Post Quantum Cryptography Readiness
The Mobile-First Authentication product supports post-quantum cryptography to protect mobile authentication and encrypted communication against future quantum computer attacks.
We adhere to the principle of so-called “Crypto-Agility”, whereby our solution enables us to easily integrate new algorithms and simply modify the server configuration to use them.
Post-Quantum Algorithms
Mobile-First Authentication uses:
- ML-KEM for post-quantum key encapsulation
- ML-DSA for post-quantum digital signatures
These algorithms are integrated in a hybrid model together with classical Elliptic Curve Cryptography (ECC) using curve P-384.
Mobile-First Authentication uses these algorithms for secure key exchange and cryptographic signing operations within the platform.
See the complete List of Used Algorithms.
Key Derivation and Key Types
As an outcome of the Activation process, a single long‑term shared secret is established between the PowerAuth Client and PowerAuth Server. System also incorporates short-term shared secret for protecting request and response payloads.
- Activation Shared Secret (long-term)
- Temporary Shared Secret (short-term)
The solution uses the concept of derived keys. Each derived key is computed using the KDF algorithm. Each key has exactly one purpose and all domains (authentication, encryption, utilities, vault) are strictly separated via dedicated KDKs.
- Authentication Factor Keys
- Encryption Keys
- Utility Keys
- Vault Keys
Vault contains Device Private Key and other derived keys. These keys allow applications to protect additional sensitive material that becomes available only after successful authentication.
See details for Key Derivation the complete List of Used Keys.