GlobalPlatform, the standard for secure digital services and devices, has extended the functionality of its Trusted User Interface (Trusted UI) APIs. Service providers and application developers now have a direct path to provide users with a richer and safer authentication experience and, importantly, to offer trusted biometric authentication that is secured in the hardware of the device’s Trusted Execution Environment (TEE).
“Sensitive digital services like banking, payments, document signing and access control require strong user authentication and user consent, and to do this users must interact with their device,” comments Gil Bernabeu, Technical Director of GlobalPlatform. “Our work in collaboration with FIDO Alliance and IFAA on the Trusted UI moves away from PINs and passwords processed in the vulnerable device OS, to a world where all sensitive user interactions are secured in the hardware of the TEE. These new APIs enable trusted applications to leverage the device’s biometric sensors, while staying fully isolated from the device OS, and trusted user interactions to be fully configured to the specific needs of each digital service.”
A Trusted UI is a specific mode in which the user interface of a device is controlled solely by the TEE – an isolated area in the main processor of a smartphone (or any connected device) that ensures sensitive data is stored, processed and protected in a trusted environment. The Trusted UI ensures that malware running in the device cannot tamper with displayed messages, capture secret information displayed to the user and intercept PINs or passwords entered by the user, as in a “PIN on Glass” scenario. It also, prevents malware from running transactions without explicit user consent.
The TUI Extension: TEE Biometrics API and the TEE Trusted User Interface Low-level API open up more functionality and options for the configuration of authentication screens and other trusted interactions, in addition to the secure integration of biometric authentication into apps.
“This is a big step forward for the TEE specifications,” adds Gil. “The market is demanding stronger authentication and biometric technology has come to the fore as it supports security and convenience. But insecure biometrics will not be tolerated by service providers and consumers. This is why the TEE is so important. It is the only technology that brings trust to the device user interface and, as such, is fundamental to the future of secure digital services and strong user authentication.”
The final step to integrate biometrics into the TEE specifications will be the publication of a new module for the TEE Protection Profile. This will enable products to be certified as meeting the requirements of the specifications by the GlobalPlatform TEE Certification Scheme.
To download the specification without charge, visit the GlobalPlatform Device Specifications webpages.