GlobalPlatform adds biometric authentication in Trusted Execution Environment to APIs
GlobalPlatform has announced that the functionality of its Trusted User Interface (Trusted UI) APIs has been extended to support developer integration of in-app biometric authentication secured in the device’s Trusted Execution Environment (TEE) hardware.
A Trusted UI is a specific mode granting control of the device’s user interface to the TEE, which prevents malware from capturing sensitive information or running transactions without explicit user consent.
“Sensitive digital services like banking, payments, document signing and access control require strong user authentication and user consent, and to do this users must interact with their device,” comments Gil Bernabeu, Technical Director of GlobalPlatform. “Our work in collaboration with FIDO Alliance and IFAA on the Trusted UI moves away from PINs and passwords processed in the vulnerable device OS, to a world where all sensitive user interactions are secured in the hardware of the TEE. These new APIs enable trusted applications to leverage the device’s biometric sensors, while staying fully isolated from the device OS, and trusted user interactions to be fully configured to the specific needs of each digital service.”
In addition to allowing secure integration of biometric authentication into apps, GlobalPlatform’s TUI Extension: TEE Biometrics API and TEE Trusted User Interface Low-level API increase functionality and add options for configuring authentication screens and other trusted transactions, according to the announcement.
“This is a big step forward for the TEE specifications,” adds Gil. “The market is demanding stronger authentication and biometric technology has come to the fore as it supports security and convenience. But insecure biometrics will not be tolerated by service providers and consumers. This is why the TEE is so important. It is the only technology that brings trust to the device user interface and, as such, is fundamental to the future of secure digital services and strong user authentication.”
Once the industry association publishes a new module for its TEE Protection Profile, it will be possible to certify products as meeting the requirements of the GlobalPlatform TEE Certification Scheme, which it says is the final step to enable biometrics to be integrated with TEE specifications.
The use of restricted operating environments like the TEE is part of the FIDO Alliance’s Level 2 Authenticator certification, which was announced in March.