Joon Hyuk Lee – APAC Market Development Director, FIDO Alliance
Welcome
As we usher in the participants of Authenticate 2023, we aim to provide a snapshot of various corners of the globe. Today, we’re privileged to bring together our esteemed members—industry luminaries from Thailand, Taiwan, Vietnam, Mainland China, Korea and Japan. Together, we’ll navigate the present landscape, confronting the challenges and celebrating the opportunities inherent in adopting phishing-resistant authentication methods across APAC.
Introducing Our Experts:
Khanit Phaton, Thailand: Senior Management Officer at ETDA
Karen Chang, Taiwan: VP at Egis Technology / Chair of FIDO Taiwan Forum
Simon Trac Do, Vietnam: CEO & Founder at VinCSS
Henry Chai, Mainland China: CEO at Uni-ID Technology, Lenovo / Co-Chair of FCWG
Jaebeom Kim, South Korea: Principal Researcher at TTA / Sub-Group Leader of FKWG
Masao Kubo, Japan: Manager, Product Design Department at NTT DOCOMO
Crafting an inclusive approach to online authentication in Thailand
Joon: Given Thailand’s rich diversity in many aspects, how does this influence the approach to and adoption of new online authentication systems for its citizens?
Khanit: As online services have become primary channels and gained popularity among the Thai population, coupled with the increasing number of cybersecurity threats, it’s crucial for both the public and private sectors to address this issue. Secure authentication is a key consideration. Given our diversity in aspects like culture and socioeconomic status, it’s essential to adopt an approach that’s inclusive and accessible for all. We’re exploring various methods for authentication; for instance, the Thai government’s introduction of the ThaID digital ID system, which utilizes both facial and fingerprint recognition, ensuring robust accessibility for all citizens. Meanwhile, Fintech companies and banks are developing mobile banking apps tailored to a wide range of mobile devices, incorporating online face verification services.
Reflecting on Taiwan’s recent strides with FIDO
Joon: Taiwan has showcased impressive FIDO deployment cases in recent years. Karen, as the chair of the FIDO Taiwan Regional Engagement Forum, can you offer insights on this journey?
Karen: The FIDO Taiwan Regional Engagement Forum (FTF) was formed in 2021, with members spanning IC chip, device, software, system, and application services. As of August 2023, we boast over 25 members and 80 FIDO-certified products. The government’s role in adopting and promoting FIDO standards cannot be understated. The Ministry of Interior joined the FIDO Alliance in 2020 and launched the Taiwan FidO (TW FidO) service. By September 2023, TW FidO was integrated into more than 170 government department systems, encompassing a wide array of services. The Financial Supervisory Commission (FSC) also emphasized the “Research and Development of Standardized Financial Mobile Identification Mechanisms” in the Financial Technology Development Roadmap released in 2020, known as “Financial FIDO”. This allows users to bind their mobile devices with physical financial cards, eliminating the need for traditional physical cards or account/password logins. Several financial institutions are currently piloting this Financial FIDO initiative. Established in August 2022, the Ministry of Digital Affairs (moda) joined the FIDO Alliance in January 2023. Moda has been actively promoting international digital trust standards, like FIDO User Authentication and W3C Decentralized Identifiers, to industries like e-commerce, telecom services, online gaming, semiconductors, and manufacturing, ensuring a seamless and secure authentication experience. In many Asian countries, directives or guidelines from public organizations play a pivotal role in positioning a nation at the forefront of technology adoption. Today, it’s FIDO’s moment. I believe the FTF is on the right trajectory, and FIDO’s popularity is set to soar.
Vietnam’s Path to Simpler and Stronger Online Authentication
Joon: With many members in Vietnam being relatively new to the FIDO Alliance, how do you assess Vietnam’s readiness and the challenges it faces in adopting simpler and stronger online authentication methods?
Simon: Vietnam, like other nations, grapples with an intensifying phishing crisis that poses significant risks to users, agencies, and organizations. Although there are initiatives in place, such as the Anti-Scam Center, which aims to counteract these threats promptly and take down scam sites, their effectiveness is somewhat curtailed due to manual operations and heavy reliance on user awareness. On a brighter note, an increasing number of Vietnamese entities are engaging in the FIDO Alliance’s drive to minimize password reliance. Leading the charge in this passwordless movement in Vietnam are tech frontrunners like VinCSS and MK Group.
Mainland China’s Digital Landscape: Balancing Scale and Security
Joon: Mainland China has one of the largest digital user bases in the world. What unique challenges does this present when considering the adoption of novel simpler and stronger online authentication methods?
Henry: Indeed, in Mainland China, the sheer size of our digital user base brings about unique considerations. For any new security technology to be deployed, there’s an imperative need to consider the diversity in device capabilities. This ensures an optimal user experience for all, especially during the earlier times, before 2019, when not all smartphones were FIDO-enabled. During that period, any deployment of FIDO had to ensure that every user, regardless of their device’s capabilities, had a viable authentication alternative. Additionally, while authentication is a foundational layer, its adoption must align with business returns. When weighed against traditional, albeit less robust, authentication methods such as SMS and OTP, the decision to transition to FIDO becomes multifaceted. In many cases, the end solution is a mix of methods, balancing compatibility with business benefits. Presently, over 90 banks in Mainland China have adopted FIDO technology, and we anticipate this number to grow across different sectors soon.
Discussing South Korea’s technological advancements
Joon: South Korea is renowned for its advanced technological infrastructure. Jaebeom, how does this influence the nation’s approach to adopting new online authentication methods?
Jaebeom: It’s imperative for our country to integrate new authentication methods to facilitate seamless online identity verification for the public. In this quest, the South Korean government and associated agencies prioritize two critical aspects:
Technical Standards and Service Guidelines: We aim for consistent user experiences across platforms, irrespective of the service providers involved. This demands clear technical standards and robust service operation guidelines.
Legal Framework: Many online services require a solid legal basis for identity verification. Thus, legislative amendments and continued dialogues across the private sector, government, and academia are essential to formulating appropriate legal frameworks. Even if it is time-consuming, this step is indispensable. While our focus leans towards new online authentication methods, it’s equally important to ensure stability in both legacy and new systems, guaranteeing that all citizens can access online identity verification without hitches.
Japan – On the rise and acceptance of passkeys
Joon: Given the unified efforts of the FIDO Alliance Japan Working Group and its members, Japan leads in passkey deployments. Kubo-san, can you discuss the current trend and acceptance of passkeys in Japan?
Kubo-san: This year, I’ve observed several RPs deploying synced passkeys. While some organizations have long supported FIDO technology and embraced synced passkeys, others began their FIDO journey with synced passkeys only in 2023. This dynamic suggests that the momentum for passkey deployment is only set to accelerate. From a user perspective, awareness of passkeys is gradually heightening in Japan. Tech enthusiasts frequently discuss passkeys on social media, and according to Google Trends, search queries related to passkeys have surged. We’re in the early stages of a passwordless era in Japan, and I eagerly anticipate the broader acceptance and deployment of passkeys.
Delving deeper into phishing-resistant solutions in Thailand
Joon: Khanit, how can Thailand ensure that its authentication strategy remains robust and beneficial for online users? Would adopting phishing-resistant authentication solutions be advantageous?
Khanit: To bolster online security, Thailand has undertaken multiple strategies. We’re raising awareness through collaborative efforts with global bodies like the FIDO Alliance and defining digital ID standards that embed secure identity proofing and authentication methods. This lays down a foundational benchmark for users and service providers alike. Additionally, we’ve amended the Electronic Transaction Act to clearly delineate the responsibilities of service providers in guaranteeing authentication security and quality. Undoubtedly, integrating phishing-resistant authentication solutions, which use cryptographic techniques over vulnerable methods like PINs or passwords, would be a strategic advantage. Such solutions inherently offer heightened protection against phishing threats and pose a more formidable challenge for attackers compared to conventional methods.
Discussing Taiwan’s firm stance on cybersecurity
Joon: Could you provide an overview of the cybersecurity landscape in Taiwan and identify any notable trends?
Karen: In Taiwan, the zero-trust network security approach has become a pivotal national strategy. The sixth “National Information Security Development Plan (2021-2024)” was announced in February 2021, advocating for the Zero-Trust Architecture across government agencies and industries. The Taiwanese government has mapped out a comprehensive plan for implementing the zero-trust architecture, piloting validation and deployment mechanisms in 2021-2022. Central to this plan are three core mechanisms: identity authentication, device authentication, and trust inference. We place a significant emphasis on multi-factor authentication mechanisms that leverage the FIDO2 standard, allowing passwordless logins using physical security keys or mobile apps. By the end of August 2023, 12 vendors had cleared the government’s Zero Trust Architecture Identity Authentication Compliance Program. All these vendors deploy FIDO-certified solutions for user authentication. In 2023, numerous government agencies and businesses adopted this zero-trust framework in collaboration with these vendors. By incorporating phishing-resistant user authentication mechanisms, like FIDO’s standards, we have enhanced the security of online services, spanning national critical infrastructure, government services, and key industries. Moreover, FIDO’s certification program fosters trust between service providers, vendors, users, and the general populace.
Reflecting on the importance of FIDO certifications in Korea
Joon: Over the years, FIDO’s certification programs have been instrumental in globally promoting standardized technology adoption. Jaebeom, given that Korea is seen as an early FIDO authentication adopter, can you share your observations?
Jaebeom: Authentication essentially certifies a product’s fitness for its intended purpose, which means it’s more about validating product quality than being a mere badge of honor. As new technologies emerge and mature, the relative importance of certification programs wanes. This is primarily due to the initial imperfections in technology specifications and the lack of testing tools and products during the nascent stages. Certification programs then play a crucial role in harmonizing standards, products, and policies while ironing out these issues. As technology matures, these initial challenges are naturally addressed through iterative processes, and certification programs fulfill their designated roles more organically.
Lessons from Early FIDO Adopters: Mainland China
Joon: Henry, as the Co-Chair of one of the very first regional working groups, what insights can you offer the audience regarding early FIDO adoption, ecosystem cultivation, and so on?
Henry: FIDO is a novel authentication technology with clear benefits in security and user experience, but it also requires consumer devices like smartphones to be compatible. It takes time for the whole ecosystem to gradually embrace FIDO and incorporate its capabilities. The FIDO China Working Group collaborated closely with domestic phone OEMs in Mainland China to promote the FIDO concept and accelerate its implementation on devices. Simultaneously, we worked with the FIDO Alliance to establish the world’s first accredited certification lab at CAICT, Mainland China.
Recap of the FIDO APAC Summit 2023 – Vietnam
Joon: Simon, you successfully co-hosted the FIDO APAC Summit 2023 in Vietnam back in August. Can you reflect on the event and share any insights or observations you took away from the experience?
Simon: The inaugural FIDO APAC Summit 2023 truly exceeded our organizing committee’s expectations. Drawing a diverse crowd with over 300 attendees spanning 12 countries, it was heartening to witness such a convergence of perspectives and expertise. With 29 eminent speakers from diverse sectors, the summit facilitated rich discussions, paving the way for meaningful collaborations. A particularly noteworthy highlight was Vietnam’s Ministry of Information and Communications (MIC) joining the ranks as the 10th government-level member of the FIDO Alliance, underscoring our collective dedication to elevating digital authentication standards. This resonated beyond the venue, with our summit receiving comprehensive media coverage across multiple prestigious platforms. Having proudly co-hosted this foundational event, VinCSS is eager to continue endorsing, supporting, and championing its future iterations, as we envisage it becoming a cornerstone event in the APAC digital landscape.
Envisioning the collective journey with FIDO in APAC
Joon: Looking at the broader APAC region’s push towards harmonized phishing-resistant online authentication, how do you view the role and contributions of FIDO Alliance members?
Kubo-san: For years, our collective aim has been to realize a phishing-resistant, passwordless world through FIDO. But achieving this vision is not a solitary endeavor. It requires collaboration with diverse stakeholders to foster a world where everyone recognizes and effortlessly uses passkeys. FIDO Alliance members can spearhead this initiative by sharing their deployment experiences and persuading yet-to-adopt service providers. Additionally, a joint effort is required to amplify consumer awareness and understanding of passkeys. FIDO technology, especially passkeys, boasts a remarkable retention rate. Once users experience it, they appreciate its intuitive usability. Therefore, it’s imperative for us, as proponents of passkeys, to emphasize that FIDO isn’t just about phishing resistance—it’s also about enhancing user experience. And that’s not just a marketing spiel—it’s the reality.
Closing
To every attendee of Authenticate 2023 reading this, we extend our heartfelt gratitude for your dedication to making online authentication simpler and stronger. As we navigate this ever-evolving domain, we warmly encourage you to continue these conversations by connecting with the FIDO members featured in this dialogue, ensuring our collective discussions remain fruitful and dynamic.