On January 16, 2016, the "Online & Offline Secure Authentication Application Workshop and SCA Annual Meeting," hosted by SCA and Shanghai Aohsmart Technology, was held at the Shanghai Radissonzd Hotel. The event was attended by nearly 40 organizations including the Third Institute of the Ministry of Public Security , China Telecommunication Technology Labs (CTTL), Linaro, Fast IDentity Online (FIDO) Alliance, security OS providers, security chip, smart card, smart device and smartphone manufacturers, third-party payment service providers, banks, as well as Chinese and International security certification agencies.

A wide range of online and offline security application scenarios were thoroughly discussed during the workshop. Experts from all sectors of the industry chain offered their opinions. The highlights are as follows:

■  Cyberspace needs legal regulation, but such regulation, especially on information security, is no longer a conventional security issue. It has a broader connotation.

■  Electronic Identity (eID) in China is loaded into smart chips, based on cryptographic technique. It is issued by the Citizen Online Identification System of China's Ministry of Public Security. eID enables online remote identity authentication without leaking personal information, so it can be widely used for online authentication.

■  eID in China is characterized by 3 elements: 1. It is issued by the Citizen Online Identification System of China's Ministry of Public Security; 2. It is cryptography and smart-chip based; 3. It is used for special purposes.

■ The collaboration between eID and its partners have the following advantages: 1. It mitigates issuance risks; 2. eID can be embedded into a bank card with e-banking service (in real name); 3. eID is key to Internet+ services; 4. eID helps enhance online service security.

■ The value of eID application collaboration lies in 1. secure and accurate identification technology; 2. non-repudiation of online messages endorsed by digital signature technology; 3. maximization of personal identity information and privacy protection.

■ eID can assist third-party payment companies to ensure user convenience while meeting the information integrity requirements posed by regulators.

■ The application of eID currently expended to cross-border e-commerce clearance, industrial and commercial administration digitalization, Internet + logistics, electronic signature for contracts, among other applications.

■ Apart from testing terminals based on Chinese standards, CTTL also provides international certifications of mobile terminals as it receives authorization from American and European agencies.

■ CCTL also conducts security tests for mobile payments, and evaluates biometrics, trusted terminals and chip security.

■ A complex password plus an additional smart device is an authentication method unpopular among users. On the other hand, user-friendly biometric methods that guarantee high security are needed badly.

■ Smartphones now account for 91.7% of all cell phones. As more and more Apps are used on smartphones, there is a greater need for identification and authentication. Since 2014, the percentage of smartphones with biometrics has increased year by year. Even some smartphones priced at RMB 1,000 are equipped with biometric models.

■ In addition to fingerprints, some Biometric smartphones also incorporate facial, voiceprint and iris recognition, among others.

■ The FIDO Alliance has precisely defined biometric identification and the local and remote server authentication processes, which are adopted by many organizations.

■ CTTL was authorized by GlobalPlatform last year to test products on GPTEE specifications based on the needs of Chinese manufacturers.

■ In 2016, CTTL will collaborate with SCA to give comprehensive training on GPTEE specifications, in hopes to share CTTL's experience and know-how with interested companies.

■ Without hardware, security is like "the moon on the water,” as without software support, even hardware-based security is challenged to deliver a good user experience. In short, the best solutions must be a combination of hardware and software.

■ By far, TEE has yet to achieve interoperability, which is an industry-wide challenge. It is speculated this situation will improve once a TEE standard comes out, so concerted efforts are needed by all sectors throughout the industry to achieve this.

■ Linaro can reduce fragmentation generated by different ecosystems meeting different demands for TEE of various users, so Linaro will assist SoC manufacturers and OEMs to address these different demands.

■ The problems associated with TEE are as follows: 1. both secure and non-secure areas have their own OS, each of which needs to develop a kernel driver, middle ware and upper-level application, as well as an integral test framework and test case for verification; 2. It is difficult to design because developers need to consider the interrupt handler in both user and kernel space, isolation of two environments in memory, message channel building, code downsizing, performance optimization (e.g. memory share), power management, among others. 3. It takes large amounts of manpower and time to produce a TEE product.

In 2016, SCA will continue to collaborate with different organizations in the industry and hold discussions on the applications of secure communications and secure identification and authentication in a wide range of fields, facilitating cross-sector communication throughout the industry. Meanwhile, SCA will offer new services in 2016, including a customized training platform that improves products and services for companies and an omni-channel digital media marketing platform for companies to promote proven products. Any interested organization is welcome to contact us and become our partner.