13_CA Day - How Google approaches eID.pdf

1、And StrongBox,where security discussion on Android convergesHow Google Approaches eIDSep 25,2025Proprietary and ConfidentialVictor HsiehAndroid Platform SecurityMain focus on enabling high assurance use cases on AndroidProprietary and ConfidentialTable of contentsHow is Google helping01StrongBox,the

2、 Android solution02StrongBox as local internal QSCD03Proprietary and ConfidentialHow is Google Helping users,wallet providers,OEMs,issuers,etc.Proprietary and Confidential Different teams in different areas,e.g.Google Wallet,Android,Pixel,Chrome,etc.Learn from other teams perspectives To reach the c

3、ommon end goal,a solution needs to be scalable Interoperability is critical in multiple layers,from app to secure hardware.Cross-functionalContributing in the eID ecosystemOpen Source ContributionMultipaz library,now part of OpenWallet Foundation,is used by many wallet providers&issuers.It even work

4、s on iOS.Longfellow ZK is implemented by cryptographers and made easy for everyone to use to solve privacy problems.StandardizationParticipating in standard discussion,e.g.ISO/IEC 18013-5 mdoc OpenID4VCI,OpenID4VP W3C Identity Credentials API ETSI ESI specs GlobalPlatform CSP etc.A Platform That Sup

5、ports EveryoneProprietary and ConfidentialAndroid PerspectiveAndroid Operating SystemAndroid OEMAndroid OEMAndroid OEMAndroid OEMGoogle PixelPublic WalletPrivate WalletPublic WalletPrivate WalletGoogle WalletProprietary and ConfidentialStrongBoxThe Android solution(that works across OEMs)Proprietary

6、 and ConfidentialPID/QEAA on deviceLocal PID/QEAA solution is good forPrivacy:Between holder and verifierPerformance:Avoid network latency/cellular signal degradationOffline:Works anywhere you areCost:Marginal to phone;no need for a 24/7 cloud serviceThe question is how to meet LoA High in a scalabl