Page Summary
- Users must have an Android device running SDK 28+, an active Google Account, device lock enabled and no existing VDC, along with a physical identity document.
- Only one VDC can be registered per Google Account and device pair, but multiple VDCs can be registered to the same Google Account across different devices.
- Connections between Google and Issuer servers require both parties to present keys during the TLS handshake, must not offer NULL or anon ciphers, and must support one of the listed ECDHE AEAD cipher suites.
- All Issuers must use mTLS when communicating with Google servers. When Google calls an Issuer, Google presents a client certificate that the Issuer pins and validates.
- When an Issuer calls Google servers it must present a client certificate, which Google validates against a pinned certificate; Issuers aren't required to pin Google's server certificate.
User prerequisites
- An Android-powered device with:
  - Android SDK 28+
  - An active Google Account
  - Device lock enabled
  - No existing VDC
- A physical identity document
Connection security
Connections between Google and Issuer servers must adhere to the following requirements:
- Both Google and Issuers must present keys during TLS handshakes, that is, each side authenticates with its own certificate
- Servers must not offer NULL or anon ciphers during TLS handshakes
- Connections must support one of the following cipher suites:
  - ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
  - ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
  - ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256
  - ECDHE-RSA-WITH-AES-128-GCM-SHA256
  - ECDHE-RSA-WITH-AES-256-GCM-SHA384
  - ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256
- All Issuers are required to use mTLS when communicating with Google servers.
Google to Issuer communication
When Google communicates with Issuer servers, Google presents a client certificate; Issuers are responsible for pinning and validating it. In turn, Google validates the server certificate presented by the Issuer against the server certificate Google has pinned.
Issuer to Google communication
When Issuers communicate with Google servers using the Google Wallet Identity APIs, they must present a client certificate, which Google validates against a pinned certificate.
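The handshake rules above (both sides present certificates, only the ECDHE AEAD suites are offered, NULL and anon suites are never offered, and each side pins the other's certificate) as an added, runnable Go example. This is not code from the page or from Google: it models both ends of the channel on a loopback socket with constructed self-signed certificates, maps the page's cipher names to the `crypto/tls` constants for the same suites, and pins by SHA-256 fingerprint of the peer's leaf certificate (the page does not say which pinning method Google or Issuers use). The function and variable names are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"net"
	"slices"
	"time"
)

// The six suites the page lists, under Go's constant names. Go implements no
// NULL or anonymous suites, so that prohibition holds by construction.
var allowedSuites = []uint16{
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
}

// TLS 1.3 suites are fixed AEADs that Go does not let you configure; they pass too.
var tls13Suites = []uint16{tls.TLS_AES_128_GCM_SHA256, tls.TLS_AES_256_GCM_SHA384, tls.TLS_CHACHA20_POLY1305_SHA256}

// SuiteAllowed reports whether a negotiated suite satisfies the page's list.
func SuiteAllowed(id uint16) bool {
	return slices.Contains(allowedSuites, id) || slices.Contains(tls13Suites, id)
}

// SelfSigned: throwaway ECDSA P-256 cert for 127.0.0.1 (constructed demo material, errors ignored).
func SelfSigned(cn string) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// pin accepts a peer only when its leaf cert is exactly the pinned one; runs after normal chain validation.
func pin(expected tls.Certificate) func([][]byte, [][]*x509.Certificate) error {
	want := sha256.Sum256(expected.Certificate[0])
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 || sha256.Sum256(rawCerts[0]) != want {
			return errors.New("peer certificate does not match pin")
		}
		return nil
	}
}

// Handshake runs one loopback mTLS handshake: the server (Issuer) requires and pins the client
// cert expectedClient; the client (Google) pins pinnedServer and offers the certs in offered (nil = none).
func Handshake(server, pinnedServer, expectedClient tls.Certificate, offered []tls.Certificate) (uint16, error) {
	pool := func(c tls.Certificate) *x509.CertPool { p := x509.NewCertPool(); p.AddCert(c.Leaf); return p }
	srvCfg := &tls.Config{
		MinVersion:            tls.VersionTLS12,
		CipherSuites:          allowedSuites,
		Certificates:          []tls.Certificate{server},
		ClientAuth:            tls.RequireAndVerifyClientCert, // mTLS: no client certificate, no connection
		ClientCAs:             pool(expectedClient),
		VerifyPeerCertificate: pin(expectedClient),
	}
	cliCfg := &tls.Config{
		CipherSuites:          allowedSuites, // Go clients already default to a TLS 1.2 minimum
		Certificates:          offered,
		RootCAs:               pool(pinnedServer),
		VerifyPeerCertificate: pin(pinnedServer),
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return 0, err
	}
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil {
			err = c.(*tls.Conn).Handshake()
			c.Close()
		}
		srvErr <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	return conn.ConnectionState().CipherSuite, <-srvErr
}
```

Two practical points the page's wording implies but does not spell out. Pinning the exact certificate means every rotation of the peer's certificate is a coordinated change on both sides, so the new pin has to be staged before the peer cuts over. And the six listed suites are TLS 1.2 suites; a TLS 1.3 connection negotiates one of that version's fixed AEAD suites instead, which is why `SuiteAllowed` accepts those as well.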