Apple built multi-factor authenticated payment in the right order
As an American living in Europe I have been perplexed at multi-factor authentication for payments. The Americans (laggards in my opinion) have been using magnetic stripe cards for decades and have only just begun deploying chip-and-pin. In the UK and many other European countries, chip-and-pin is standard.
In the UK we’re moving back towards single-factor payments: contactless payments that use only the card itself. Apple has solved the two factors problem, and part of their solution revolves around the order they rolled it out.
Apple has built a payment system by first rolling out the “second factor”—the biometric Touch ID—and then by rolling out the first factor: the payment application and API. They have spent a couple years acquainting themselves with the really hard bit: biometrics. Now they can do the easy bit: payments. Everyone else has gone about it in reverse order. The Americans rolled out an easy-to-use payment network. All attempts to add additional security look harder to use than the status quo.
Apple sold the public on the ease-of-use and reliability of the Touch ID, then they applied it to payments. It will be multi-factor, but not using the two traditional factors (something you have, something you know). Instead, it will be using something you have (the phone) and something you are (an authorised fingerprint). The remarkable part of this plan was getting the fingerprint biometric adopted by millions of users first. Once that hurdle was cleared, adapting it to payments was a straightforward exercise built around years of experience with biometrics.
Those who build payment networks first and are unfamiliar with technology like biometrics are reluctant to threaten their profitable businesses with the usability and reliability risks that come with unfamiliar technology like biometrics.
There are still hurdles to clear. NFC payments via phone are not used on the London Underground because they are not fast enough. Every few years Transport for London tests NFC, and each time it has been too slow. If single-factor NFC payments are not fast enough, it’s certain that two-factor NFC payments on the Apple platform will be even slower. Speed at the operating system level and real-time guarantees for user-level apps (not just system apps like telephony) will become increasingly important to allow mobile authentications to be accepted in situations where they currently cannot perform well enough.
The fundamental difference between Apple and Google in this scenario is often overlooked. Apple is a for-profit company looking to deliver value to customers who pay money for that value. As a for-profit business, Apple sits down across the table from other for-profit businesses (payment networks, banks, retailers) and offers them a business model. They are speaking the language of business. Money and services change hands. Google launches a bunch of technology into the marketplace and it leaves the creation of business models to someone else. They have no quid pro quo to offer big businesses like banks and retailers.
What Apple has, and what Google lacks, is customers. It’s pretty clear that more people use Google technology than Apple technology. But none of those people are Google customers. They don’t pay Google, subscribe to Google, or necessarily receive anything directly from Google. When Google sits down at the negotiating table, it has only a technology’s virtues. When Apple comes to the table, they bring millions of paying customers that it can promise will have a technology in their hands. It’s Apple’s role as a direct-to-consumer business that makes them able to drive changes to business models. Technology alone simply cannot deliver the same results, no matter how good the technology is.