Enhancing FIDO Solutions with TEE technology

Alexander Summerer, Technology Consultant, Mobile Security, G&D

FIDO is a new authentication scheme with the potential to revolutionize how users authenticate to online services across various networks. Today’s online authentication is a mess because most websites require a username and password from the user to grant access. Because a single user today typically has dozens of accounts and uses them on a daily basis, the user experience suffers heavily. At the same time, online services are frequently hacked and passwords compromised, which is a major security concern. The new FIDO scheme allows online authentication to be implemented securely and conveniently by introducing new user verification schemes such as biometric verification, e.g. the end user’s fingerprint. Additionally, FIDO provides strong authentication by introducing two-factor authentication with tokens, cards or the TEE. Since FIDO is standardized by the FIDO Alliance, it can be easily integrated into online services and into FIDO components from different vendors.

In many cases the weakest link in the online user authentication scenario is the client device. In FIDO, the user must first be validated by the client device. Once the user is validated, the client device creates a signature with the FIDO private key, which the FIDO server in the backend can validate. This paradigm carries several risks. If the user validation process is compromised, the client device will potentially create valid signatures with the FIDO private key on behalf of an attacker. If the FIDO credentials are compromised, an attacker can use them on any other device to access the user’s online service. The TEE mitigates these risks significantly by providing an isolated execution platform on the device, which allows secure user validation, secure key storage and secure signature creation to be performed in a single application protected by hardware-backed security. Moreover, the TEE is managed remotely via a TEE-TSM (trusted service manager). This ensures that only trustworthy software can be installed on the device at any point during the device lifecycle. Additionally, the TSM model facilitates changing the end-user device by offering a migration process for the FIDO credentials.

The combination of FIDO authentication and the GlobalPlatform TEE as the underlying platform technology increases security tremendously while improving the user experience at the same time. The standardization efforts of the FIDO Alliance and GlobalPlatform assure consistency and interoperability among systems and products, which allows usage across different online services in the highly heterogeneous environment of the internet. Besides improving user experience and security, it also saves costs, drives innovation and enables many new services, e.g. governmental and financial online services, which often require strong authentication schemes.


Welcome coffee, lunch and the cocktail reception are included in the below fees.

GlobalPlatform Members

  • Members can send up to 3 employees to the event for free.
  • US$99 (700 CNY) for each additional member.


Registration fee is:

(2100 CNY)

A TEE instructor-led training session is available 13-14 September. The course, given in English, is open to both GlobalPlatform members and non-members. It is designed to improve knowledge of the TEE specifications, efficient implementation, and effective use of a TEE environment.



Copyright © 2018 GlobalPlatform. All Rights Reserved