We’ve updated our market-leading decentralized identity (DI) mobile wallet SDK to secure mobile credentials with hardware security modules (HSMs), as required under European Union Digital Identity (EUDI) regulations.
As a refresher, our mobile wallet SDK lets our customers easily integrate DI and verifiable credential (or reusable credential) solutions into their applications. It is a native SDK for both iOS and Android and notably does not rely on any third-party frameworks such as JavaScript frameworks.
Our 3.0 release of the mobile wallet SDK primarily brought in European Union Digital Identity (EUDI)-aligned standards, such as OpenID4VC (OpenID4VCI and OpenID4VP) and IETF SD-JWT VCs. Our 3.1 release bundled in new support for resolving three DID methods that are gaining mass adoption: cheqd, Web, and JWK. And now our 3.2 release takes this a step further, allowing our SDK consumers to use HSMs, such as those built into modern mobile phones, for securing verifiable credentials (VCs) as required by EUDI regulations.
EUDI requires mobile wallets to secure credentials with HSMs
The cryptographic keys that a user owns can bind the VCs stored in the DI wallet to the user (commonly called holder or device binding). The presentation of the VCs is secured by a cryptographically verifiable signature that the same key bound to the VCs produces. This mechanism gives verifiers certainty that only the key holder can present the VCs.
Obviously, then, it is critical to protect the cryptographic keys, and so the EUDI has pushed for highly sensitive VCs (such as government IDs) to be secured by keys managed by an adequate HSM rather than by mechanisms such as “software keys”, where in-app software manages the keys but lacks the same security assurances.
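The holder binding described above, sketched from the verifier's side as an added example (not code from the Anonyome Labs SDK). The `Credential`, `Signer`, `NewHolderKey`, `Digest` and `Verify` names, the verifier nonce and the choice of ECDSA P-256 are assumptions, and an in-memory key hidden behind a signing closure stands in for a hardware-held key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Credential is a constructed stand-in for a VC. The issuer binds it to the
// holder by embedding the holder's public key (issuer signature omitted).
type Credential struct {
	Subject   string
	HolderKey *ecdsa.PublicKey
}

// Signer models a non-exportable key: it signs but never reveals the private key.
type Signer func(digest []byte) ([]byte, error)

// NewHolderKey returns the public key and a signing closure over the private key.
func NewHolderKey() (*ecdsa.PublicKey, Signer, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	sign := func(d []byte) ([]byte, error) { return ecdsa.SignASN1(rand.Reader, priv, d) }
	return &priv.PublicKey, sign, nil
}

// Digest ties a presentation to one credential subject and the verifier's nonce.
func Digest(c Credential, nonce string) []byte {
	h := sha256.Sum256([]byte(c.Subject + "\x00" + nonce))
	return h[:]
}

// Verify accepts only a signature made by the key bound inside the credential.
func Verify(c Credential, nonce string, sig []byte) bool {
	return c.HolderKey != nil && ecdsa.VerifyASN1(c.HolderKey, Digest(c, nonce), sig)
}

func main() {
	pub, sign, _ := NewHolderKey()
	_, other, _ := NewHolderKey() // a second device's key, not bound to vc
	vc := Credential{Subject: "constructed-subject", HolderKey: pub}
	good, _ := sign(Digest(vc, "nonce-1"))
	bad, _ := other(Digest(vc, "nonce-1"))
	fmt.Println(Verify(vc, "nonce-1", good), Verify(vc, "nonce-1", bad), Verify(vc, "nonce-2", good))
}
```

Only the first check passes: a signature from another key, or one replayed against a different nonce, is rejected.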
Version 3.2 of Anonyome Labs’ mobile wallet SDK makes it simple to secure credentials with HSMs
We have updated our SDK so that the keys used to bind the W3C VCDM and IETF SD-JWT VCs that it receives can now be easily configured to use the embedded HSM on the mobile device running the wallet.
Using either Android StrongBox or the iOS Secure Enclave, the HSMs supported in the EUDIW ARF documentation, our SDK isolates the cryptographic keys from the rest of the device and makes them non-exportable. In this way, we achieve the high level of security the EUDI regulations now demand.
In other news, we’ve also designed the SDK so that consumers can “BYO cryptography provider”. This is particularly exciting because it allows consumers to develop custom cryptography providers to fit their use cases. For instance, remote cloud-based HSMs are a popular option in EUDI developments, and “local external” HSMs, such as the YubiKey, offer exciting opportunities that we’ve also been experimenting with. We’ll make an announcement about these soon!