Secure Digital Signing with Mobile PKI
Allow users to sign documents, transactions and perform all high-trust use cases directly from their own mobile devices without compromising security.
Does Digital Signing Mean Making a Choice Between Usability and Security?
Public-key infrastructure (PKI) allows users to sign transactions, documents, and perform high-trust operations. Keeping private signing keys secure is essential, as a compromised private key collapses the entire security model. So how is it possible to secure X.509 certificates and protect private keys when the devices that perform signing operations are inherently insecure and exist outside the boundaries of the organization?
Storing Keys on External, Dedicated Hardware is Bad UX for Mobile
Carrying dedicated external hardware is frustrating to end-users, who may have multiple devices for multiple services
Provisioning and shipping external devices is not scalable, often costly and inefficient for procurement teams
Mobile devices such as smartphones are incompatible with USB tokens and smartcards, thus making PKI on mobile impossible in some cases
...but Storing Keys on Endpoints is Bad Security
Mobile devices are inherently insecure, as they allow for potentially malicious software to be installed
Storing keys on insecure devices means keys can be lifted off and compromised remotely
Using manufacturer-embedded hardware, e.g. secure elements, if possible at all, means developing apps per device, which isn’t feasible in a fragmented device landscape
Enable Digital Signing from Any End-User Mobile Device
Unbound Crypto-of-Things (CoT) allows secure digital signing without requiring trusted storage on the end-user’s device OR on external, dedicated hardware. A unified, single API is used to deploy a virtual secure enclave across all devices to protect crypto keys at the application level. Unbound’s vHSM technology enables signatures to be created without the private key ever being present on the device, thus ensuring keys cannot be compromised, cloned or tampered with even if the device is infected by malware or physically controlled by an adversary.
This software-only solution gives users a comfortable, transparent method to sign transactions from their own devices. Now they only need to approve a push request – without carrying any external hardware device.
Secure & Easy
No hardware tokens and smart cards – same level of trust, just without the hassle
Any App. Any Device
Integrates directly into the app and deploys on any desktop, laptop or mobile device
Elastic and Scalable
Infinitely scalable to support any number of devices
Centralized management and tamper-proof, real-time auditing of every digital signing operation
If needed, revoke the key immediately on the central management server
See how it works:
In the diagram below, Unbound CoT enables secure digital signing with mobile PKI
Unbound CoT integrates with PKI applications, enabling secure digital signing from mobile devices without requiring any additional hardware. The signing can be done for transactions initiated on the mobile device, or alternatively the mobile device can be used as a second factor for transactions initiated on a desktop application / website.
Step 1: The user approves the transaction request on the mobile device, optionally using authentication methods such as PIN/password/device-native biometrics.
Step 2: The mobile app signs the transaction together with the CoT server.
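To make the two-step flow concrete, here is an added illustration (not Unbound's code and not its actual protocol) of how a device and a server can each hold only a share of a private key and still produce one ordinary signature: a two-party Schnorr signature over NIST P-256 with additive key shares. The function names, the use of Schnorr rather than Unbound's MPC scheme, and the simplified two-round exchange are assumptions of this example; the verifier is a standard single-key check that never learns the key was split.

```python
import hashlib
import secrets

# NIST P-256 domain parameters (short Weierstrass form, a = -3).
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
GEN = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
       0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)

def ec_add(A, B):
    """Affine point addition; None is the point at infinity."""
    if A is None or B is None:
        return A or B
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    num, den = (3 * x1 * x1 - 3, 2 * y1) if A == B else (y2 - y1, x2 - x1)
    lam = num * pow(den, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, Pt):
    R = None  # double-and-add; not constant-time (illustration only)
    while k:
        R = ec_add(R, Pt) if k & 1 else R
        Pt, k = ec_add(Pt, Pt), k >> 1
    return R

def challenge(R, msg):
    """Fiat-Shamir challenge e = H(R || m) mod n, binding nonce to message."""
    enc = R[0].to_bytes(32, "big") + R[1].to_bytes(32, "big") + msg
    return int.from_bytes(hashlib.sha256(enc).digest(), "big") % N

def split_keygen():
    """Each party samples its own share; only public shares are exchanged."""
    x_dev, x_srv = (secrets.randbelow(N - 1) + 1 for _ in range(2))
    return x_dev, x_srv, ec_add(ec_mul(x_dev, GEN), ec_mul(x_srv, GEN))

def mpc_sign(x_dev, x_srv, msg):
    """Round 1: combine nonce points into R. Round 2: each side computes its
    partial s_i = k_i + e*x_i locally; only the sum leaves the parties."""
    k_dev, k_srv = (secrets.randbelow(N - 1) + 1 for _ in range(2))
    R = ec_add(ec_mul(k_dev, GEN), ec_mul(k_srv, GEN))
    e = challenge(R, msg)
    return R, ((k_dev + e * x_dev) + (k_srv + e * x_srv)) % N

def verify(pub, msg, sig):
    """Standard single-key Schnorr check: s*G == R + e*pub."""
    R, s = sig
    return ec_mul(s, GEN) == ec_add(R, ec_mul(challenge(R, msg), pub))
```

A deployable two-party protocol additionally commits to each nonce point before revealing it and authenticates the device's request (the PIN/biometric step above) before the server contributes its share; both are left out here to keep the arithmetic visible.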
Get an in-depth explanation of how Unbound uses MPC, a mathematically proven method to secure keys on any device.
How to Go Beyond BYOK with CYOK
Control Your Own Keys in the Cloud (CYOK) can ensure your sensitive assets remain secure even in the event of a breach.
Unbound Key Control
Learn how Unbound Key Control, the first secure-as-hardware key management system, can protect your crypto keys anywhere.