phones for contactless payment. UK is the country that is arguably the most contactless-ready in the world, with the largest number of contactless cards according to recent Visa reports. As people in the UK start to pay for goods and services around London using their iPhones and Apple Watches this could forever change the way we pay, first in the UK and shortly across other parts of Europe.

 


From today over 250,000 shops will accept Apple Pay across UK.

These include:

  • High Street Favourites: The Post Office, Starbucks, Costa, Subway, KFC, McDonalds, Pret
  • Retail Stores: Waitrose, Lidl, Spar, JD Sports, Dune
  • Department Stores: Marks & Spencer
  • Restaurants: Wagamama, Nando's
  • and most important of all, Transport for London (TfL)

 

As you will recall, London buses went cashless this time last year, but people were still largely using Oyster cards, with contactless payment cards still a novelty. I touched on this in my blog of December last year, “How payments changed in UK in 2014, and the perfect storm brewing for 2015”. Although mobile payments were supported by Vodafone, EE and others, consumers failed to adopt them in large numbers. Now though, there is for the first time a real challenger to contactless cards.

 

People can now authorise payment simply by using their fingerprints, with the NFC chip on their phone communicating with TfL readers on the London underground, buses and rail networks.

The first three banks to launch today are Santander, NatWest and Royal Bank of Scotland. Barclays, having held out the longest, is also likely to shortly support Apple Pay, but HSBC and First Direct will be first with their launch later this month.

As the limit for contactless transactions increases from £20 to £30 in a few months, people can start to buy groceries through this fast new checkout method. Unfortunately I buy all my groceries online, so will have to make a special trip to the stores to check this out. Watch this space!

There are many ways to measure contactless readiness – number of terminals, number of cards, usage of contactless payments and more. Different countries top on different criteria. This month Visa Europe reported that UK leads Europe in contactless cards issued at 49.6 m cards, and 410,000 terminals, and considering that these are just figures from Visa, these figures appear to make UK the leading country, at least on some measures of contactless readiness (Your views are most welcome!). This launch is therefore a critical one for Apple, and will be instrumental in driving strategies of key providers world-wide.

 

With Apple Pay here now, can Android Pay be far behind?

How Android Pay changes Mobile Payments–and why you should care

 

Now that details regarding Android Pay have emerged, I thought it would be interesting to contemplate on how key mobile payments “ecosystem builders” as I term them, stand with respect to the on-going mobile payments game. Here is the State of Play in the Mobile Payments Game, post Android Pay

 

The latest move is Google’s announcement of Android Pay at the Google I/O conference today. This allows customers to pay at retail stores by simply unlocking their phone, without the need to open an app, in a “Tap and go” experience. Loyalty programs and offers can be applied at checkout. Also the contactless terminal receives not just the payment details but also loyalty points and offers.

Assuming things go to plan as per announcements, here are my thoughts on where players are positioned.


 

The Prize

Over 2014 to 2016, the mobile commerce market is set to grow by a factor of five. This is 10 times faster than the E-commerce market. But by 2016, with less than 500 million mobile payments users, and a market worth $600 billion there is ample scope for further growth. PayPal recently announced that while online and mobile shopping accounts for $2.5 trillion in annual retail sales, with the convergence of the online and physical world, a unified world of commerce could be worth $25 trillion, resonating arguments I made in my book “The Digital Money Game”.

 

Key Players

The current scene of the battle is playing out in the US with heavy-weights placing large bets on paying by mobile phone.  Big players currently making investments include Apple, Google, PayPal, Samsung, Facebook, Visa, MasterCard, MCX and others. Also there are several mobile payments providers who have obtained some traction in the market and may now be up for grabs.

Some have folded their hands – Softcard (formerly ISIS) was recently acquired by Google, as an important precursor to their current play, as now handsets from AT&T, Verizon and T-Mobile can come pre-loaded with Android Pay.

 

Key Enablers

Once an area dominated by mobile operator SIM-SE standards, the dam has burst and we have a number of possible technologies emerging. Samsung’s embedded approach recently announced is similar to eSE introduced by Apple for ApplePay and both work with tokenization services of card schemes. HCE and tokenisation hybrid models first introduced by Google for Android Kitkat (4.4) have since resulted in the launch of a number of pilots around the world. Meanwhile QR Codes have seen good traction, being behind some of the best adopted services, such as the Starbucks Wallet.

Now Android Pay says their service is secure as they won’t send your actual credit or debit card number with each payment. Instead a virtual account number represents the account information. Android Device Manager is to allow consumers to instantly lock their device from anywhere, secure it with a new password or even wipe it clean of personal information. 

 

Country Positioning

Apple Pay is still largely US only, although reports have emerged from Singapore of people successfully using their Apple Watch to make payments there. Android Pay has a huge potential in terms of reach but for now nothing much seems to be clear in terms of when it will launch outside of the US. While Apple benefits from premium user status, in terms of sheer numbers, once the gameplay extends out of the US, Android is better placed in terms of penetration.

US is pulling ahead, but China, India will not be far behind as they develop apps to meet the requirements of the US and then seek to bring out cheaper and more appropriate services for Asian and emerging markets. Europe though risks being left behind in all this, pity, with it (arguably) being the birth-place of e-money.

 

Customer Adoption

Recent reports claim $2 out of every $3 spent using contactless payments across Visa, Mastercard, and American Express were being made with Apple Pay.  

PayPal now with Paydiant seeks to challenge this thanks to Paydiant’s earlier work with MCX.  This month PayPal reports it processes nearly 12.5 million payments for customers every single day.

Now Android Pay promises to offer better ease of use than Google Wallet, benefiting from support for fingerprint authentication in Android M. Also with pre-loaded handsets the only challenge that remains is having led the horse to the water, to actually get it to drink: as several steps will still be needed before customers actually make their first mobile payments transaction.

Samsung Pay though claims potential acceptance at 30 million merchant locations worldwide, with near universal acceptance thanks to Magnetic Secure Transmission (MST) magstripe emulation platform, LoopPay.

 

Reactions from the rest of the ecosystem

Merchants are signing up to many of the new services, whilst also engaged in MCX and so far tending to favour the QR Code approach.

Schemes are not taking sides. Visa, MasterCard, American Express and Discover have announced support to Android Pay, as also with other services. In general schemes are keen to support all options, something that brings joy to their investors.

Mobile operators are on a back foot, but regrouping – more co-operation, greater focus on transport (such as Mi-FARE) where they still hold an advantage, and a continued emphasis on security – though biometrics, tokenisation and the passage of time will leave this argument somewhat weakened.

For now banks can play with the different providers, but where will they invest and how long will it take them? The banks in the US are moving quickly – USAA and US Bank have already declared their support for Android Pay. Citibank had been quick to provide the support needed by Google Wallet.

Regarding processors, for Android Pay Google is partnering with Braintree, CyberSource, First Data, Stripe and Vantiv to make integration easier. There is a huge opportunity from tokenisation which is up for grabs and processors need to also back every horse, while continuing to build the required infrastructure.

 

Outlook for Mobile Payments

This further confirms the growing fragmentation, with potentially myriad implementations as service providers seek to navigate a murky minefield of patents relating to mobile payments, and still bring out something that helps maintain some control over large, desirable customer segments.

What is quite clear though is that massive disruption to existing business models is now well and truly on the cards. Current retail, banking and payment systems must consider their roadmaps as payments becomes invisible, embedded, transparent and often free. The future of payments is in the cloud, but could this result in massive “honey pots”?

When will Android Pay, Apple Pay, Samsung Pay and PayPal’s newest services launch across Europe, UK, Canada, Australia, Poland, Germany, Singapore and other countries ripe for these services? And where does Android Pay leave Google Wallet? A lot of important, yet unanswered questions that will become clearer in the next few months perhaps.

 

Charmaine Oak

Author of The Digital Money Game, co-author Virtual Currencies – From Secrecy to Safety

I'm speaking on “Role of mobile in omni-channel payments”

June 10 at 13:30 at PayExpo 2015 Mobile Money Europe, London.

Come say Hello!

Apple isn’t interested in payments

 

Shift Thought recently completed a set of interviews where we spoke to experts from a range of industries and parts of the world to get their gut reactions on the state of the payments industry and what to expect next.

In this post I share highlights of my discussion with Roy Vella, Digital Services Evangelist and Entrepreneur with a rich experience across a wide range of organizations in EMEA and the U.S. Roy reflects on what for him were some highlights of 2014 and shares his thoughts on what to expect this year.

 

Roy, thanks for your time today. I would like to start by asking what, for you has been the most innovative service you’ve seen over the last year, at the intersection of mobile/ online and financial services?

 

For me, Apple Pay has been the most significant. Once again, they did what they do so well. They take something messy and refine it. Just as they did with iPods/iTunes and the iPhone, they’ve created a great customer experience by making a few key changes. Apple tends to be able to take things off the shelf but then simplify and get the experience right.

When they launched the first iPhone, arguably they did it with what could already be bought off the rack in China. It’s not what they deliver but rather how they put it all together, to make it simple, intuitive and delightful. That is the innovation! It is not making something radically new but it’s making something truly simple.

 

But in order to make it simple, they’ve managed to bring together a lot of different technologies for the first time, to allow a simple “press the button” experience.

 

True, they had to bring together Passbook, Touch ID, NFC capabilities, encryption, tokenisation and more. Apple is probably going to kill the business proposition of a lot of providers accidentally, even though they don’t actually care about payments. All they care about is bringing together those three things that you, I and everyone need before we leave home: your keys, your wallet and your phone.

Apple simply wants to put it all together. They want to get rid of your wallet. And they’re making progress on this with Apple Pay, the Apple Watch, with their work on access to hotel rooms and security. I’m sure they’re talking to major hotel groups, luxury car manufacturers and others, to make big changes in how people gain access to all sorts of places and things.

 

What are the pain points that providers encounter when they try to bring out Payments Innovations?

 

What they find difficult is what Apple does so well. It’s essentially the battle of getting people to adopt something new. That is what Apple is good at – changing consumer behaviour, getting people to change the normal way that they do things.

For any infrastructure play the most difficult thing is that most people don’t want change. And innovation is hard because key stakeholders, regulators and others also often don’t like change.

Actually people often talk about achieving “mainstream adoption” but that’s not what concerns Apple. They want those premium customers. That is their segment. The top 15-20% max really.

 

But if Apple is solving for the 15-20% premium customers, who is solving for the rest?

 

Before Apple Pay we had similar solutions on the Android, 9 months to a year earlier! Google, Samsung, PayPal and others offered quite similar services as Apple Pay. But did anyone take notice? We did not see them move the needle – then Apple announces and boom, consumers sit up and we have change.

 

Who for you are the winners of 2014? Which categories of players impressed the most?

 

I don’t think mobile operators as an industry were able to do that much. Sure, we’ve heard of various partnerships between banks and operators or other categories. However it was not ground breaking innovations. I believe that both banks and mobile operators have taken a back seat to the big tech services, GAFA, at this point. And they’re all innovating rapidly.

The other group that’s made significant progress over 2014 is the regulators. They’re no longer spending all their time protecting the incumbents. They want more competition, entrepreneurs and a better deal for consumers. This is playing out across the US and Europe, and also worldwide.

 

Talking about regulations, what’s your opinion of Bitcoin?

 

I feel that Bitcoin tends to be misunderstood. It is a currency of sorts but more importantly a protocol, the blockchain, but often people are fixated on the first and don’t quite get the second. Reliably moving value between parties, without a middleman, is a brilliant innovation. It is not all about money. It could be any object of value or ownership – it could be a birth certificate or a lease, for example.

No matter what anyone may think, cryptocurrencies are here to stay. It’s impossible to stop them. Saying that you don’t like bitcoin or the blockchain and it should be stopped is like saying you don’t like SMTP or HTTP… it’s merely a technical protocol for value transfer that now exists and won’t simply evaporate as such, even if regulators attempt to quash it.

 

Yes, banks have not made it easier, with their massive FX scandals and other issues. Do you see this pushing people further toward P2P and innovative new entrants?

 

Absolutely! Take the example of Transferwise. I think they’ve done a brilliant job shining a light on fees and making things more transparent. Ultimately consumers care about how much they pay and what their receivers get in terms of currency. Transferwise states that in terms of what you put in and how much you get out it’s hard to get a comparable rate. Significantly, Transferwise has gotten their marketing and message right… it resonates with people.

 

Roy, from your experience at PayPal, it would be good to hear what you think about the PayPal/eBay separation – how’s that going to work out?

 

We were talking about this way back in 2004. It is something that had to happen, but back then they needed each other tremendously. However staying together is holding them both back now. I know they will be better apart. It’s going to be good for PayPal, sure, but it’s also going to benefit eBay. I think individually they could each have the same valuation as they have together.

 

You talk about the digital wave and how that is subsuming things - What really changed over 2014 thanks to mobile?

 

I think 2014 has been all about smartphones achieving deep, mass penetration. This is not just in developed countries but also in the high-growth emerging ones.

 

What do you foresee for 2015? What’s most exciting?

 

I think the chip is going into everything. Having all these devices become smart, there is an early adopter phase that is quite exciting. It is not all about payments. Payments must be transparent, just an enabler and it must make everything simpler for consumers and merchants.

 

Thanks Roy, it’s been a pleasure speaking with you. Wish you the best for 2015 and beyond!

 


Roy Vella is Managing Director of Vella Ventures Ltd where he offers strategic advice as an expert in the Fintech industry.

Roy is special Advisor to MEF and on the board of several companies. Notable clients include Visa, Vodafone and Lloyds.

Previously Roy was Group Executive, Director of Mobile Financial Services for the Royal Bank of Scotland Group. Roy also has rich experience from his work at PayPal Europe as Director, Mobile Payments for Europe and in Business Development for PayPal Inc. See more at linkedin.com/in/royvella.

Passwordless Experience – The FIDO Standards behind this

As security breaches continued to grab headlines over 2014, I was intrigued by new claims that not only could online security be improved for consumers, but it could actually become a more delightful user experience. The launch of Apple Pay has proven to us that this is possible.

With over 150 FIDO members, the Board of Directors alone reads like a Who’s Who List: Alibaba/Alipay, ARM, Bank of America, CrucialTec, Discover Financial Services, Google, Identity X, Lenovo, MasterCard, Microsoft, Nok Nok Labs, NXP semiconductors, Oberthur Technologies, PayPal, Qualcomm, RSA Security, Samsung, Synaptics, Visa, and Yubico.

Keen to understand what attracted so many key players, I was delighted to have an opportunity to interview Executive Director of the FIDO Alliance, Brett McDowell, to understand more about how all this works and what changes we are likely to see in the world of payments because of this.

 

Brett, I’ve heard so much about FIDO as the standard behind high profile launches of 2014, and am keen to understand more. Could you share a bit about yourself and your mission at FIDO?

 


I am currently the Executive Director of the FIDO (Fast IDentity Online) Alliance which I helped to found in July 2012, when I was the Head of Ecosystem Security at PayPal, to address the lack of interoperability among strong authentication devices as well as the problems users face with creating and remembering multiple usernames and passwords. At the FIDO Alliance, we are changing the nature of online authentication by developing specifications that define an open, scalable, interoperable set of mechanisms that supplant reliance on passwords to securely authenticate users of online and mobile services.

Previously I spent several years at PayPal where, as Head of Ecosystem Security, I was tasked with developing strategies and leading initiatives to make the Internet a safer environment for PayPal and its customers. I spearheaded authentication strategy, including working with global policy makers to evolve best practices in strong authentication regulation. Prior to joining PayPal I spent several years as Executive Director of industry standards organizations, including Liberty Alliance and Kantara Initiative, which produced standards and accreditation programs in the field of digital identity.

At the FIDO Alliance, our mission is tightly scoped to producing open standards and industry adoption programs that enable implementers to change the nature of online authentication by improving user experience while simultaneously providing better security in a very privacy-respecting manner. We just released the final FIDO 1.0 specifications at the end of 2014.

 

Why did you feel standards were needed relating to strong authentication, and how does this differ from traditional authentication?

 

So, “traditional” is an interesting word in the context of strong authentication, as the concept has not gotten a tremendous amount of adoption, especially not from consumers. Before FIDO authentication, if you were an online service provider, in order to authenticate your users, you would typically use username and password. If you wanted more security you had to add another authentication factor from a set of options that were not necessarily designed for ease-of-use. The “historic” approach to multi-factor authentication, or “strong authentication” as it is often called, combines “something you know” (like a password or other form of “shared secret”) with another factor, such as “something you are” (a biometric for instance) or “something you have” (such as a token or physical device). The industry norm in 2011-2012, before FIDO authentication was announced, was username and password as the ubiquitous first-factor, and the second factor, if there was one, was typically a 6-digit one-time-use passcode. You’d get the second factor through an SMS to your mobile device or create it on a specialised hardware device or copy it from a code-generating mobile app on your smartphone. This 6-digit number - the one-time password (OTP) - is called a security token.

The first problem with OTP -- and one of the many issues that FIDO authentication inherently addresses -- is usability. The first word in FIDO is fast, and it helps to explain why FIDO technologies became so disruptive so quickly. We are not about bolting on extra security that puts the burden on the user. We are about delivering an end-to-end innovative approach to authentication through a new, open, online cryptographic protocol that enables best-of-breed device-centric authentication to be used for online access.

 

How does the FIDO UAF Architecture enable online services and websites to leverage native security features of devices and what problem does this address?

 

From the payments perspective our standards enable a better user experience – faster, more secure, privacy respecting and easier-to-use. An example is, Samsung has enabled a number of payments applications using FIDO to allow a user to simply swipe a finger across a sensor on their smartphone or tablet. This is arguably easier than everything else in the market, certainly easier than passwords.

Although the concept of strong authentication has been around for a while and pretty well adopted by pockets of the enterprise market, it has not achieved widespread adoption beyond the enterprise because it has lacked the means to achieve interoperability among systems and devices; FIDO authentication standards enable any strong authentication method, what we call “authenticators”, to interoperate with any online service, independent of solution vendor or device.

Without interoperable strong authentication, you are left with the classic “token necklace” problem; wearing specialized security tokens, often around your neck with your security badge at work, for each online service that requires strong authentication because you cannot use any one of them to authenticate into the other online applications. This is because “traditional” strong authentication relied on proprietary centralized servers (closed systems) connecting authenticators in the hands of users to proprietary server side functionality. Limited in both reach and function, strong authentication solutions have been neither open nor interoperable, until FIDO UAF and U2F 1.0 standards, which have opened the door for ubiquitous strong authentication through “net effects” that only emerge from an open ecosystem.

 

Is this interoperability issue something you address through UAF and U2F?

 

Yes, both UAF and U2F protocols, applied to devices, client software and online servers, produce entirely interoperable strong authentication. What the FIDO Alliance founders introduced first was the Universal Authentication Framework (UAF) protocol. This solves pain points around first-factor authentication because it is designed to replace the password, usually (but not exclusively) with a biometric factor that is retained only locally on the user device, never shared centrally or in the cloud. FIDO UAF is a strong authentication framework that enables online services and websites, whether on the open Internet or within enterprises, to transparently leverage native security features of end-user computing devices. In a FIDO ecosystem online service providers can easily achieve strong user authentication, and free users from creating and remembering more online credentials, simply by leveraging existing FIDO devices to authenticate at their sites and to use their services, such as mobile payments where UAF has seen early industry adoption.

If you are going to offer a replacement for passwords, you need a robust mechanism that isn’t based on the same “what you know” shared secret security design that has been the bane of password systems of late. We decided upon asymmetric public key cryptography, which uses a private key paired with a public key for each authenticator registration. However, we knew that putting the private key in the server could create vulnerability and undesired externalities in the case of a breach. We wanted to get to a model that would have no secrets on the server side. With FIDO authentication, the server holds a public key, but the private key is held only by the individual’s personal device, such as a mobile phone, and is never shared outside of that device. We saw the opportunity to make 1st factor authentication both easy & more secure by relying upon existing device-specific user verification methods being embedded in smartphones, tablets and PC’s. FIDO UAF then enables those local device authentication methods to be used securely online.

We found that before FIDO authentication, existing strong authentication options had very low user acceptance rates, sometimes less than 3% of users choosing to register for strong authentication when it was available as an option. The user acceptance of natural authentication methods that don’t tax the user’s memory or require extra steps in the process have been far more successful as seen by the increased number of people opting to lock their phone with gesture locks, 4 digit pin codes, and now biometric sensors like fingerprint sensors. However, under FIDO UAF, fingerprints are just one of many biometric options supported by the protocol- iris scanning, voice recognition, and behavioural sensors from wearable devices, are all supported in FIDO UAF.

We wanted a standard that could support any future authentication method, and support the industry in its drive to continuously innovate. Proprietary innovation happens between the device and user; this is where the industry can compete with differentiating solutions. FIDO standards come into play in the implementation between the device and the online service.

Another question is how online Payment Service Providers (PSPs) would know that the technique between device and user is trustworthy? FIDO standards incorporate the ability for online services like PSPs to set their own security policy defining the devices or device characteristics they want to trust. The members of the FIDO Alliance wanted a solution set that enabled trust between all devices and all services, but didn’t mandate it. They want a solution to be flexible enough to leave the trust decision in the hands of the online service provider who is in the position of making the risk decision related to any authenticated transaction.

 

We have discussed UAF in some detail. What then is U2F and where does it fit in the FIDO ecosystem?

 

FIDO U2F authentication addresses a totally different use case. FIDO UAF provides a simpler, stronger 1st factor authenticator where U2F provides a simpler, stronger 2nd factor authenticator. FIDO U2F does not replace the password but instead replaces the second factor and enables a simpler form of password, like a short PIN number, because the security burden can now be placed on the FIDO U2F authenticator and not the password. FIDO U2F has already been deployed by Google Accounts and now ships in all Google Chrome browsers.

So far the implementations of FIDO U2F authenticators are in the form of external specialized devices, but these capabilities could be embedded directly in handsets or other form factors in the future. What separates FIDO U2F security tokens from the OTP tokens discussed previously is that one device will work with any FIDO U2F server, regardless of vendor solution or device manufacturer. Another key differentiator is the phishing resistance inherent in the FIDO U2F standard. A FIDO U2F user cannot be tricked into giving a secret to a fraudster the way they can in an OTP use case.

Yubico and Plug-up are the two primary providers of U2F-enabled devices today, which work by being inserted into a USB slot. NFC and BLE support for U2F tokens is coming soon and will accommodate U2F devices for use with devices that don’t have USB slots.

To learn more about all the UAF and U2F FIDO Ready™ implementations please visit our website where they are all listed along with the profiles they support.

 

This is very interesting and thanks for helping to make our online experiences easier as well as more secure. Do you have any final message for us?

 

One thing I’d like to emphasize is the relationship between authentication and payments. Payments is just another application that requires strong user authentication. FIDO standards can be used for a whole variety of use cases that require strong online authentication… for healthcare applications, airline bookings, gaming, banking, enterprise use cases and anything that requires a user to authenticate online. The reason we saw the first adoption in mobile payments is because that industry segment had the greatest amount of pent-up demand for faster, easier strong authentication from mobile devices where typing passwords was the least convenient option.

The second topic I would like to emphasize is the relationship between FIDO standards and government regulation around strong authentication. Sticking with the payments example, you recently asked me about how FIDO UAF could be used to meet the criteria developed by regulatory regimes such as the EBA Guidelines. Though an analysis of exactly how a FIDO UAF implementation could meet the requirements of this specific regulation is beyond the scope of this interview, most multi-factor regulatory regimes are looking for two or more of the “what you know”, “what you are”, or “what you have” authentication factors. In just the example we see in the market already on Samsung Galaxy® devices, it may appear there is only a single “what you are” factor being offered by the fingerprint sensor, but there is also a “what you have” factor due to the secure protection of the private keys on the device, resulting in a multi-factor authentication event from a single user gesture. The Privacy and Public Policy Working Group in FIDO Alliance is going to make a concerted effort to educate regulators across various industries and geographical regions in 2015 to help them understand how to apply FIDO authentication to the markets they oversee.

 

Thanks Brett and I wish you the very best for all the further innovation that you plan in this very important space!



Brett McDowell currently serves as Executive Director of the Fast IDentity Online (FIDO) Alliance, the organization Brett helped establish in 2012 to remove the world's dependency on passwords through open standards for strong authentication. Brett is also an advisor to Agari and the Bitcoin Foundation.

Previously, Brett spent several years at PayPal where, as Head of Ecosystem Security, he was tasked with developing strategies and leading initiatives to make the Internet a safer environment for PayPal and their customers.

 


Charmaine Oak

Author of The Digital Money Game, co-author Virtual Currencies – From Secrecy to Safety


http://www.linkedin.com/in/charmaineoak

Join me on Twitter @ShiftThoughtDM and The Digital Money Group on LinkedIn
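
The key model and the phishing resistance described in the interview above, as an added example that is not part of the original post and is not FIDO Alliance code: the server stores only a public key, and the signed data carries the challenge and the origin. It is a simplified model rather than the UAF/U2F wire format; the class names, user name and origins are assumptions made up for the illustration.

```javascript
// Simplified model of FIDO-style public-key login (constructed example, not the
// UAF/U2F wire format). Origins, user names and class names are hypothetical.
const crypto = require('node:crypto');

class Authenticator {
  constructor() { this.keys = new Map(); }      // origin -> private key, stays on device
  register(origin) {
    const { publicKey, privateKey } =
      crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(origin, privateKey);
    return publicKey.export({ type: 'spki', format: 'pem' }); // only this leaves the device
  }
  // The origin is reported by the client platform, not chosen by the user.
  sign(origin, challenge) {
    const key = this.keys.get(origin);
    if (!key) return null;                       // no key was ever registered for this origin
    const clientData = JSON.stringify({ origin, challenge });
    return { clientData, signature: crypto.sign('sha256', Buffer.from(clientData), key) };
  }
}

class RelyingParty {
  constructor(origin) {
    this.origin = origin;
    this.publicKeys = new Map();                 // user -> public key PEM (no secrets)
    this.pending = new Map();                    // user -> outstanding challenge
  }
  enroll(user, pem) { this.publicKeys.set(user, pem); }
  newChallenge(user) {
    const challenge = crypto.randomBytes(32).toString('hex');
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, assertion) {
    const expected = this.pending.get(user);
    this.pending.delete(user);                   // each challenge is single use
    const pem = this.publicKeys.get(user);
    if (!assertion || !expected || !pem) return 'rejected: nothing to verify';
    const signed = Buffer.from(assertion.clientData);
    if (!crypto.verify('sha256', signed, pem, assertion.signature)) return 'rejected: bad signature';
    const data = JSON.parse(assertion.clientData);
    if (data.challenge !== expected) return 'rejected: stale challenge';
    if (data.origin !== this.origin) return 'rejected: wrong origin';
    return 'accepted';
  }
}

function demo() {
  const REAL = 'https://pay.example.com';        // constructed origins
  const LOOKALIKE = 'https://pay-example.com';
  const device = new Authenticator();
  const server = new RelyingParty(REAL);
  server.enroll('alice', device.register(REAL));
  const out = {};

  const first = device.sign(REAL, server.newChallenge('alice'));
  out.genuine = server.verify('alice', first);

  server.newChallenge('alice');                  // captured assertion replayed later
  out.replay = server.verify('alice', first);

  // Look-alike page relays the real challenge; the device has no key for it.
  out.phished = server.verify('alice', device.sign(LOOKALIKE, server.newChallenge('alice')));

  const a = device.sign(REAL, server.newChallenge('alice'));
  const altered = { ...a, clientData: a.clientData.replace(REAL, LOOKALIKE) };
  out.tampered = server.verify('alice', altered);

  out.serverHoldsOnlyPublicKey = server.publicKeys.get('alice').includes('BEGIN PUBLIC KEY');
  return out;
}
```

Unlike an OTP, nothing the user sees or types can be handed to the look-alike site and reused: a server breach yields only public keys, and a relayed or replayed assertion fails one of the three checks in `verify`.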

Disruptions in the smartphone market take a toll on Samsung results

 

Samsung announced that their Q3 2014 earnings show a substantial Q-on-Q decrease due to a decline in their mobile business caused by intense competition in the smartphone market. Further to my post on How Apple play affects the Digital Money Game, as China Mobile starts to eliminate $2 billion in smartphone subsidies, the cost of high-end devices is impacted and affects both Samsung and Apple, benefiting low-cost manufacturers like Xiaomi.

 

Headquartered in South Korea, the Samsung Group operates through over 150 subsidiaries, including 73 domestic affiliates as of June 2014, having been first established through Samsung Electronics Industry Co. Ltd back in January 1969. The company manages 3 divisions: CE (Consumer Electronics), IM (Information Technology & Mobile Communications) and DS (Device Solutions).

 

Anticipating consumer desire to interact with the Internet, Samsung focused early on smart TV sales, leading the market in 2011 with the launch of smart TVs and hub-based apps.

 

In 2014 the mobile phone market is expected to reach 1.8 billion units, with 1.2 billion of them being smartphones – this represents a growth of 7% since 2013. However, Fitch Ratings expects Samsung shipments during the period to remain flat.

 

Samsung has maintained a No. 1 position in the global smartphone market, with strong take-up of the Galaxy S series and the Galaxy Note. However, with Apple’s release of the iPhone 6 (4.7”) and iPhone 6 Plus (5.5”), compared to the previous 4” models, these phones now represent a substantial threat. Xiaomi, with its low-cost devices, was already creating tough competition, especially across the Asia Pacific region. The figure below shows the impact on first half performance in 2014.

 


 

Samsung’s share in the global smartphone market dropped from 31% in 2013 to 25% in H1 2014. They announced mid to low-end shipments were down due to weak demand in the EU and lower 3G demand coupled with intensified price competition in China.

 

Samsung expect that in the second half of 2014, strong seasonality will help to boost smartphone and tablet demand. At the high-end, they expect growth to be led by TD-LTE expansion in China and lower inventory level in Europe. At the mid to low end they expect growth led by emerging markets, and this is where we are likely to see the competition heating up with new product launches expected.

 

Meanwhile Samsung Electronics plans to build a $14.7 billion semiconductor plant south of Seoul, in an attempt to make up for tough competitive pressure on its smartphones with new growth in its most profitable semiconductor division.

How Apple play affects The Digital Money Game

Now that Apple Pay is here, how does it affect the projects in your pipeline? Which should you drop, where should you invest more and who should you look to partner next? We are at the cusp of the creation of a new ecosystem. But will Apple Pay fare better than Google Wallet did when it first launched in May 2011? There is a feeling of Déjà vu and Let’s Wait and See. For Apple as well, Apple Watch was No. 1 – payments was No. 2.

So is this going to ignite NFC payments? How will things change? The short answer is I don’t think anyone knows yet. Well, what are the mobile operators thinking now? We all know Verizon was not a cheerleader for the Google Wallet. What is PayPal thinking? What if Walmart does not come around?

Why is this important?


The major factor for any new payment service is adoption. So far adoption of NFC has been a 10-year war between the banks and the mobile operators and has struggled to gain traction.

Then in 2011 we had the entry of the Google wallet, and each of the card schemes with their own wallets. Still consumers and merchants failed to adopt. While contactless cards have gradually crept into use, paying by phone continues to prove elusive, for a variety of reasons, with the main ones claimed to be lack of handsets, customer security concerns and the business model.

Apple has 800 million customers as “card on file”. Additionally the API will be available to developers. Merchant support has already been announced: integration with Uber, a food app from Panera, Major League Baseball's app to order tickets from your phone, and Open Table to pay your bill from your iPhone 6 or iPhone 6 Plus. The Apple API is to be offered in iOS 8 to allow app developers to integrate Apple Pay into their applications.

Apple has a following, so is not dependent on mobile operators to push their phones; however, operator subsidies that could be as high as $500 help make them affordable. The rapid adoption of smartphones across the world has changed the balance of power. Certainly in the US, Apple is Top Dog as a smartphone manufacturer, with 42.1% OEM market share as of June 2014 according to comScore reports.

However while in the US and Europe Samsung and Apple dominate, the share of both providers has been dropping in emerging markets where we see a fragmentation emerging. In urban China, Xiaomi with its affordable RedMi model continues to go from strength to strength, securing a 27% share of smartphone sales in the second quarter of 2014, compared with 21.1% for Samsung. And payments by watch + iPhone cannot be a top priority for the masses in emerging markets.

Too little too late?

So far Apple has been a late starter where contactless payments are concerned. Like a swan, the movement seemed to be more “under-water”, as news of patents obtained for motion based payments got out in January 2013. Apple obtained a US Patent for a digital wallet and virtual currency. It described a system of managing credits via mobile device. Mobile users would be able to receive credits or coupons stored in their account. Check out Patently Apple for the whole background.

Back in June 2013 Apple released its first mobile commerce platform, called the iCloud Keychain: consumers could store a variety of information, such as passwords and financial details, for use across several Apple devices (Mac, iPhone or iPad) to log into websites or make purchases online. The platform did not support NFC and existed as an application rather than a physical device.

Earlier in June 2012, the Apple bar-code-based Passbook mobile wallet was launched, as a basic mobile wallet without payment functions, using barcodes to store and represent multiple boarding passes, store cards, and movie tickets. It had location-enabled alerts, and real-time updates and it displayed passes based on a specific time or location. When consumers walk into a participating shop the loyalty card appears and can be scanned to pay or check balance. It was expected that this could evolve into a mobile payment service by linking the Passbook to customer credit cards and iTunes accounts.

Effect on the Digital Money Game

Contactless payments that Apple Pay now propose to offer comes as a reinforcement

How Apple Play affects The Digital Money Game

 

Apple has made their play: iPhone 6, iPhone 6 Plus, Apple Pay and a wearable Apple Watch. Now that Apple Pay is here, how does this potentially affect retail transactions, e-commerce in general, and the projects in your pipeline?

 

We are at the cusp of the creation of a new ecosystem. But will Apple Pay fare better than Google Wallet did when it first launched in May 2011? There is a feeling of Déjà vu and Let’s Wait and See but also a sense of optimism and expectation of improved retail experience. In the near term iPhone 6 and iPhone 6 Plus will be the real winners for Apple revenue, but in the long term Apple Pay will play an increasingly important role in generating revenue from previously untapped sources. As far as the role of Apple Watch itself is concerned, its revenue impact in the near term is uncertain but could become more significant as developers bring out apps and its role evolves.

Let us take a look at Apple Pay, as a prerequisite for starting to answer the myriad questions: Is this going to ignite mobile payments? Will it make digital payments more secure? How do the opportunities now stack up? How are the mobile operators likely to react? We all know Verizon, AT&T and T-Mobile were not cheerleaders for the Google Wallet. Softcard (rebranded from ISIS) is readying its own offer. What is PayPal thinking and how does this fit with the Braintree One-Tap announcements? How will Walmart react, and where does this fit with respect to MCX?

 

So why is this important?

The major factor for any new payment service is adoption. PayPal, Google and others have sought to address offline retail payments through a variety of methods, and Apple has so far done so using iBeacon functionality, BLE and other technologies. So far adoption of NFC has been a 10-year war between the banks and the mobile operators, and NFC has struggled to gain traction. It was important for the industry to know Apple’s position with respect to NFC as a standard for mobile payments.

We would all agree that in the current retail and e-commerce arenas one of the most pressing needs is security. The Apple announcement certainly seems to go a long way in addressing this need. For example, the combination of the biometric sensors in its devices with the contactless transmission of a one-time card number, together with the fact that Apple creates a device-only account number that they store in the secure element, provides a basic foundation for enhanced security. Furthermore, as far as the customer perspective is concerned, the fact that one can find the phone more easily and take action if it is lost goes a long way towards addressing concerns.

 


Back in 2011 we had the entry of the Google wallet, and each of the card schemes announced their own wallets as well. Still consumers and merchants failed to adopt. While contactless cards gradually crept into use, paying at retail POS by phone continued to prove elusive, for a variety of reasons. For the longest time, one of the main reasons was claimed to be lack of handsets. However, customer security concerns and more importantly business model were arguably even greater challenges.

And what about adoption?

One of the major challenges in creating a successful service is the ability to bring a large customer base on board rapidly. At the retail level this translates to satisfying consumers both on convenience and trust. In this respect Apple has 800 million customers from their iTunes store as ‘card on file’. However, there is a separate step involved to get consumers to start to use Apple Pay for contactless payments as it launches shortly in the US.

This is where the convenience and trust come into play and is something for which we’ll need to wait and watch.

Additionally the Apple API will be available to developers and this is an exciting space to watch. We saw how millions of apps became available for the iPad and iPhone – now Apple Watch is here, and although tethered to the iPhones for the present, it presents a new frontier of innovation. For the present the watch offers an opportunity to integrate a variety of health and fitness related services – something I think we will hear a lot more about shortly.

Merchant support has already been announced: McDonalds, integration with Uber, a food app from Panera, Major League Baseball's app to order tickets from your phone, and Open Table to pay your bill from your iPhone 6 or iPhone 6 Plus. The Apple API is to be offered in iOS 8 to allow app developers to integrate Apple Pay into their applications.

 

So how will mobile operators react?

Apple has a following, and is not overly dependent on mobile operators to push their phones; however, operator subsidies that could be as high as $500 considerably help make them affordable. The rapid adoption of smartphones across the world has changed the balance of power. Certainly in the US, Apple is Top Dog as a smartphone manufacturer, with 42.1% OEM market share as of June 2014 according to comScore reports.

Some news is in already as to how mobile operators view this. Softcard (formerly ISIS) have made a statement that they see Apple’s support to NFC as a significant step that sets the stage for rapid scale adoption of mobile commerce.

However while in the US and Europe Samsung and Apple dominate, the share of both providers has been dropping in emerging markets where we see an emerging fragmentation. In urban China, Xiaomi with its affordable RedMi model continues to go from strength to strength, securing a 27% share of smartphone sales in the important China market in the second quarter of 2014, compared with 21.1% for Samsung. And payments by watch + iPhone cannot be a top priority for the masses in emerging markets, although urban, higher income Chinese consumers do seem to be quite interested. 

 

What about the others?

As we describe in great detail in our book, payments has become a hotly contested space. Another fairly late entrant is Amazon. Just take a look at the Amazon Fire Phone, the first smartphone designed by Amazon. Amazon has vowed to create a whole new shopping experience, and until December 31, 2014 the Fire Phone comes with 800 Amazon Coins to spend on apps, games and more, as well as a 10% discount on purchases of more Coins. They also offer other benefits including a year of Prime Benefits (Video, Delivery, Books and more).

Such bundles of value are what the customer is increasingly coming to expect, and the whole Apple offer will need to evolve to meet the competition.

 

Too little, too late?

Without doubt, Apple is a late starter where contactless payments are concerned. Like a swan, the movement seemed to be more ‘under-water’, as news of patents obtained for motion based payments got out back in January 2013. For instance, Apple obtained a US Patent for a digital wallet and virtual currency. It described a system of managing credits via a mobile device. Mobile users would be able to receive credits or coupons stored in their accounts. Check out Patently Apple for the background on Apple patents for payments.

Yet, little happened until now.

  • Back in June 2013 Apple released its first mobile commerce platform, called the iCloud Keychain: consumers could store passwords and financial details for use across several Apple devices and they could log into websites or make purchases online. But the platform did not support NFC and existed as an application rather than a physical device.
  • Earlier in June 2012, the Apple bar-code-based Passbook mobile wallet was launched, as a basic mobile wallet without payment functions, using barcodes to store and represent multiple boarding passes, store cards, and movie tickets. It had location-enabled alerts, and real-time updates and it displayed passes based on a specific time or location. When consumers walk into a participating shop the loyalty card appears and can be scanned to pay or check balance. It was expected that this could evolve into a mobile payment service by linking the Passbook to customer credit cards and iTunes accounts.

Effect of Apple Play on the Digital Money Game

The contactless payments that Apple Pay now proposes to offer come as a reinforcement to the Digital Money Game of some players, but a threat to others.

And it is no longer enough to offer just mobile payments. To gain adoption, Apple must be able to offer a range of ways to pay, across the web and other channels including TV, now being hotly talked about in emerging markets. And they must get the interoperability story right, and rapidly prove the concept beyond the US market.

 

Read all about this, and work out your own strategy with our recently published, highly acclaimed book, The Digital Money Game. Also, if you would like to discuss immediate ramifications on your projects just drop me a line at coak@shiftthought.com.

 
