Access using Apple Wallet
In Apple Wallet on supported iPhone and Apple Watch devices, users can store multiple types of keys. When a user arrives at a door, the right key can even be automatically presented (if Express Mode is supported by that key and was turned on), allowing them to enter with just a tap using Near Field Communication (NFC).
User convenience
Express Mode
When a key is added to Apple Wallet, Express Mode is turned on by default. Keys in Express Mode interact with accepting terminals without Face ID, Touch ID, passcode authentication, or double-clicking of the side button on Apple Watch. To disable this feature, users can turn off Express Mode by tapping the More button on the front of the card representing key in Apple Wallet. To turn Express Mode back on, they must use Face ID, Touch ID or a passcode.
Key sharing
In iOS 16 or later, key sharing is available for certain key types.
Users can share access to a key (for example a house or car key), with security and privacy enforced from the key owner’s iPhone to the invited key recipient’s iPhone. Keys are shared by tapping the share icon of the key in Apple Wallet and can be shared using methods that appear in the Share Sheet. Key owners can also choose the access level and valid time period for each shared key. The key owner has visibility over all the keys they shared and can revoke access for any shared key, including any instances where the key is shared again to another user by the initial key recipient.
The key sharing invitation is stored anonymised and secured by a dedicated server inside a mailbox, and protected with an AES 128 or 256 encryption key. The encryption key is never shared with the server or anyone, apart from intended key recipient, and only the key recipient can decrypt the invitation. Upon mailbox creation, the key owner’s iPhone provides a device claim that’s bound only to that mailbox by the server. When the key recipient’s iPhone initially accesses this mailbox, it presents a key recipient device claim. Only the key owner and key recipient iPhone devices that present valid device claims can access that mailbox. Each iPhone device claim has its unique UUID value as per RFC4122.
As an additional security measure, the key owner can turn on a 6-digit, randomly generated activation code that’s required on the key recipient’s iPhone. The number of code retries is enforced and validated either by the key owner or partner server. This activation code must be communicated by the key owner to the key recipient, and the key recipient must present that code when prompted for its validation either by the key owner or partner server.
After an invitation is redeemed by the key recipient, it’s immediately wiped from the server by the receiving iPhone. The mailbox containing the key-sharing invitation also has a limited lifetime, which is set upon mailbox creation and enforced by the server. Any expired invitations are automatically erased by the server.
Depending on the original manufacturer, keys may also be shared with non-Apple devices; however, their method of securing key sharing may be different to Apple’s.
Privacy and security
Access keys in Apple Wallet take full advantage of the privacy and security built into iPhone and Apple Watch. When or where a person uses their keys in Apple Wallet is never shared with Apple or stored on Apple servers, and credentials are securely stored inside the Secure Element of supported devices. The Secure Element hosts specially designed applets to securely manage keys, ensuring that they can’t be extracted or leaked.
Before provisioning any keys, a user must be signed in to their iCloud account on a compatible iPhone and have two-factor authentication turned on for their iCloud account, with the exception of a student ID (which doesn’t require two-factor authentication to be turned on).
When a user initiates the provisioning process, similar steps as those involved in credit and debit card provisioning take place, such as a link and provisioning. During a transaction, the reader communicates with the Secure Element through the Near Field Communication (NFC) controller using an established secure channel.
The number of devices, including iPhone and Apple Watch, that can be provisioned with a key is defined and controlled by each partner and can vary from one partner to another. Such an approach allows each partner to have control over the maximum number of provisioned keys per device type to suit their specific needs. For this purpose, Apple supplies partners with device type and anonymised device identifiers. Identifiers are different for every partner for privacy and security reasons.
Partners also receive user identifiers, which are anonymised and unique per partner, that let them securely bind the key to the user iCloud account during the initial provisioning. This measure protects keys from being provisioned by a different user in case a user account created with the partner was compromised, for example, in an account takeover attack scenario.
Keys can be disabled or removed by:
Erasing the device remotely with Find My
Enabling Lost Mode with Find My
Receiving a mobile device management (MDM) remote wipe command
Removing all cards from their Apple ID account page
Removing all cards from iCloud.com
Removing all cards from Apple Wallet
Removing the card in the issuer’s app
In iOS 15.4 or later, when a user double-clicks the side button on an iPhone with Face ID or double-clicks the Home button on an iPhone with Touch ID, their passes and access key details aren’t displayed until they authenticate to the device. Either Face ID, Touch ID or passcode authentication is required before pass-specific information, including hotel booking details, are displayed in Apple Wallet.