Access using Apple Wallet
In Apple Wallet on supported iPhone and Apple Watch devices, users can store keys to their homes, cars and hotel rooms. They can even store corporate badges and student ID cards. When a user arrives at a door, the right key is automatically presented, allowing them to enter with just a tap using Near Field Communication (NFC).
User convenience
When a key, pass, student ID card or corporate badge is added to Apple Wallet, Express Mode is turned on by default. Cards in Express Mode interact with accepting terminals without Face ID, Touch ID, passcode authentication, or double-clicking the side button on Apple Watch. Users can turn off Express Mode by tapping the More button on the front of the card in Apple Wallet. To turn Express Mode back on, they must use Face ID, Touch ID or a passcode.
Privacy and security
Keys in Apple Wallet take full advantage of the privacy and security built into iPhone and Apple Watch. When or where a person uses their keys in Apple Wallet is never shared with Apple or stored on Apple servers, and credentials are securely stored inside the Secure Element (SE) of supported devices. The SE hosts specially designed applets to securely manage and store access keys, ensuring that keys can’t be extracted.
Before provisioning any access keys, a user must be signed in to their iCloud account on a compatible iPhone and have two-factor authentication turned on for their iCloud account, with the exception of a student ID, which doesn’t require two-factor authentication to be turned on.
When a user initiates the provisioning process, steps similar to those involved in credit and debit card provisioning take place, such as link and provisioning. During a transaction, the reader communicates with the Secure Element through the Near Field Communication (NFC) controller using an established secure channel.
The number of devices, including iPhone and Apple Watch, that can be provisioned with an access key is defined and controlled by each partner and can vary from one partner to another. Such an approach allows each partner to have control over the maximum number of provisioned access keys per device type to suit their specific needs. For this purpose, Apple supplies partners with device type and anonymised device identifiers. Identifiers are different for every partner for privacy and security reasons.
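The per-partner limit described above, sketched from the partner's side as an added example (not Apple's or any partner's code). The HMAC derivation of the identifier, the partner names, secrets, serials and the `PartnerKeyRegistry` class are assumptions made for illustration; the page does not say how the identifiers are derived.

```python
from __future__ import annotations

import hashlib
import hmac
from collections import Counter

# Constructed sample secrets; none come from Apple or any partner.
PARTNER_SECRETS = {"hotel-partner": b"k1-constructed", "campus-partner": b"k2-constructed"}


def partner_device_id(partner: str, device_serial: str) -> str:
    """Assumed derivation: HMAC of a device-unique value under a per-partner secret.

    The same device yields a stable identifier for one partner and an
    unrelated one for another, so two partners cannot correlate devices.
    """
    mac = hmac.new(PARTNER_SECRETS[partner], device_serial.encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


class PartnerKeyRegistry:
    """Hypothetical partner-side record of which devices hold an account's key."""

    def __init__(self, limits: dict[str, int]):
        self.limits = limits  # maximum keys per device type, chosen by the partner
        self.devices: dict[str, dict[str, str]] = {}  # account -> {device_id: type}

    def provision(self, account: str, device_type: str, device_id: str) -> bool:
        held = self.devices.setdefault(account, {})
        if device_id in held:
            return True  # re-provisioning a known device does not consume quota
        limit = self.limits.get(device_type, 0)  # unlisted device types are refused
        if Counter(held.values())[device_type] >= limit:
            return False
        held[device_id] = device_type
        return True

    def remove(self, account: str, device_id: str) -> bool:
        """Free the slot when a key is removed, e.g. after a remote wipe."""
        return self.devices.get(account, {}).pop(device_id, None) is not None


if __name__ == "__main__":
    reg = PartnerKeyRegistry({"iPhone": 1, "Apple Watch": 1})
    first = partner_device_id("hotel-partner", "SERIAL-A")   # constructed serials
    second = partner_device_id("hotel-partner", "SERIAL-B")
    print(reg.provision("guest-1", "iPhone", first))    # within the limit
    print(reg.provision("guest-1", "iPhone", second))   # over the iPhone limit
    print(first == partner_device_id("campus-partner", "SERIAL-A"))  # unlinkable
```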
Keys can be disabled or removed by:
Erasing the device remotely with Find My
Enabling Lost Mode with Find My
Receiving a mobile device management (MDM) remote wipe command
Removing all cards from their Apple ID account page
Removing all cards from iCloud.com
Removing all cards from Apple Wallet
Removing the card in the issuer’s app
In iOS 15.4 or later, when a user double-clicks the side button on an iPhone with Face ID or double-clicks the Home button on an iPhone with Touch ID, their passes and access key details aren’t displayed until they authenticate to the device. Face ID, Touch ID or passcode authentication is required before pass-specific information, including hotel booking details, is displayed in Apple Wallet.