December 16, 2020
ZenKey: How Secure Is It?
A Network-Based Identity Solution
Data breaches, identity theft and large-scale fraud are becoming more common, and users must juggle multiple passwords to access digital services securely. The digital economy needs new identity management solutions that eliminate passwords and provide seamless, user-centric security and privacy controls with a high level of assurance. ZenKey is a joint venture founded by AT&T, T-Mobile and Verizon that provides a network-based identity solution. ZenKey delivers a frictionless experience together with fraud signals that only mobile carriers can provide.
The ZenKey identity solution provides multi-factor authentication and authorization using mobile device and network attributes. It integrates the trusted security attributes of the Subscriber Identity Module (SIM) card with the OpenID Connect [1] authentication protocol. An identity solution generally includes four key actors: (1) Users, (2) Identity Providers, (3) Relying Parties, and (4) a Governance Body, as shown in the figure above. The Users are the entities for which the identity solution provides authentication and authorization. The Identity Providers manage user attributes to validate, process, and assure digital transactions on behalf of Users. The Relying Parties accept user assurances from Identity Providers in order to grant service access. ZenKey acts as the Governance Body that provides oversight, operating standards, and requirements for the Identity Providers. By integrating the different mobile network Identity Providers behind one interface, ZenKey establishes a single identity management experience for both Users and Relying Parties.
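The trust relationship between the Relying Party and the Identity Provider described above is carried by the OpenID Connect ID token, and the Relying Party's security rests on validating it correctly. The block below is an added example, not ZenKey's or any carrier's code: it mints an ID token on the Identity Provider side and validates it on the Relying Party side using only the Python standard library. The issuer URL, client_id, subject and nonce are constructed sample values; HS256 with a shared key stands in for the RS256-over-JWKS signing an OpenID Connect provider actually uses, so that the example runs offline. The checks themselves (pin the algorithm, verify the signature before reading claims, then check iss, aud, exp and nonce) are the standard ones from the OpenID Connect Core specification.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values; the real issuer, client_id and claim set are
# defined by the identity provider and are not taken from the page.
ISSUER = "https://idp.example-carrier.test"   # hypothetical IdP issuer
CLIENT_ID = "rp-client-123"                    # hypothetical RP client_id
SHARED_KEY = b"demo-only-hs256-key"            # stand-in for the IdP's RSA key


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(claims: dict, key: bytes) -> str:
    """Identity Provider side: mint a compact JWS (HS256 stand-in for RS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_id_token(token: str, key: bytes, issuer: str, client_id: str,
                      nonce: str, now: int):
    """Relying Party side: returns (True, claims) or (False, reason)."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    enc_header, enc_payload, enc_sig = parts
    header = json.loads(_b64url_decode(enc_header))
    # Pin the algorithm before touching the signature; never let the token
    # choose it (alg=none and key-confusion attacks start here).
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected_sig = hmac.new(key, f"{enc_header}.{enc_payload}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(enc_sig)):
        return False, "bad signature"
    # Only now is the payload trustworthy enough to parse and check.
    claims = json.loads(_b64url_decode(enc_payload))
    if claims.get("iss") != issuer:
        return False, "wrong issuer"
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in aud:
        return False, "token not issued for this client"
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return False, "token expired"
    if claims.get("nonce") != nonce:
        return False, "nonce mismatch (possible replay)"
    return True, claims


def demo():
    """Issue one token, then validate it, a tampered copy, and a replayed one."""
    now = 1_608_076_800  # 2020-12-16T00:00:00Z, constructed
    claims = {"iss": ISSUER, "sub": "user-42", "aud": CLIENT_ID,
              "iat": now, "exp": now + 300, "nonce": "n-abc"}
    token = issue_id_token(claims, SHARED_KEY)
    ok, _ = validate_id_token(token, SHARED_KEY, ISSUER, CLIENT_ID, "n-abc", now)
    # An attacker rewrites the subject but cannot re-sign without the key.
    h, _p, s = token.split(".")
    tampered = h + "." + _b64url_encode(
        json.dumps({**claims, "sub": "attacker"}).encode()) + "." + s
    ok2, why2 = validate_id_token(tampered, SHARED_KEY, ISSUER, CLIENT_ID, "n-abc", now)
    # A genuine token presented against a different login session fails on nonce.
    ok3, why3 = validate_id_token(token, SHARED_KEY, ISSUER, CLIENT_ID, "n-other", now)
    return ok, why2, why3


if __name__ == "__main__":
    print(demo())
```

In production the Relying Party fetches the provider's JWKS over TLS, selects the key by `kid`, and pins `alg` to the asymmetric algorithm it was configured for; the order of checks (algorithm, signature, then claims) is what matters here, and the nonce check is what ties the token to the browser or app session that started the login.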
ZenKey Security Components
The ZenKey security Root-of-Trust (RoT) starts with the security of the mobile Universal Integrated Circuit Card (UICC). The UICC is a tamper-resistant hardware computing platform with its own operating system and applications. ZenKey uses privileged, mobile platform-specific APIs to read attributes of the SIM application running on the UICC for network attestation. The general-purpose mobile CPU processes ZenKey application transactions. All cryptographic operations go through mobile platform-specific APIs, and hardware-backed key stores are used by default on devices that support them. User trust is established using the mobile platform's PIN and/or biometric authentication methods.
The security of a digital transaction can be characterised by several properties: cryptographic key management, application processing state, hardware support, virtual and physical device properties, communication protocols, and industry standards and certifications. We can broadly classify the assurance spectrum into 4 categories:
- Untrusted Execution Environment – A pure-software solution that performs all cryptographic computation inside the host operating system. It cannot provide high assurance levels for identity attributes, because anything that compromises the host can read the keys.
- Trusted Execution Environment (TEE) – A processor-based Trusted Execution Environment provides a higher degree of attribute assurance, since all key management operations can be performed inside the TEE and its memory is isolated from the host operating system. Example systems include Android Trusty [2] and Samsung Knox [3], which are built on the ARM TrustZone [4] security extensions.
- Security Coprocessor – A security-centric processor separate from the main processor provides an extra layer of isolation compared to TEE technologies, because it does not share the application CPU at all. Example systems include Apple Secure Enclave [5] and Google Titan M [6]. These security coprocessors are device dependent and require platform-specific development, testing and support.
- Hardware Secure Element (SE) – An SE is a tamper-resistant platform capable of hosting applications and their cryptographic data in accordance with the rules and security requirements set by well-identified industry standards [7]. An SE can be general-purpose, supporting multiple applications, or application-specific, supporting only a single application. Hardware security keys that generate, store, and manage cryptographic keys for user identities can be implemented using an SE. Example hardware security keys include YubiKey [8] and Google Titan Key [9].
ZenKey integrates proven standards-based open authentication protocols, namely OpenID Connect and Extensible Authentication Protocol-Authentication and Key Agreement (EAP-AKA) [10], to provide a multi-factor, frictionless user identity solution. It provides high security assurance using a hybrid approach that extends the default mobile platform security with a network-based EAP-AKA attestation: the SIM proves possession of its long-term subscriber key to the carrier network, and the carrier then vouches for the user through OpenID Connect. With ZenKey, users do not need additional hardware-based security keys; existing mobile devices with universally available SIM cards can provide similar security assurances. Furthermore, the network-based attestation can give service providers fraud signals that no other identity provider holds. One of these signals is SIM Tenure, which indicates how long the current SIM has been in place on the account and so alerts the service provider to potential fraud from a recent SIM swap.
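The EAP-AKA attestation referred to above is a mutual challenge-response between the SIM and the home network, defined in RFC 4187 on top of the 3GPP AKA procedure. The block below is an added example, not ZenKey's or any carrier's implementation: it drives one AKA round trip end to end, with the home network generating an authentication vector (RAND, AUTN, XRES, CK, IK) and the USIM verifying the network's MAC and sequence number before answering with RES. The functions f1 to f5 are keyed-SHA-256 stand-ins for the MILENAGE algorithm that real operators use (labelled as such in the code), and the subscriber key K and AMF value are constructed for the demo; EAP's packet framing (AT_RAND, AT_AUTN, AT_RES, AT_MAC) is omitted so the cryptographic logic stays visible. It goes slightly beyond the text by showing the two failure cases that make the exchange an attestation at all: a challenge not produced by the holder of K, and a replayed challenge.

```python
import hashlib
import hmac
import os

AMF = b"\x80\x00"  # Authentication Management Field; value constructed for the demo


def _prf(tag: bytes, k: bytes, data: bytes, n: int) -> bytes:
    """Stand-in for the MILENAGE f1..f5 functions: keyed SHA-256 truncated to n
    bytes. Real operators use MILENAGE or TUAK; this is NOT a production algorithm."""
    return hmac.new(k, tag + data, hashlib.sha256).digest()[:n]


def f1(k, rand, sqn, amf): return _prf(b"f1", k, rand + sqn + amf, 8)  # MAC-A, 64 bits
def f2(k, rand):           return _prf(b"f2", k, rand, 8)              # RES / XRES
def f3(k, rand):           return _prf(b"f3", k, rand, 16)             # CK, cipher key
def f4(k, rand):           return _prf(b"f4", k, rand, 16)             # IK, integrity key
def f5(k, rand):           return _prf(b"f5", k, rand, 6)              # AK, anonymity key


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class AkaFailure(Exception):
    pass


class HomeNetwork:
    """Holds the long-term key K and the sequence counter for one subscriber."""

    def __init__(self, k: bytes):
        self.k = k
        self.sqn = 0

    def authentication_vector(self, rand=None):
        self.sqn += 1
        sqn = self.sqn.to_bytes(6, "big")
        rand = rand or os.urandom(16)
        ak = f5(self.k, rand)
        # AUTN = (SQN xor AK) || AMF || MAC-A. SQN is masked with AK so that an
        # eavesdropper cannot track a subscriber by watching the counter.
        autn = _xor(sqn, ak) + AMF + f1(self.k, rand, sqn, AMF)
        return rand, autn, f2(self.k, rand), f3(self.k, rand), f4(self.k, rand)


class Usim:
    """The SIM-side half: authenticates the network, then answers the challenge."""

    def __init__(self, k: bytes):
        self.k = k
        self.sqn_seen = 0

    def authenticate(self, rand: bytes, autn: bytes):
        ak = f5(self.k, rand)
        sqn = _xor(autn[:6], ak)
        amf, mac = autn[6:8], autn[8:16]
        # Check the network's MAC first: only the holder of K can produce it, so
        # a rogue base station or spoofed server fails here.
        if not hmac.compare_digest(f1(self.k, rand, sqn, amf), mac):
            raise AkaFailure("MAC failure: challenge not produced by home network")
        n = int.from_bytes(sqn, "big")
        # Freshness: a replayed (RAND, AUTN) carries a sequence number already seen.
        if n <= self.sqn_seen:
            raise AkaFailure("synchronisation failure: replayed or stale sequence number")
        self.sqn_seen = n
        return f2(self.k, rand), f3(self.k, rand), f4(self.k, rand)


def run_eap_aka_exchange(k_network: bytes, k_sim: bytes, replay: bool = False) -> str:
    """Drive one AKA round trip and report the server's decision as a string."""
    hn, usim = HomeNetwork(k_network), Usim(k_sim)
    rand, autn, xres, ck_net, ik_net = hn.authentication_vector()
    try:
        res, ck_sim, ik_sim = usim.authenticate(rand, autn)
        if replay:
            usim.authenticate(rand, autn)  # attacker re-sends the same challenge
    except AkaFailure as e:
        return f"rejected: {e}"
    # Server side: compare the SIM's RES with the expected XRES in constant time.
    if not hmac.compare_digest(res, xres):
        return "rejected: RES does not match XRES"
    assert (ck_sim, ik_sim) == (ck_net, ik_net)  # both sides now share CK/IK
    return "accepted: SIM proved possession of K"


if __name__ == "__main__":
    K = bytes.fromhex("465b5ce8b199b49faa5f0a2ee238a6bc")  # constructed test key
    print(run_eap_aka_exchange(K, K))
    print(run_eap_aka_exchange(K, bytes(16)))
    print(run_eap_aka_exchange(K, K, replay=True))
```

Two details are simplified on purpose. A real USIM accepts sequence numbers inside a window rather than strictly increasing ones, and on a synchronisation failure it returns an AUTS token so the network can resynchronise instead of simply refusing. In EAP-AKA the CK and IK produced at the end are not used directly; RFC 4187 derives the EAP master key and the AT_MAC key from them, and it is that keyed MAC over the EAP exchange, plus the RES comparison shown here, that lets the carrier attest to the service provider that the device holding this SIM was on the other end.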
[1] https://openid.net/connect/
[2] https://source.android.com/security/trusty
[3] https://www.samsungknox.com/en
[4] https://developer.arm.com/ip-products/security-ip/trustzone
[5] https://support.apple.com/guide/security/secure-enclave-overview-sec59b0b31ff/web
[6] https://security.googleblog.com/2018/10/building-titan-better-security-through.html
[7] https://globalplatform.org/
[8] https://www.yubico.com/
[9] https://cloud.google.com/titan-security-key/
[10] https://tools.ietf.org/html/rfc4187