Based on Public Key Cryptography
IDEE leverages public key cryptography (PKC) to assure user/device authenticity, integrity and identity, coupled with non-repudiation. This ensures that only IDEE-authorized devices can communicate with IDEE Authentication Services (IAS), over a secure, authenticated channel established with transport layer security (TLS) mutual authentication.
A challenge-response authentication protocol based on PKC is used to eliminate the security issues associated with symmetric cryptography, where the secret keys must be shared with the identity provider so that it can validate a transaction. With PKC, IAS neither shares nor has access to any user authentication credentials. All user authentication attributes (such as private signing keys) are generated and stored securely in the secure enclave (or secure element) of the user’s device. These keys are not accessible to IAS, not even during recovery. In the event of a breach, no user data is at risk. IDEE is therefore verifier compromise resistant as defined in the NIST SP 800-63B digital identity guidelines.
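As an added illustration (not IDEE or IAS code), the PKC challenge-response pattern described above in Go: the verifier keeps only enrolled public keys and one-time nonces, so a copy of its store yields nothing that can answer a challenge, and each nonce is consumed on use so a captured response cannot be replayed. The device id, the choice of Ed25519 and the in-memory maps are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Verifier stands in for IAS. It stores only public keys and unanswered nonces,
// so an attacker who copies this store still cannot impersonate any user.
type Verifier struct {
	pubKeys map[string]ed25519.PublicKey // device id -> enrolled public key
	pending map[string][]byte            // device id -> outstanding challenge
}
func NewVerifier() *Verifier {
	return &Verifier{map[string]ed25519.PublicKey{}, map[string][]byte{}}
}
func (v *Verifier) Enroll(id string, pk ed25519.PublicKey) { v.pubKeys[id] = pk }

// Challenge issues a fresh 32-byte random nonce to an enrolled device.
func (v *Verifier) Challenge(id string) ([]byte, error) {
	if _, ok := v.pubKeys[id]; !ok {
		return nil, fmt.Errorf("unknown device %q", id)
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	v.pending[id] = nonce
	return nonce, nil
}

// Verify checks the signature over the outstanding nonce and consumes the nonce
// whether or not it matches, so a captured response cannot be replayed.
func (v *Verifier) Verify(id string, sig []byte) bool {
	nonce, ok := v.pending[id]
	delete(v.pending, id)
	return ok && ed25519.Verify(v.pubKeys[id], nonce, sig)
}

func main() {
	// Device side: the key pair is generated on the device and the private key never
	// leaves it (a secure enclave enforces that in hardware); IAS sees only pub and sig.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	v := NewVerifier()
	v.Enroll("device-1", pub)
	nonce, _ := v.Challenge("device-1")
	sig := ed25519.Sign(priv, nonce)
	fmt.Println("fresh response accepted:", v.Verify("device-1", sig))    // true
	fmt.Println("replayed response accepted:", v.Verify("device-1", sig)) // false
}
```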