# Hardware-protected keys
# About hardware-protected keys
In addition to dynamically generated software keys, you can use hardware-protected keys to strengthen proof-of-possession and maximise device security.
When using this feature, it is improbable that an attacker will be able to obtain the keys stored in the secure hardware on a device and then use them outside the device; without breaking the device on a hardware level.
# How do hardware-protected keys work?
Hardware-protected keys are stored in hardware, typically on a trusted execution environment (TEE) or trusted platform module (TPM), and will never leave the hardware. As a result, all operations that require the private key are performed in the secure hardware on the device.
Even rooted devices safeguard the hardware-protected keys from extraction, as keys can not be cloned on a rooted device. It is therefore unlikely that an attacker would be able to steal a key stored in the secure hardware and use it outside of the device.
The usual flow for activation of a hardware-protected key is as follows:
- The Encap SDK generates a key pair in the secure hardware.
- The secure hardware returns the public hardware-protected key to the Encap SDK.
- The Encap SDK returns this key to the Encap server over the secure channel in the
- The Encap server stores the public hardware-protected key on the registration, and this key will be used to verify all future authentications.
Devices activated with hardware-protected keys conduct an additional security check for every authentication. The sequence is as follows:
- The Encap SDK will sign the authentication challenge, received from the Encap server in the
start authenticationrequest, with the hardware-protected private key.
- The signed challenge is passed back to the Encap server in the
finish authenticationrequest over the secure channel.
- The signed challenge is verified server-side with the hardware-protected public key.
# Supported devices
Hardware-protected keys are supported on:
- Android 6 (most devices)
- Android 7 or later (all devices)
- iOS 10 or later (devices with Secure Enclave (opens new window))
Devices that do not support hardware-protected keys will only use software keys.
# Configuration options
Support for hardware-protected keys is enabled by default.
We offer two different validation strategies. Both strategies use the Encap server to validate the hardware signature:
| ||The operation will fail if the hardware signature is invalid.|
| ||The operation will not fail if the hardware signature is invalid. You must evaluate the result and determine what action to take.|
The result of the hardware signature validation is always returned as a part of the following risk attributes:
# Make changes to your configuration
The validation strategy is determined by the hardware-protected key validation strategy parameter (
hwKeyValidationStrategy) in your application configuration.
To make configuration changes in relation to hardware-protected keys, send your preferences to us at email@example.com. We will update your application configuration for you.