GlobalPlatform made simple guide: Mobile ID
What is mobile ID?
The ubiquity of mobile devices enables the mobile handset to replace identity cards, papers and other means of identification. Credentials are either generated on the handset remotely or derived from existing physical ID cards, making the handset a convenient, practical and cost-efficient digital alternative. This enables users to carry out identification, authentication, payments and even digital signatures securely using a mobile phone. The handset also makes an ideal vehicle for multi-factor authentication, with its ability to incorporate biometric readers and perform out-of-band messaging.
Where is mobile ID used?
Mobile ID provides benefits for both government and commercial users. It is already in use in a number of countries as a government-issued application for providing identification and facilitating access to government services and programs, as well as for government-to-government applications. The proven security, reliability, efficiency and flexibility of mobile ID within the government sector has also inspired a number of commercial applications, in areas like healthcare, finance, retail and enterprise.
What does mobile ID do?
Mobile ID applications are mainly used for authentication purposes. The ID on the mobile device can be used to perform verification locally or remotely. Authentication use cases can be split into three different categories:
- Authentication to another local application, on the same device, for example a Bring Your Own Device (BYOD) container service.
- Authentication to another mobile device or terminal, for example building access.
- Authentication to a remote server or cloud service, for example FIDO or GSMA Mobile Connect.
Where multi-factor and out-of-band scenarios are required, the keys that prove the second or further factors can be held within GlobalPlatform secure components. This allows keys to be stored and used within secure boundaries.
What is GlobalPlatform’s role in this market?
As a provider of open technical specifications for platforms of secure components, GlobalPlatform’s role is to promote the interoperability and security of those platforms where mobile ID applications are deployed.
Mobile ID credentials can be managed and implemented in the standardized platforms, the Secure Element (SE) or the Trusted Execution Environment (TEE), using GlobalPlatform Specifications. The GlobalPlatform Messaging Specifications for Trusted Service Management are also relevant to the mobile ID community, as they detail how stakeholders can connect their backend systems to the secure components (SE / TEE) on devices and to any other actor in the ecosystem.
How secure is mobile ID?
The security level of a mobile ID implementation in a mobile device can vary according to market need but in all cases depends on three functionalities: storage, user input/output, and processing. Using the TEE or SE for credential storage, the TEE for data entry and display, and the TEE or SE for processing of services can avoid many potential threats of attack and establish higher levels of security assurance.
GlobalPlatform TEE technology offers a balanced combination of processing power, storage and security, while GlobalPlatform SE technology provides strong physical isolation and a tamper-proof environment that adds further security where needed. Typically, platforms for ID applications have to fulfil security requirements that are assured by certification schemes. The mobile device is increasingly secure thanks to the SE and TEE, which are typically certified against Common Criteria or the Federal Information Processing Standards (FIPS).
How do GlobalPlatform Specifications support the mobile ID market?
GlobalPlatform’s infrastructure robustly safeguards the security and integrity of services deployed on a platform alongside services from other providers. When using GlobalPlatform technology, service providers of mobile ID applications know that only they can control their services. In addition, their service poses no threat to, nor is at risk from, any service sharing the platform. Any device that has been certified as ‘compliant’ with GlobalPlatform Specifications carries the assurance that the service will behave in the correct way, regardless of the device it is deployed on.
GlobalPlatform Specifications also provide the building blocks for the derivation method of credentials, whether done remotely using a backend system or locally using an ID card and NFC.
Using GlobalPlatform standardized secure technologies for mobile ID shortens time to market while providing frameworks, configurations, profiles, protocols, interfaces and standards that assure interoperability and consistency and enable end-to-end solutions to be implemented in a secure and certified way.
For more information about how GlobalPlatform supports mobile ID, including detailed information about different platform implementation scenario options, download the new white paper, entitled ‘Mobile ID: Realization of Mobile Identity Solutions by GlobalPlatform Technologies’, free of charge from the GlobalPlatform website.