Mobile platforms or connected devices such as smart phones, personal computers, tablet PCs are integrating a secure element to authenticate the platform, to protect user credentials or to secure transactions. The secure element is typically a highly tamper resistant device that provides a secure execution environment isolated from the host processor. The secure element may be integrated into various form factors such as, for example, SIM cards, SD cards, or small outline packages attached directly on the printed circuit board (embedded secure element) and is especially useful for payment applications such as bank cards, mobile wallets and the like.
A payment transaction often requires the authentication of the user to either activate the application or to validate the transaction. A payment transaction is usually performed on a secure terminal with trusted user interfaces (i.e. secure display and keypad) for added security. In the typical mobile handset type architecture, a user enters their PIN code or activates the confirmation button located directly on the handset keypad. The entry of the PIN code or the activation of the confirmation button is typically handled by the host processor which operates in a non-secure and open environment. Because mobile handsets are typically connected to a network, the handsets can be infected by malware that can operate to intercept the entered PIN code or cause an invalid transaction to be confirmed.
Typical transaction validation involves two factors: 1) the application needs to be assured that only the user can validate the transaction; 2) the user needs to be assured that only the transaction the user accepts is completed. However, requiring entry of a PIN code to validate each transaction may be seen as user unfriendly and not very secure as the more times a PIN code is entered the greater the chance of it being observed and stolen.