YinkoShield
Brief

knowledge center / theme 01

the unobserved interval

The runtime stretch between credential authentication and execution submission.

Minutes long in some flows, seconds in others, never short enough to dismiss. This theme maps the interval as it appears under each major checkpoint architecture: Play Integrity, FIDO2, EMV, behavioural biometrics, PSD2 SCA. Each article describes one gap precisely, cites the standard that defines it, and shows what runs in it without being signed.

5 articles · technical reference · cite as published

where it sits

The unobserved interval is the architectural property the Execution Evidence Infrastructure exists to address. The category page /eei defines the layer. The architectural primitive is documented at /architecture/runtime-coherence. This theme covers the diagnostic side: what the interval looks like under the standards a security architect already knows. For the existing checkpoint substrates themselves, see the upcoming Checkpoint architectures theme.

articles in this theme

type
depth
audience
  1. 01 · 2025·09
    explainer intermediate security architect

    Play Integrity verdict freshness and the inter-call gap

    What happens between successive Play Integrity calls, how long a verdict is valid, what the operator can and cannot rely on between calls.

    READ →
  2. 02 · 2025·09
    explainer intermediate security developer

    FIDO2 assertion versus transaction submission

    The WebAuthn assertion signs the challenge, not the transaction body. The gap from challenge completion to settlement message is unsigned by FIDO2.

    READ →
  3. 03 · 2025·10
    explainer intermediate security regulatory

    EMV credential generation versus device-side execution

    The rail signs the credential. Nothing in EMV signs what the device did to produce the inputs to that credential.

    READ →
  4. 04 · 2025·10
    explainer intermediate security architect

    Behavioural-biometrics session windows and transaction boundaries

    Behavioural scores compute over a session window. The transaction event may sit inside or outside that window — the score does not bind to the transaction.

    READ →
  5. 05 · 2025·10
    explainer intermediate regulatory architect

    PSD2 SCA challenge completion versus settlement message generation

    PSD2 RTS specifies challenge completion. It does not specify what happens between completion and the settlement message — that is operator-defined and not signed by the SCA mechanism itself.

    READ →
external references — cited across this theme
  1. Google. Play Integrity API — Overview. developer.android.com/google/play/integrity/overview
  2. W3C. Web Authentication: An API for accessing Public Key Credentials, Level 2. w3.org/TR/webauthn-2/
  3. EMVCo. EMV Integrated Circuit Card Specifications for Payment Systems — Book 2 (Security & Key Management). v4.4.
  4. European Banking Authority. Commission Delegated Regulation (EU) 2018/389 — Regulatory Technical Standards on Strong Customer Authentication and Common and Secure Open Standards of Communication. eur-lex.europa.eu/eli/reg_del/2018/389/oj
  5. European Banking Authority. Single Rulebook Q&A — Strong Customer Authentication. Ongoing. eba.europa.eu/single-rule-book-qa
← back to Knowledge Center /eei — what Execution Evidence Infrastructure is →