Android Pay and Smart Lock Observations

[David Loring]

Using Smart Lock with On-body detection and Trusted Places in conjunction with Android pay, this is what I have observed.

The only kind of unlock Android Pay will accept as legit is a "traditional" unlock through a pattern, PIN, or password.

Putting my Smart UNlocked phone against the terminal seems to result in being kicked to the lockscreen where I must enter my pattern.

Sometimes I am treated to an additional screen similar in design to the password challenge screen you get when changing security settings that needs to be completed before payment happens.

All in all not a marked improvement over Wallet, which I also found ornery if you didn't launch and unlock it before payment. But, unlike Wallet, I don't find I need to select credit/debit with the nfc still in contact for things to work. Baby steps.

What are other peoples experiences with differing types of unlocks and Android Pay? What's the most efficient way to "pre-authorize" so that you don't have to do anything when you tap your phone to the terminal?

Posted via the Android Central App

 

[B. Diddy]

Welcome to Android Central! I've made 3 or 4 payments so far on my Zenfone 2, and it's been relatively smooth. I keep Smart Lock on, which uses my Zenwatch as the Trusted Device. When I tap the phone to the payment machine, The Android Pay app opens, and then I have to enter my unlock pattern. What I've found is that I've had to enter it 2 or 3 times. Then I'll hear the successful payment tone, and then I have to press the Credit button on the payment machine.

So the only minor glitch I've experienced is having to enter the unlock pattern more than once.

 

[mrmoe110]

I'm using smart lock too with my 360 and Bluetooth headset. For me the Android Pay process has went like this: unlock phone and hold it to scanner, enter my unlock code, and then hold it to the scanner again, select credit on the scanner display (if I select debit I'd have to put in my pin), check mark comes up on phone. Done! I've seen people that say you don't have to tap the scanner that second time if you're not using smart lock or trusted devices but I haven't tried that. Overall, I'd say it's a good start and more businesses are getting the scanners every day. People complaining in the Play Store and other places just need to calm down and realize updates will come that will smooth things out.

Posted via the Android Central App

 

[supert1020]

It works with fingerprint unlock with the Galaxy S6

Posted via the Android Central App

 

[thNoz]

Using Android Pay with Smart Lock is a pain in the ***. I have my Moto 360 set as a trusted device, so the X is unlocked when the watch is connected. Phone "unlocked" with Smart Lock...tap to pay...request enter lock PIN...tap again...fail...angry beep...enter pin again...fail...angry beep...give up in embarrassment and use card to pay.

Android Pay works fine with Smart Lock off and using the required screen lock. However, I hate keeping my phone locked all the time just so I can use Pay a few times a week. Can't disable the lock, because it will wipe out the card info. Android Pay should be reconfigured to work seamlessly with Smart Lock. Otherwise, it's more hassle than it's worth if you use your phone a lot through the day for other reasons than buying something. If the phone is unlocked with a trusted device, that should be good enough for Pay to work without entering a damned PIN three more times. If Google doesn't bring this ability to the app, then I will probably just quit using it altogether. Where's the convenience of Smart Lock if it really doesn't unlock the full capability of the device?

 

[B. Diddy]

I wonder why you're getting the fails? I use Smart Lock with my Zenwatch, and when I tap, I have to enter my PIN, typically twice, and then I tap again and it works. There was just an update to Android Pay, so I wonder if that addresses that problem.

 

[mrmoe110]

Somebody in another thread suggested that having to put in your lock code twice when using smart lock with a trusted device might be a feature and not a bug. The theory is that someone could get ahold of your phone and still be close enough to your trusted device to keep the screen unlocked. So they make you verify twice as an extra layer of security. I've never used Pay when I didn't have a trusted device connected but I saw someone else say you only have to put in your code once when that's the case.

Posted via the Android Central App

 

[Paul Rezendes]

I also have smart lock on and use my Zenwatch as the trusted device. My Note 5 has the same double protection when I use Android Pay now. I think the "feature" may just be what is happening here.

 

[Vance14]

I am in agreement that forcing us to have to use a screenlock in order to use Android Pay is enough (and annoying). That ensures that I am in a trusted environment. Having to enter the PIN/pattern again is ridiculous.

 

[B. Diddy]

I am in agreement that forcing us to have to use a screenlock in order to use Android Pay is enough (and annoying). That ensures that I am in a trusted environment. Having to enter the PIN/pattern again is ridiculous.

But suppose you have Smart Lock on, using an Android Wear watch as a trusted device. Someone steals your phone and your watch. Now they can use Android Pay to go buy that 256" 16K UltraMegaSuperHD TV they always wanted. But if you require the user to enter the PIN or pattern again at the point of sale, then you prevent that from happening.

I think when it comes to something as sensitive as your credit cards on your phone (which I think is much easier to lose or get stolen than your wallet), the extra layer of security is welcome.

 

[Vance14]

But suppose you have Smart Lock on, using an Android Wear watch as a trusted device. Someone steals your phone and your watch. Now they can use Android Pay to go buy that 256" 16K UltraMegaSuperHD TV they always wanted. But if you require the user to enter the PIN or pattern again at the point of sale, then you prevent that from happening.

I think when it comes to something as sensitive as your credit cards on your phone (which I think is much easier to lose or get stolen than your wallet), the extra layer of security is welcome.

I think the extra layer of security should be available as an option, but not required. The odds of somebody getting my phone AND my watch are pretty slim and if that unlikely event happens, I call my bank and cancel the card. You can argue for greater and greater levels of security and always be able to say "but this is even MORE secure!", but each level comes with an inconvenience, and I should be able to determine what that level is (after at least one level of security is baked in).

 

[B. Diddy]

I think the extra layer of security should be available as an option, but not required. The odds of somebody getting my phone AND my watch are pretty slim and if that unlikely event happens, I call my bank and cancel the card. You can argue for greater and greater levels of security and always be able to say "but this is even MORE secure!", but each level comes with an inconvenience, and I should be able to determine what that level is (after at least one level of security is baked in).

That's a reasonable suggestion, and maybe Google will modify things in the future--you should give them that feedback. One thing to consider, though, is that it's usually power users (or more tech savvy users) who will actually check settings and modify them. I'd venture to say that the great majority of people will just use it with whatever default there is, and therefore the challenge is to figure out what the default should be. Do you err on the side of security or convenience?

 

[Vance14]

That's a reasonable suggestion, and maybe Google will modify things in the future--you should give them that feedback. One thing to consider, though, is that it's usually power users (or more tech savvy users) who will actually check settings and modify them. I'd venture to say that the great majority of people will just use it with whatever default there is, and therefore the challenge is to figure out what the default should be. Do you err on the side of security or convenience?

There may be some bank requirements, but ultimately, Google wants people to use the app. They are in it for the traffic to get data signals and if people don't use the app because it is no more convenient than getting a credit card out (and with this set up, it really isn't any easier) then they gain nothing. I have sent in some feedback, but my guess is that they will stick with the higher security and they will find people just not using it in the end.

 

[dvdmon]

At some point Google needs to provide some flexibility. Someone can easily grab your physical card and go charging with it. Do you really think someone is going to be using your phone to charge stuff within 30 feet of you after having swiped it? I think that would be extremely unlikely. Even so, they could at the very least limit it to NFC Smart lock, which would require you to be within less than an inch from the NFC tag. I guess there's always the possibility you could knock the person out and take both their phone and their NFC tag, but at some point you have to give people the option for daily convenience over an extremely rare risk...

 

[B. Diddy]

I agree, and I would encourage you as well to give your feedback to Google, so that perhaps they'll add that functionality in future updates. Keep in mind, though, that physical credit cards do have some safeguards against fraudulent use, like requiring a signature (which, granted, often isn't checked by the cashier) or having an identification photo of the real credit card holder on it.

 

[dvdmon]

I agree, and I would encourage you as well to give your feedback to Google, so that perhaps they'll add that functionality in future updates. Keep in mind, though, that physical credit cards do have some safeguards against fraudulent use, like requiring a signature (which, granted, often isn't checked by the cashier) or having an identification photo of the real credit card holder on it.

Just posted a review on Google Play...

As for signatures on cards, I've been signing with scribbles for the last couple of years (which don't match what's on my card) and have never been asked about it. A friend has "Ask for ID" on his and only once in years has been asked. I think when Chip and PIN becomes common here in the US, that will make a difference because it will require a PIN code, but I still think there are reasonable ways around this if you don't want to bother with that...

 

[meskin84]

Welcome to Android Central! I've made 3 or 4 payments so far on my Zenfone 2, and it's been relatively smooth. I keep Smart Lock on, which uses my Zenwatch as the Trusted Device. When I tap the phone to the payment machine, The Android Pay app opens, and then I have to enter my unlock pattern. What I've found is that I've had to enter it 2 or 3 times. Then I'll hear the successful payment tone, and then I have to press the Credit button on the payment machine.

So the only minor glitch I've experienced is having to enter the unlock pattern more than once.

This is the exact problem I am experiencing and it is a far cry from being as convenient as Google Wallet was. I'm not one of those, "Two apps?! Why?!?! Screw this, I'm getting an iPhone!" people, but it has made me wonder why they would elect for such a difficult process. Here is my comparison of the two processes.

Google Wallet
1. Open Wallet App
2. Unlock
3. Place on terminal to charge

Android Pay
1. Unlock phone
2. Place phone on terminal, Android app launches
3. Enter pin
4. Confirm pin
5. Confirm pin
6. Confirm pin again?
7. Place phone back on terminal to process payment

How did this become better than using one app for two purposes? I'm not irate over it, but entering my pin 3 or 4 times, then placing the phone back on the terminal seems unnecessary.

Posted via the Android Central App

 

[icwhatudidthere]

It could be as simple as CYA for Google and the card companies anticipating an issue. Imagine the backlash on the headline, "OMG my kids distracted me and someone used my phone to pay for stuff."

Don't forget there are various smart lock options available too. It could be they just decided no smart lock options are secure enough considering you can also disable locking just by keeping the phone in your hand or being at a specific location and who knows how granular that location is.

 

[B. Diddy]

Android Pay
1. Unlock phone
2. Place phone on terminal, Android app launches
3. Enter pin
4. Confirm pin
5. Confirm pin
6. Confirm pin again?
7. Place phone back on terminal to process payment

I agree that the multiple PIN or pattern entry can be a bit annoying, but I would note that if you're using Smart Lock, you don't have to unlock the phone first, because it should already be unlocked (assuming it's connected to a Trusted Device on your person). So that eliminates step #1.

I've never tried it without Smart Lock--but without Smart Lock, does it still require you to enter your PIN again in Android Pay after you've already unlocked the screen initially?

 

[jimsis]

I agree that wallet was more convenient.

I'd be fine with unlocking the Android Pay app when I open it to avoid the pin/pattern 2 or 3 times problem. Got to think Android Pay is being laughed at compared to Apple Pay, especially when Wallet worked reasonable well and was first.

Wonder if the finger print sensor on the 5X and 6P will handle the smart lock feature any better, or will this make smart lock redundant.