The Samsung Pass solution

Samsung is the OEM that helps both the enterprise and the device user. The enterprise achieves stronger security and the device user enjoys improved convenience. The Samsung Pass solution is based on the following users and components:

The device user

The device user is an essential participant in the Samsung Pass process. Look for this device-user icon to find the device user’s tasks during the preparation and use of Samsung Pass.

The developer

The Samsung Pass software and our enterprise partner’s customer-facing app need to interface and cooperate. Look for this developer icon to find the developer’s tasks during the Samsung Pass process.

The Samsung Pass SDK

Developers working for our enterprise partners can embed the Samsung Pass API into their consumer-facing app in order to allow biometric authentication from a mobile device in place of a traditional login and password.

The Samsung Pass Cloud

This facility provides identity verification between the enterprise and the Samsung Pass enabled app which is installed on the user’s device. Verification occurs without Samsung gaining access to the enterprise data.

A Samsung account

Every user who wishes to use the biometric authentication features of their mobile device with Samsung Pass must register their Samsung account. There are Samsung accounts for all users. Once the user registers, it is possible to securely associate the user with their specific device.

Industry-leading mobile devices

The newest Samsung devices support biometric measurements to facilitate fingerprint authentication and iris recognition. These devices also include the Samsung Pass Authentication Framework which serves as the interface between an enterprise partner’s Samsung Pass enabled app and Samsung Pass.

See the following sections for more information about the Samsung Pass components.

An SDK for building a Samsung Pass enabled app

Any enterprise partner that wants to give its users the option to authenticate through biometric measurements in place of traditional logins and passwords must embed the Samsung Pass APIs in their consumer-facing app. Once the enterprise app includes these APIs, Samsung considers it Samsung Pass enabled.

In addition, Samsung devices that support biometric measurements come with Samsung Knox and the Samsung Pass Authentication Framework. After the user downloads and installs the Samsung Pass enabled app developed by the enterprise, the mobile device has the following setup:

The Samsung Pass Authentication Framework is invisible to the device user and serves as the interface between a Samsung Pass enabled app and the other parts of Samsung Pass such as the Samsung Pass Cloud. This framework enables the device to securely handle the following procedures:

  • Calls between a FIDO client and server.
    See A quick word about FIDO for more information.

  • Registering/Deregistering the user’s biometrics

  • Responding to remote wipe commands

  • Transaction management

  • TrustZone management

    Note

    See the Samsung Knox web site for a thorough description of Knox and the ARM® TrustZone®.

The next component of Samsung Pass is the Samsung Pass Cloud account for enterprise partners.

A Samsung Pass Cloud account for every enterprise partner

Samsung devices that support biometric measurements make it easy for the device user to scan a fingerprint or scan an iris. However, the scan is only part of what is needed to achieve secure authentication. This is where the Samsung Pass Cloud helps.

Each enterprise that partners with Samsung has an account on the Samsung Pass Cloud. The purpose of the account is for an enterprise partner to register their Samsung Pass enabled app and share unique details about their app. Samsung Pass uses these details to authenticate the Samsung Pass enabled app after the user installs it and tries to authenticate their identity on their mobile device.

As the OEM, Samsung is in a better position to authenticate the state of the device and the Samsung Pass enabled app than a third-party enterprise. Samsung’s goal is to make sure an illegitimate or malicious app hasn’t replaced an enterprise partner’s legitimate Samsung Pass enabled app.

The next component of Samsung Pass is a Samsung account for every device user.

A Samsung account for every user

Every user with a Samsung mobile device that is capable of biometric authentication must register their Samsung account in order to use Samsung Pass. If the user does not register their account, Samsung Pass cannot authenticate the user’s device or the user’s identity.

A Samsung device displays this registration option when the user first turns on the device. Should the user skip this step during first boot, it is always possible for users to register later through an option in the Settings menu.

What about data privacy?

The design of Samsung Pass ensures that data privacy is protected and partner data is passed directly between partner servers and the partner’s Samsung Pass enabled app on the mobile device. Samsung has no visibility into the information exchanged between a user’s device and the enterprise partner’s servers.

The Samsung Pass Cloud and the Samsung Pass Authentication Framework only work with data knowingly provided by the enterprise partner. In fact, the Samsung Pass Cloud acts as a passive repository which is available for the enterprise partner’s servers to query.

The Samsung Pass Cloud never queries the enterprise servers for information.