Samsung is the OEM that helps both the enterprise and the device user. The enterprise achieves stronger security and the device user enjoys improved convenience. The Samsung Pass solution is based on the following users and components:
See the following sections for more information about the Samsung Pass components.
Any enterprise partner that wants to give its users the option to authenticate through biometric measurements in place of traditional logins and passwords must embed the Samsung Pass APIs in their consumer-facing app. Once the enterprise app includes these APIs, Samsung considers it Samsung Pass enabled.
In addition, Samsung devices that support biometric measurements come with Samsung Knox and the Samsung Pass Authentication Framework. After the user downloads and installs the Samsung Pass enabled app developed by the enterprise, the mobile device has the following setup:
The Samsung Pass Authentication Framework is invisible to the device user and serves as the interface between a Samsung Pass enabled app and the other parts of Samsung Pass, such as the Samsung Pass Cloud. This framework enables the device to securely handle the following procedures:
Calls between a FIDO client and server
See A quick word about FIDO for more information.
Registering and deregistering the user’s biometrics
Responding to remote wipe commands
See the Samsung Knox website for a thorough description of Knox and the ARM® TrustZone®.
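The three procedures above, as a constructed model added here to illustrate the FIDO-style flow; this is not Samsung's code, and the Authenticator, Server, Register, Sign, Wipe, Challenge and Verify names are assumptions. It shows why registration sends only a public key to the enterprise server, why each authentication signs a fresh server challenge, and why a remote wipe makes further assertions impossible.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Authenticator models the device side for one enterprise app; its private key never leaves the device.
type Authenticator struct{ priv ed25519.PrivateKey }

// Server models the enterprise partner's FIDO server: public keys by user id, plus fresh challenges.
type Server map[string]ed25519.PublicKey

// Register generates the credential on the device; only the public half is sent to the server.
func (a *Authenticator) Register(s Server, user string) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	a.priv, s[user] = priv, pub
	return nil
}

// Sign answers a challenge, refusing if the biometric match failed or the credential is gone.
func (a *Authenticator) Sign(challenge []byte, biometricOK bool) ([]byte, error) {
	if a.priv == nil {
		return nil, errors.New("no credential on device (deregistered or wiped)")
	}
	if !biometricOK {
		return nil, errors.New("biometric match failed")
	}
	return ed25519.Sign(a.priv, challenge), nil
}

// Wipe serves deregistration and a remote wipe command alike: the key is destroyed.
func (a *Authenticator) Wipe() { a.priv = nil }

// Challenge returns a fresh 32-byte nonce so a captured assertion cannot be replayed.
func (s Server) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify accepts an assertion only if this user's registered key signed exactly this challenge.
func (s Server) Verify(user string, challenge, sig []byte) bool {
	pub, ok := s[user]
	return ok && ed25519.Verify(pub, challenge, sig)
}
```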
The next component of Samsung Pass is the Samsung Pass Cloud account for enterprise partners.
Samsung devices that support biometric measurements make it easy for the device user to scan a fingerprint or an iris. However, the scan is only part of what is needed to achieve secure authentication. This is where the Samsung Pass Cloud helps.
Each enterprise that partners with Samsung has an account on the Samsung Pass Cloud. The purpose of the account is for an enterprise partner to register their Samsung Pass enabled app and share unique details about their app. Samsung Pass uses these details to authenticate the Samsung Pass enabled app after the user installs it and tries to authenticate their identity on their mobile device.
As the OEM, Samsung is in a better position to authenticate the state of the device and the Samsung Pass enabled app than a third-party enterprise. Samsung’s goal is to make sure an illegitimate or malicious app hasn’t replaced an enterprise partner’s legitimate Samsung Pass enabled app.
The next component of Samsung Pass is a Samsung account for every device user.
Every user with a Samsung mobile device that is capable of biometric authentication must register their Samsung account in order to use Samsung Pass. If the account is not registered, Samsung Pass cannot authenticate the user’s device or the user’s identity.
A Samsung device displays this registration option when the user first turns on the device. If the user skips this step during first boot, they can register later through an option in the Settings menu.
The design of Samsung Pass ensures that data privacy is protected and partner data is passed directly between partner servers and the partner’s Samsung Pass enabled app on the mobile device. Samsung has no visibility into the information exchanged between a user’s device and the enterprise partner’s servers.
The Samsung Pass Cloud and the Samsung Pass Authentication Framework only work with data knowingly provided by the enterprise partner. In fact, the Samsung Pass Cloud acts as a passive repository that is available for the enterprise partner’s servers to query.
The Samsung Pass Cloud never queries the enterprise servers for information.