Leveraging FIDO to enhance security and user experience
JANUARY 28, 2019
Growing Need for Higher Security, Better Experience, Lower Cost
There is a growing need these days for easy mobile-based authentication services in various industries such as finance, the public sector, insurance, and education. TuringSign FIDO®, produced by Turing Crypto GmbH (Berlin, Germany) and CrossCert Inc. (Seoul, South Korea), helps to meet this demand by providing a FIDO-based biometric authentication service. Additionally, TuringSign FIDO® provides an accredited certificate service that leverages FIDO technology (K-FIDO) for user-friendly digital signing in Korea.
There are 65 million subscribers who use mobile banking services in Korea, most of whom use password-based authentication. In addition, there are 37 million people who have been issued accredited certificates in Korea. For account transfers, subscribers generate a digital signature of the transaction with an accredited certificate, which is verified at their bank for user authentication, integrity and non-repudiation.
Like many consumers around the world, Korean mobile banking subscribers who have to remember their unique password feel uncomfortable for many reasons. Firstly, entering a password on a mobile device is very difficult and time-consuming. Secondly, passwords are highly susceptible to theft and misuse, such as account hijacking. Lastly, many Koreans feel uncomfortable using passwords when they use an accredited certificate based on National PKI (NPKI) for digital signing.
Hence, many banks in Korea have sought to implement easy and secure user authentication technology in their online mobile banking service for subscribers, with biometric authentication approaches being a preferred model. However, many banks have hesitated to implement biometric authentication systems that rely upon server-side storage and matching of biometric templates, as these expose subscribers to the risk of having biometric credentials stolen, which, unlike passwords, cannot be changed.
Kookmin Bank (or KB) is Korea’s leading bank in total assets (2018) and National Customer Satisfaction Index (NCSI) (2017). KB has provided a mobile banking service named ‘KBStar Banking’ which supports a variety of authentication mechanisms, but almost all of the subscribers have used password-based authentication and accredited certification in NPKI. Accredited certification is commonly used for digital signing for account transfer and loan applications.
Kookmin Bank has been seeking simpler, stronger authentication for their mobile service due to the fact that many subscribers have expressed displeasure and discomfort with the password-based approach. KB has also needed a solution for accredited certification in NPKI that does not require passwords for funds transfer, loan applications or similar services.
In November of 2016, TuringSign implemented the TuringSign FIDO® client and authenticator, which support fingerprint, iris and voice biometric authentication, in the KBStar mobile banking app. The TuringSign FIDO® server in CrossCert’s global secure datacenter has passed ISMS and Web Trust Audit, and it has been connected to, and operated with, a relying server in Kookmin Bank.
KB and TuringSign have also provided subscribers with K-FIDO based authentication and digital signing, which eliminates the need for passwords for loan applications, account transfers and similar services. The result is that subscribers no longer need to remember and input a password.
There are now approximately 3.5 million subscribers who are leveraging simpler, stronger FIDO-based authentication across various KBStar mobile banking apps (KBStar banking, KBStar Mini, Liiv, KB Real Estate, KBStar alarm, KB my money, Liiv TTok TTok). In total there are 16 million FIDO transactions per month and there have been over 260 million total FIDO transactions since the launch of services (as of October 2018).
Many Korean banks including KB have implemented FIDO authentication in their mobile banking apps to provide their subscribers with stronger and more user-friendly authentication. The positive user experiences in banking have set the stage for similar adoption in other industries, e.g., insurance, education and government services.
Note: The official case study was published with the old brand name.
Get in touch with a TuringSign FIDO security expert to secure your online and mobile applications.
Another way of verifying a domain is DNS (TXT record) Verification. If you selected DNS Authentication as your verification method, you will receive a unique TXT record via email consisting of two parts:
Verify by adding a TXT record in your DNS. Please verify and check that you have added the correct record.
Please submit a request for support if you face any issues.
Depending on your DNS provider, you may have to wait for at least an hour for the changes to take effect in the DNS servers. You will be notified via email when the domain is verified.
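The check that the record was added correctly can be scripted before waiting on the notification email. The following is an added example, not part of the original page or the vendor's tooling; the record name, the expected value and the sample answer are constructed placeholders, because the real values arrive in the verification email.

```shell
#!/bin/sh
# Constructed placeholders: the real record name and value come from the
# verification email and are not shown on this page.
RECORD_NAME='example.com'
EXPECTED_VALUE='constructed-verification-value-0123456789'

# Constructed sample of `dig +short TXT` output: one record per line, each
# value quoted, long values split into several quoted chunks.
SAMPLE_ANSWER='"v=spf1 include:_spf.example.com ~all"
"constructed-verification-" "value-0123456789"'

# Strip the outer quotes and join the chunks of each record read from stdin.
normalize_txt() {
    sed -e 's/^[[:space:]]*"//' -e 's/"[[:space:]]*$//' -e 's/"[[:space:]]*"//g'
}

# Succeed only if one record on stdin equals $1 exactly (-F literal, -x whole
# line), so a truncated paste or stray whitespace shows up as a mismatch.
txt_record_published() {
    normalize_txt | grep -Fxq -- "$1"
}

# Live check; the optional $3 is a resolver to ask directly (for example the
# zone's authoritative server) while caches are still catching up.
check_live() {
    dig +short ${3:+"@$3"} TXT "$1" | txt_record_published "$2"
}

# Offline demonstration against the constructed sample.
if printf '%s\n' "$SAMPLE_ANSWER" | txt_record_published "$EXPECTED_VALUE"; then
    echo "TXT record for $RECORD_NAME matches"
else
    echo "TXT record for $RECORD_NAME missing or different"
fi
```

Once the record is in place, `check_live "$RECORD_NAME" "$EXPECTED_VALUE"` runs the same comparison against live DNS; other TXT records on the same name, such as SPF, do not affect the result.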
The third method of verifying a domain is HTTP File Upload Verification. After choosing File Authentication as your verification method, you will receive an email and be asked to download a unique verification file (Format: .txt) and upload it to a specific directory on your web server.
Verify by uploading the attached file fileauth.txt in your web server as follows:
You may have to wait for at least an hour for the changes to take effect in the validation services. You will be notified via email when the domain is verified.
Please submit a request for support if you face any issues.