On the weekend, I finally had a chance to load my three credit cards into Apple Pay. The process was slick and painless, as you’d expect from Apple: a simple snap of the credit card auto-populated the data on my phone. Only the card security code (three or four digits long) is entered by hand.
Below, I’ll explore the security mechanisms I encountered during the Apple Pay enrollment process, as well as those in place for making actual payments.
Enrollment with one-time passwords
One of the inherent risks in any authentication solution is the initial onboarding or identity proofing process. In many deployments, a simple username and password offer greater security than a hardware token does because the identity proofing intended to pair the token with a specific user is not sufficiently rigorous.