Mobile device security

Apple’s Secure Enclave, ARM’s TrustZone and Google Titan M are all implementations of a Trusted Execution Environment (TEE), an isolated secure environment within the mobile phone. But there is a lot more to device security. From the lock screen to the secure storage of your biometric data on those security chips, and from the biometric sensors to the hardware-backed Keystore on Android and the Keychain on iOS, all of these are implemented to make the identification and authentication of the phone's owner as secure and as smooth as possible. Your biometric data and the private key never leave the device, so they cannot be tampered with in transit. They are not even directly accessible to the authentication app. The authentication app relies on the device and uses these features and capabilities for passwordless authentication. Applications build on these and ideally provide a hardened, tamper-proof extension of these services to third parties like you.

The principles behind these extensions rely on asymmetric cryptography, where the private key remains protected on the mobile device and its public counterpart is used on the server side to verify the authentication signature. This way no passwords or password hashes are ever transferred over networks; the private key never leaves the device, and even if the device is stolen it cannot be used to steal your fingerprints, for instance. Even if the public keys are stolen, they are of little value: at best, people could use their mobiles to sign in to the cyber criminals' protected back-ends, if they chose to do so.
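
The signature check described above can be sketched as a challenge-response exchange. This is an added example, not code from any product mentioned here. It assumes a random one-time challenge, uses Ed25519 from Go's standard library as a stand-in for whatever algorithm the device key store uses, and the names `Server`, `deviceSign` and `Demo` are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Server keeps only public keys and outstanding one-time challenges.
type Server struct {
	pub     map[string]ed25519.PublicKey
	pending map[string][]byte
}

// NewChallenge issues a fresh random nonce that the device must sign.
func (s *Server) NewChallenge(user string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	s.pending[user] = c
	return c
}

// Verify consumes the challenge before checking, so a response cannot be replayed.
func (s *Server) Verify(user string, sig []byte) bool {
	c, ok := s.pending[user]
	pub, enrolled := s.pub[user]
	if !ok || !enrolled {
		return false
	}
	delete(s.pending, user)
	return ed25519.Verify(pub, c, sig)
}

// deviceSign stands in for the secure hardware; only it ever touches priv.
func deviceSign(priv ed25519.PrivateKey, c []byte) []byte { return ed25519.Sign(priv, c) }

// Demo returns the result of a genuine login, a replay, and a foreign key.
func Demo() (genuine, replay, foreign bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed sample keys
	_, other, _ := ed25519.GenerateKey(rand.Reader)
	s := &Server{map[string]ed25519.PublicKey{"alice": pub}, map[string][]byte{}}
	sig := deviceSign(priv, s.NewChallenge("alice"))
	genuine, replay = s.Verify("alice", sig), s.Verify("alice", sig)
	foreign = s.Verify("alice", deviceSign(other, s.NewChallenge("alice")))
	return
}

func main() { fmt.Println(Demo()) }
```

The server side holds nothing secret: a copy of its key table lets someone verify signatures, not produce them.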