Hung-Kai Chuang

FIDO biometrics and financial technology, expand the application scenarios of financial technology!

The FSC will implement biometric authentication for identity verification and introduce the FIDO standard, which could go live as early as Q4 and will expand the application scenarios of financial technology. What problem does FIDO solve? Why can FIDO expand fintech application scenarios?

How can I identify myself? Three Routes to Identity Confirmation

The three factors of cryptographic authentication are:

something you know: something the user knows, such as a password.

something you have: an item held by the user, such as the user's mobile phone. The most common form is the OTP SMS: after the account password is entered, a text message or authentication code is sent to the user's mobile phone or mailbox, confirming that the person logging in holds the user's item in addition to knowing the password. (Many identity verification procedures for online credit card payments follow this route.)

something you are: a characteristic of the user, such as personal biometric identification by fingerprint, face, iris, finger vein and other methods.

What is FIDO?

FIDO stands for "Fast Identity Online". It authenticates the user's identity on a personal hardware device, after which the user can use various websites and mobile services.

For example, when paying online with Apple Pay, the card payment can be completed with fingerprint or facial recognition alone, and there is no need to go through the traditional OTP SMS as an identity authentication procedure.

What's so good about this?

Provides authentication services that are more secure and stable than personal passwords.

In the past, identification information such as account passwords was stored on the server. If the server was attacked, that information would leak. Alternatively, unscrupulous groups used phishing (fake) websites to trick individuals into handing over their authentication information and then stole their property.

For example, an attacker builds a fake OO Bank website or app, tricks consumers into entering their online banking user ID, password and other information, and then transfers their money out.

However, under the FIDO model, authentication is completed on the personal hardware device, and only information such as the fact of completion is sent to the central server; the details of the fingerprint or face are not sent. The central server therefore does not need to keep personal identification information, and there is no need to worry about that information leaking when the server is attacked, or about being caught by phishing websites.
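The flow described above can be sketched as follows. This is an added example, not code from the original post or from the FIDO Alliance: it is a simplified model of FIDO's public-key challenge-response rather than the real WebAuthn message format, and the names `createAuthenticator`, `createServer`, `userVerified` and the `bank.example` origins are constructed for illustration.

```javascript
const nodeCrypto = require('node:crypto');

// Device side (authenticator): the private key never leaves this closure.
function createAuthenticator() {
  const { publicKey, privateKey } =
    nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    publicKey: publicKey.export({ type: 'spki', format: 'pem' }), // only this is registered
    // userVerified stands in for the local fingerprint/face match (assumption).
    sign(challenge, origin, userVerified) {
      if (!userVerified) return null; // biometric check failed: nothing is signed
      const clientData = JSON.stringify({ challenge, origin });
      const sig = nodeCrypto.sign('sha256', Buffer.from(clientData), privateKey);
      return { clientData, signature: sig.toString('base64') };
    },
  };
}

// Server side: stores a public key per user and nothing biometric.
function createServer(expectedOrigin) {
  const users = new Map();   // username -> public key (PEM)
  const pending = new Map(); // username -> outstanding challenge
  return {
    register(user, publicKeyPem) { users.set(user, publicKeyPem); },
    storedRecord(user) { return users.get(user); },
    newChallenge(user) {
      const c = nodeCrypto.randomBytes(32).toString('base64');
      pending.set(user, c);
      return c;
    },
    verify(user, assertion) {
      const challenge = pending.get(user);
      pending.delete(user); // one-time use: a replayed assertion fails
      if (!assertion || !challenge || !users.has(user)) return false;
      let data;
      try { data = JSON.parse(assertion.clientData); } catch { return false; }
      // The signed data names the site the device talked to; a look-alike site fails here.
      if (data.challenge !== challenge || data.origin !== expectedOrigin) return false;
      return nodeCrypto.verify('sha256', Buffer.from(assertion.clientData),
        users.get(user), Buffer.from(assertion.signature, 'base64'));
    },
  };
}

// Constructed scenario: a real login, a look-alike origin, a failed biometric match.
function demo() {
  const bank = createServer('https://bank.example');
  const phone = createAuthenticator();
  bank.register('alice', phone.publicKey);
  const login = (origin, verified) =>
    bank.verify('alice', phone.sign(bank.newChallenge('alice'), origin, verified));
  return { ok: login('https://bank.example', true),
           phished: login('https://bank-login.example', true),
           noBiometric: login('https://bank.example', false) };
}
```

The record the server holds is a public key, so a dump of its user table contains no password or biometric template to reuse.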

Expanding the application scenarios of fintech

For example, a bank's digital account currently has upper limits on operations such as fund transfers (refer to the "Operation Template for Banks Accepting Customers to Open a Digital Deposit Account through the Internet"), because it is currently difficult to confirm a person's identity through remote technology. The difficulties include that the anti-counterfeiting label on the Taiwan ID card must be viewed under ultraviolet light to be effective, and that it is difficult to confirm the authenticity of an ID card photo uploaded by the individual. Therefore, without the full procedure of visiting the counter in person with two forms of identification, a digital account is granted less authority than a physical account. This is the result of weighing "digital bank account service promotion" against "personal identity verification security" to avoid excessive risk.

If the reliability of identity verification can be extended through FIDO and other methods, and personal data will not be leaked, the same effect as visiting the counter or handling the matter in person will be achieved.

In addition, the purposes stated in the FSC's press release include "providing cross-agency identification functions", so in the future, providing the salary and income information required by credit card issuers or the financial proof required by lending banks should be completed in one stop.

*The FIDO Alliance has more than 250 members, including financial institutions (PayPal) and technology companies (Apple, Google, Microsoft), and promotes a new open standard for passwordless authentication.

Reference source:
Three elements of cryptography: https://dis-blog.thalesgroup.com/security/2011/09/05/three-factor-authentication-something-you-know-something-you-have-something-you-are/
FSC Press Release: https://www.fsc.gov.tw/ch/home.jsp?id=2&parentpath=0&mcustomize=news_view.jsp&dataserno=202106150002&dtable=News

Original link: Kai's Lawlawland

CC BY-NC-ND 2.0
