GlobalPlatform made simple guide: Mobile ID
What is mobile ID?
The ubiquity of mobile devices enables the handset to replace identity cards, papers and other means of identification. Credentials are either generated on the handset remotely or derived from an existing physical ID card, giving a convenient, practical and cost-efficient digital alternative. Users can then carry out identification, authentication, payments and even digital signatures securely with a mobile phone. The handset is also an ideal vehicle for multi-factor authentication, since it can incorporate biometric readers and perform out-of-band messaging.
Where is mobile ID used?
Mobile ID provides benefits for both government and commercial users. It is already in use in a number of countries as a government-issued application for providing identification and facilitating access to government services and programs, as well as for government-to-government applications. It is the proven security, reliability, efficiency and flexibility of mobile ID within the government sector that has inspired a number of commercial applications too, in areas like healthcare, finance, retail and enterprise.
What does mobile ID do?
Mobile ID applications are mainly used for authentication purposes. The ID on the mobile device can be used to perform verification locally or remotely.
Authentication use cases can be split into three different categories:
- Authentication to another local application, on the same device, for example a Bring Your Own Device (BYOD) container service.
- Authentication to another mobile device or terminal, for example building access.
- Authentication to a remote server or cloud service, for example FIDO or GSMA Mobile Connect.
Where multi-factor or out-of-band authentication is required, the keys that prove the second and further factors can be held within GlobalPlatform secure components, so that they are stored and used only inside a protected boundary.
What is GlobalPlatform’s role in this market?
As a provider of open technical specifications for platforms of secure components, GlobalPlatform’s role is to promote the interoperability and security of
those platforms where mobile ID applications are deployed.
Mobile ID credentials can be managed and implemented on the standardized Secure Element (SE) or Trusted Execution Environment (TEE) platforms using GlobalPlatform Specifications. The GlobalPlatform Messaging Specifications for Trusted Service Management are also relevant to the mobile ID community, as they detail how stakeholders can connect their backend systems to the SE / TEE secure components on devices and to any other actor in the ecosystem.
How secure is mobile ID?
The security level of a mobile ID implementation on a mobile device can vary according to market need, but in all cases it depends on three functions: storage, user input/output, and processing. Using the TEE or SE for credential storage, the TEE for data entry and display, and the TEE or SE for processing of services mitigates many potential attacks and establishes a higher level of security assurance.
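The third authentication category above (handset to remote server) and the storage/processing split just described can be made concrete with a small model. The following Go program is an added example, not GlobalPlatform, FIDO or GSMA code: a `SecureComponent` type stands in for the SE/TEE boundary and holds a signing key that is generated inside and never exported, while a `RelyingParty` type plays the remote server that enrols the public key, issues single-use challenges and verifies the answers. The types, the challenge format (user name prefix plus 32 random bytes) and the two-minute lifetime are assumptions chosen for illustration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// SecureComponent stands in for the SE or TEE boundary: the signing key is
// generated inside and never exported; only the public key and signatures
// cross it. Illustrative model only, not a GlobalPlatform or FIDO API.
type SecureComponent struct{ priv *ecdsa.PrivateKey }

func NewSecureComponent() (*SecureComponent, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SecureComponent{priv: priv}, nil
}

// PublicKey is the only key material released, at enrolment time.
func (sc *SecureComponent) PublicKey() *ecdsa.PublicKey { return &sc.priv.PublicKey }

// Sign answers a challenge inside the boundary. The handset application that
// relays bytes to and from the server never touches the private key.
func (sc *SecureComponent) Sign(challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, sc.priv, digest[:])
}

// RelyingParty is the remote server of the guide's third category. It holds
// the enrolled public key per user and the single-use challenges it issued.
type RelyingParty struct {
	enrolled map[string]*ecdsa.PublicKey
	pending  map[string]time.Time // string(challenge) -> expiry
	ttl      time.Duration
	now      func() time.Time // injectable clock so expiry can be exercised
}

func NewRelyingParty(ttl time.Duration) *RelyingParty {
	return &RelyingParty{
		enrolled: map[string]*ecdsa.PublicKey{},
		pending:  map[string]time.Time{},
		ttl:      ttl,
		now:      time.Now,
	}
}

func (rp *RelyingParty) Enroll(user string, pub *ecdsa.PublicKey) { rp.enrolled[user] = pub }

// Challenge issues a fresh random nonce prefixed with the user it is for, so a
// signature produced for one account cannot be presented for another.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	challenge := append([]byte(user+":"), nonce...)
	rp.pending[string(challenge)] = rp.now().Add(rp.ttl)
	return challenge, nil
}

// Verify accepts each challenge at most once and rejects unknown users,
// unissued or replayed challenges, expired challenges and bad signatures.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) error {
	pub, ok := rp.enrolled[user]
	if !ok {
		return errors.New("unknown user")
	}
	expiry, ok := rp.pending[string(challenge)]
	if !ok {
		return errors.New("challenge not issued or already used")
	}
	delete(rp.pending, string(challenge)) // consume first: a failed attempt cannot be retried
	if rp.now().After(expiry) {
		return errors.New("challenge expired")
	}
	if !bytes.HasPrefix(challenge, []byte(user+":")) {
		return errors.New("challenge was issued for a different user")
	}
	digest := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not verify under enrolled key")
	}
	return nil
}

func main() {
	sc, _ := NewSecureComponent()
	rp := NewRelyingParty(2 * time.Minute)
	rp.Enroll("alice", sc.PublicKey())
	ch, _ := rp.Challenge("alice")
	sig, _ := sc.Sign(ch)
	fmt.Println("first use:", rp.Verify("alice", ch, sig)) // <nil>
	fmt.Println("replay:   ", rp.Verify("alice", ch, sig)) // challenge not issued or already used
}
```

The point the model makes is architectural rather than cryptographic: everything the server ever receives from the handset is a public key and signatures, so compromising the application layer on the phone yields nothing reusable, and the server side enforces freshness (expiry), single use (consumed on first presentation) and binding to the account the challenge was issued for.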
GlobalPlatform TEE technology offers a balanced combination of processing power, storage and security, while GlobalPlatform SE technology provides strong physical isolation and a tamper-proof environment that adds further security where needed. Platforms for ID applications typically have to fulfil security requirements that are assured by certification schemes; the SE and TEE are usually certified against Common Criteria or the Federal Information Processing Standards (FIPS), which is why the mobile device is becoming an increasingly secure platform.
How do GlobalPlatform Specifications support the mobile ID market?
GlobalPlatform’s infrastructure robustly safeguards the security and integrity of services deployed on a platform alongside services from other providers.
When using GlobalPlatform technology, service providers of mobile ID applications know that only they can control their services. In addition, their service
poses no threat to, nor is at risk from, any service sharing the platform. Any device that has been certified as ‘compliant’ with GlobalPlatform
Specifications carries the assurance that the service will behave in the correct way, regardless of the device it is deployed on.
GlobalPlatform Specifications also provide the building blocks for the derivation method of credentials, whether done remotely using a backend system
or locally using an ID card and NFC.
Using GlobalPlatform standardized secure technologies for mobile ID shortens time to market while also providing the frameworks, configurations, profiles, protocols, interfaces and standards that assure interoperability and consistency and enable end-to-end solutions to be implemented in a secure and certified way.
For more information about how GlobalPlatform supports mobile ID, including detailed information about the different platform implementation scenario options, download the white paper entitled ‘Mobile ID: Realization of Mobile Identity Solutions by GlobalPlatform Technologies’.
How is the MoU between GlobalPlatform and the FIDO Alliance supporting service providers?
GlobalPlatform and the FIDO (Fast Identity Online) Alliance are working to ease FIDO authenticator development on GlobalPlatform-based secure
component products. This will enable service providers to efficiently incorporate user authentication features – such as voice recognition and biometrics –
as part of their GlobalPlatform-secure deployments.
The FIDO Alliance is making online authentication simpler and stronger by defining open, scalable and interoperable protocols that reduce reliance on passwords. The joint work initiative brings FIDO authentication to GlobalPlatform Specifications on Secure Elements (SE) and Trusted Execution Environments (TEE).
Service providers managing applications on GlobalPlatform-compliant SE or TEE products will be able to utilize FIDO's leading authentication functionality without additional development costs. By combining their technical expertise, the two associations can promote industry adoption of user authentication in a commercially viable and user-friendly manner.