# MobileID InApp hardware-protected keys
In addition to dynamically generated software keys, you can use hardware-protected keys to strengthen proof-of-possession and maximise device security.
When using this feature, the probability that an attacker will be able to obtain the keys that are stored in the secure hardware on a device, and hence use them outside the device without breaking the device on a hardware level, is very low.
# How do hardware-protected keys work?
Hardware-protected keys are stored in hardware, typically on a trusted execution environment (TEE) or trusted platform module (TPM) and will never leave the hardware. As a result, all operations that require the private key are performed in the secure hardware on the device.
Even a rooted device still protects the hardware keys from extraction, and cloning of a key can not be performed on a rooted device. It is therefore very unlikely that an attacker is able to steal a key stored in the secure hardware and use it outside the device.
The usual flow for activation of a hardware-protected key is as follows:
- The Encap SDK generates a key pair in the secure hardware.
- The secure hardware returns the public hardware (HW) key to the Encap SDK.
- The Encap SDK returns this key to the Encap server over the secure channel in the
- The Encap server stores the public HW key on the registration, and this key will be used to verify all future authentications.
For a device that is activated with HW keys, an additional security check will be executed for each authentication. The sequence is as follows:
- The Encap SDK will sign the authentication challenge, received from the Encap server in the
start authenticationrequest, with the hardware-protected private key.
- The signed challenge is passed back to the Encap server in the
finish authenticationrequest over the secure channel.
- The signed challenge is verified on the server side with the HW public key.
# Supported devices
Hardware-protected keys are supported on
- Android 6 (most devices)
- Android 7 or later (all devices)
- iOS 10 or later (devices with Secure Enclave (opens new window))
Devices that do not support hardware-protected keys will only use software keys.
# Configuration options
Support for hardware-protected keys is enabled by default. We offer two different validation strategies,
SUPPORTED (default) and
RISK_PARAMS. With both strategies, the hardware signature is validated on the Encap server.
SUPPORTED, the operation will fail if the hardware signature is invalid.
RISK_PARAMS, the operation will not fail if the hardware signature is invalid but will return the
hw_key_server_resultrisk attributes, to enable you to evaluate the result and take action.
Contact Signicat at email@example.com if you would like us to make configuration changes to your MobileID InApp hardware-protected keys.
# Further reading
- MobileID InApp overview
- Mobile app-initiated operations via OIDC
- Mobile app-initiated operations: URL construction
- Mobile app-initiated operations: Finalise operation
- Backend-initiated operations via OIDC
- Backend-initiated operations: URL construction
- Backend-initiated operations: Finalise operation
- MobileID InApp upgrade guide
- MobileID InApp release notes