There is a growing need these days for easy mobile-based authentication services in various industries such as finance, public, insurance, and education. CrossCertFIDO®, produced by CrossCert in Korea, helps meet this demand by providing a FIDO-based biometric authentication service. Additionally, CrossCertFIDO® provides an accredited certificate service that leverages FIDO technology (K-FIDO) for user-friendly digital signing in Korea.

Challenge:

There are 65 million subscribers who use mobile banking services in Korea – most of whom use password-based authentication. Also, there are 37 million people who have been issued accredited certificates in Korea. For account transfers, subscribers generate digital signatures of transactions through an accredited certificate and verify them in their bank for user authentication, integrity and non-repudiation.

Like many consumers around the world, Korean mobile banking subscribers who must remember their unique password feel uncomfortable for many reasons. These include the fact that inputting a password on a mobile device is very difficult and time consuming – and also that passwords are highly susceptible to theft and misuse (such as for account hijacking). Additionally, many Koreans feel uncomfortable using passwords when they use an accredited certificate based on National PKI (NPKI) for digital signing.

As a result, many banks in Korea have sought to implement easy and secure user authentication technology in their online mobile banking service for subscribers, with biometric authentication approaches being a preferred model. However, many banks have hesitated to implement biometric authentication systems that rely upon server-side storage and matching of biometric templates as they present a risk to subscribers of having biometric credentials stolen – which unlike passwords cannot be changed.

Case Study: Kookmin Bank

Kookmin Bank (or KB) is Korea’s leading bank in total assets (2018) and National Customer Satisfaction Index (NCSI) (2017). KB has provided a mobile banking service named ‘KBStar Banking’ since 2003. KBStar Banking supports a variety of authentication mechanisms, but almost all subscribers have used password-based authentication and accredited certification in NPKI. Accredited certification has especially been used for digital signing for account transfers and loan applications.

Kookmin Bank has been seeking simpler, stronger authentication for their mobile service due to the fact that many subscribers have expressed displeasure and discomfort with the password-based approach. KB has also needed a solution for accredited certification in NPKI that does not require a password at account transfer or loan application or similar services.

In November of 2016, CrossCert implemented the CrossCertFIDO® FIDO client and authenticator, which support fingerprint, iris and voice biometric authentication, in the KBStar mobile banking app. CrossCert also set up the CrossCertFIDO® server in CrossCert’s global secure datacenter, which has passed ISMS and Web Trust Audit, and it has connected and operated a relying server in Kookmin Bank.

KB and CrossCert have also provided subscribers with K-FIDO based authentication and digital signing – which eliminates the need for passwords for loan applications, account transfers and similar services. The net outcome is that subscribers no longer need to remember and input a password.

The Result:

There are now about 3.5 million subscribers who are leveraging simpler, stronger FIDO-based authentication across various KBStar mobile banking apps (KBStar banking, KBStar Mini, Liiv, KB Real Estate, KBStar alarm, KB my money, Liiv TTok TTok). In total there are 16 million FIDO transactions per month and there have been over 260 million total FIDO transactions since the launch of the services (as of October 2018).

Many Korean banks (in addition to KB) have implemented FIDO authentication in their mobile banking apps to provide their subscribers with stronger and more user-friendly authentication. The positive user experiences in banking have set the stage for similar adoption in other industries – e.g., insurance, education and government services.

