Most businesses today have an online presence, which necessitates rigorous security measures to protect their confidential information and assets. For example, banks, brokerages and other financial institutions generally permit their customers to engage in online financial transactions. For merchant retailers, online sales transactions account for an ever-increasing percentage of overall sales, and some merchants operate entirely online with no physical stores at all. Professional firms such as law or engineering firms, corporations in all areas of business, and governmental organizations often grant their employees online access to internal trade secrets, private customer information and other highly confidential and valuable internal information. However, the ever-increasing popularity of these various types of online transactions has given rise to a corresponding increase in online fraud by hackers and other criminals, resulting in an ever-increasing need for greater online security.
One of the limiting factors affecting the security and authenticity of a requested transaction relates to the operating conditions of the entity requesting the transaction. Ideally, the trust accorded to an entity should be carefully metered based on knowledge of the attributes of that entity (e.g., its security capabilities, exploitability, coercibility, etc.). Unfortunately, software-only solutions cannot by themselves form a reliable basis for a system to provide the desired property of non-repudiation for the transaction. That is why it is a common requirement that tamper-resistant hardware, e.g., a trusted computing module or a one-time password (OTP) token, participate in a transaction in order to warrant a higher level of assurance and to provide non-repudiation for the transaction.
There are practical difficulties with the use of tamper-resistant hardware. For example, not all modern devices are released with tamper-resistant hardware, for economic and pragmatic reasons, and small Internet-of-Things (IoT) devices are typically among the least well-endowed. Access to the tamper-resistant hardware might be limited by vendors or regulators, or might otherwise be unavailable. Alternatively, access to the tamper-resistant hardware might be inconvenient or expensive.
Fortunately, it is likely that an individual already owns a device which is equipped with some type of tamper-resistant hardware, such as one of the following examples:
    a phone with a SIM card;
    a phone with a secure element (e.g., iOS or Intel SGX) or hardware-based isolation (e.g., Samsung and KNOX);
    a laptop with a Trusted Platform Module (TPM); or
    a wearable device with a secure element (e.g., Apple Watch).
Even when the desired access to tamper-resistant hardware is available on a given device, that device might not be the one preferred for the contemplated action. For instance, a smartphone with a secure element in the SIM card might be the most secure way to access an online service, but a user may prefer to use a tablet with a bigger screen for that action, even though the tablet lacks the required security features. Today, in such a scenario, users will typically make a tradeoff that compromises security in favor of usability and convenience.