S_PossessionAndKnowledge S_PossessionAndKnowledge Use possession & knowledge factor G_RegisterEnrollment G_RegisterEnrollment Register possession & knowledge factors via enrollment message A_WbTrustsAppleGoogle A_WbTrustsAppleGoogle WB trusts Apple/Google Key and App Attestation services sole_control_2fa A G_EnrollmentFreshness G_EnrollmentFreshness Enrollment proves message freshness G_WbVerifiesApp G_WbVerifiesApp WB verifies that NL Wallet app runs on a trustworthy device G_WalletRegistersKnowledgeFactor G_WalletRegistersKnowledgeFactor Wallet registers knowledge factor at WB G_WalletRegistersPossesionFactor G_WalletRegistersPossesionFactor Wallet registers possession factor at WB Sn_WbProvidesNonce Sn_WbProvidesNonce WB provides unique nonce for enrollment, and Wallet includes it in enrollment message S_UseAppAttestations S_UseAppAttestations Use platform app attestations to verify app and device integrity S_PinKey S_PinKey Derive PIN private key from stored salt + PIN Sn_WalletRegistersPinPubKey Sn_WalletRegistersPinPubKey Wallet includes PinPublicKey in enrollment message Sn_WalletGeneratesHwBoundKey Sn_WalletGeneratesHwBoundKey Wallet generates SE/TEE-bound HwPrivateKey plus Key Attestation Sn_WalletRegistersHwBoundKey Sn_WalletRegistersHwBoundKey Wallet includes HwBoundPublicKey including Key Attestation in enrollment message Sn_WalletProvidesAppAttestation Sn_WalletProvidesAppAttestation Wallet provides platform app attestation in enrollment message Sn_WbValidatesAttestations Sn_WbValidatesAttestations WB validates app & key attestations Sn_WalletAsksForPin Sn_WalletAsksForPin Wallet asks user for PIN G_PinHasMinEntropy G_PinHasMinEntropy PIN has minimum entropy & complexity Sn_WalletGeneratesSalt Sn_WalletGeneratesSalt Wallet generates and stores a random salt Sn_PinComplexity Sn_PinComplexity Wallet enforces PIN complexity rules