The usual complaint about Samsung’s smartphones is that they shamelessly copy Apple, but can’t quite surpass the iPhone. This despite the fact that the Galaxy S line consistently has specs that do indeed surpass their American counterparts. Apple fans then counter that it is the iOS software ecosystem that is responsible for the iPhone’s superior user experience. But there is more to UX than apps and yesterday Samsung revealed a collaboration with PayPal that may give it a decisive edge over Apple in the critically important world of mobile payments.
When Samsung revealed the Galaxy S5 yesterday, Forbes contributor David Ewalt liveblogged the event, pausing at 2:43 EST to remark, “A built-in fingerprint scanner allows you to unlock the phone without passcodes. It’s all stored on the hardware, not in the cloud. Sounds pretty much like Apple’s scanner on the iPhone 5s.” This is all true, but only half right.
The inside story is that Samsung is the first smartphone maker to deploy a fingerprint sensor that uses the new FIDO Alliance authentication standard (FIDO stands for Fast IDentity Online). PayPal was one of the founders of this alliance, along with Lenovo, Nok Nok Labs, Validity Sensors, Infineon, and Agnitio. At its core, FIDO is the mobile equivalent of SSL/HTTPS for websites, and, not coincidentally, the inventor of SSL, Taher Elgamal (then at Netscape) has been instrumental in the development of these new standards. What Samsung will be releasing into the U.S. market in April has much in common with what Apple has created with Touch ID, but with some important differences.
When the iPhone 5S came out with Touch ID, I was impressed with the gated community imagery of its “secure enclave” on the A7 chip that Apple said housed your precious fingerprint data. “Never in the cloud” was the Apple equivalent of Google’s “Don’t be evil,” and the idea of biometric data residing only on a user’s device was reassuring as the cloud appeared to be less secure every day. But as with gated communities, there is a cost associated with this sequestration. Your fingerprint can only authenticate what Apple allows it to—you are locked into the speed of innovation of the iOS platform.
Given the reliable improvement of Apple’s platforms and their huge footprint at the high-end of the mobile market, its customers have not seemed overly concerned about this lock-in, but perhaps they should be. The general trend in the digital world is towards open standards, albeit with significant eddies of proprietary platforms motivated by big players like Apple. In the world of electronic payments, this openness has been mischaracterized as less secure than proprietary alternatives and it is this misperception that Apple has so far successfully played upon with Touch ID.
The FIDO Alliance is based on the simple idea that a user can authenticate to their own device and then use public key encryption to authenticate to the network. PKE is very strong encryption (though NSA shenanigans have raised concern about back doors) and, like Apple’s scheme, does not involve biometric data itself residing in the cloud. The great advantage of using a public standard is that it opens up an entire world of authentication options for users. The FIDO standard is one standard for all of the existing methods of authentication and new ones as they emerge. In a recent conversation with Phillip Dunkelberger, President and CEO of Nok Nok Labs (the FIDO founding company which wrote the standard), he described the “handshake” between a device and a site or app on a network. In effect, each device has an inventory of authentication capabilities, from passwords to biometrics to crazy new things like inaudible sound waves, and each network, site or app has authentication requirements that can be mediated by the FIDO protocols.
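As an added illustration of the handshake sketched above (written for this page, not code from the article, Nok Nok Labs or the FIDO Alliance, and a deliberate simplification of the real protocol): the device matches the fingerprint locally, keeps one private key per site, and answers each site's challenge with a signature that the site checks against the public key it was given at registration. The fingerprint samples are constructed strings hashed in place of a real biometric template, and the site names are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator is the device side: the enrolled print (a constructed hash) and the per-site private keys never leave it.
type Authenticator struct {
	template [32]byte
	keys     map[string]*ecdsa.PrivateKey // one key pair per relying party
}
func NewAuthenticator(enrolledPrint string) *Authenticator {
	return &Authenticator{sha256.Sum256([]byte(enrolledPrint)), map[string]*ecdsa.PrivateKey{}}
}

// Register: local match first, then mint a key pair and release only the public half.
func (a *Authenticator) Register(site, sample string) (*ecdsa.PublicKey, error) {
	if sha256.Sum256([]byte(sample)) != a.template {
		return nil, errors.New("local verification failed")
	}
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[site] = priv
	return &priv.PublicKey, nil
}

// bind ties the challenge to the site name so a response for one site cannot be replayed to another.
func bind(site string, challenge []byte) []byte {
	d := sha256.Sum256(append([]byte(site+"|"), challenge...))
	return d[:]
}

// Sign answers a site's challenge only after a fresh local match; the sample itself stays on the device.
func (a *Authenticator) Sign(site, sample string, challenge []byte) ([]byte, error) {
	if priv := a.keys[site]; priv != nil && sha256.Sum256([]byte(sample)) == a.template {
		return ecdsa.SignASN1(rand.Reader, priv, bind(site, challenge))
	}
	return nil, errors.New("local verification failed or site not registered")
}

// Verify is the relying party's check; it holds nothing but the user's public key.
func Verify(site string, pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, bind(site, challenge), sig)
}
```

A real site draws a fresh random challenge per login; the fixed challenge here is only to keep the flow readable.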
“In the market, you can have a lot of standards, but deployment wins,” Dunkelberger says in the video below. “Ultimately when people start using this, they’re not only going to find that they solve today’s problems—they are a building block for a better way of doing things long-term, like the internet of things.” This reference to the IoT is critical, because it is the profusion of devices of all kinds that makes current security methods progressively less secure as the number of addressable internet nodes multiplies. Think of how many devices you log in to now as opposed to a decade ago. Now project that growth, exponentially, into the future and it becomes clear that a robust alternative to “123456” is needed. Like much else now in the digital world, it is sheer scale that will make solutions like FIDO’s increasingly attractive as we go from managing comprehensible numbers of devices, accounts and data sources to matrices that can only be manipulated programmatically.
FIDO is shaping up to be the everyone-but-Apple club, with Samsung now joining Google, Microsoft, BlackBerry, MasterCard, Discover and RSA and a host of smaller suppliers. Dunkelberger explained to me that Apple could easily join at any time if it decides that the open approach is more beneficial to its long-term interests. Authentec, the fingerprint sensor company that Apple bought to power Touch ID, was involved in the early FIDO discussions and its solutions are apparently in no way incompatible with these new standards.
As far as Samsung’s adoption of PayPal mobile payments goes, it is making a clear bet that Apple’s staggering number of iTunes accounts will not be as translatable into general commerce as PayPal’s more diverse model. PayPal claims to have had 143 million active accounts responsible for $27 billion in mobile payments alone in 2013. A comparable estimate by Horace Dediu of Asymco shows Apple with 575 million active iTunes accounts worth $23 billion in total (desktop and mobile) 2013 revenues. When consumers think of iTunes they think of buying media and apps. When they think of PayPal, they think of buying everything (usually on eBay). Samsung’s gamble is that a more open system linked to a more widely accepted form of general payment will be the winning combination.
That all being said, Samsung’s solution has to work reliably and consistently and FIDO’s authentication has to prove as uncrackable as it claims for this to all add up to a major win for Samsung over Apple. Touch ID has not been equally reliable for all users and Apple has (wisely) been slow to roll out more things that you can buy with it beyond iTunes purchases until, I expect, it irons out some of the kinks in the system.
Is the Galaxy S5 the design slam dunk that Samsung has been hyping? I’m not so sure. But the integration of fingerprint authentication with PayPal and FIDO could be the standout feature. Do I need a heart rate monitor built into my phone (as the S5 has)? I don’t think so. Do I want to be able to use it for shopping everywhere instead of my credit card? Absolutely.
A hands-on demo of the Samsung Galaxy S5 from TechnoBuffalo
Bonus Round: check out the color of the blue S5 and compare it to the lighter blue of the PayPal logo (see image above). Photoshop reads both as PMS 647. I say the new couple made a color pact in their Between app!