Toyota Motor Corporation turns to FIDO Authentication for Enhanced Login in Japan

Corporate overview and challenge

As the “CASE” trend is gaining ground in the automotive industry, Toyota Motor Corporation, a leader and evolving company in the industry, is changing its model from a “car company” to a “mobility company”. In the area of “C: Connected,” Toyota is working to realize its vision of “Mobility for All – Freedom and Enjoyment of Mobility for All People,” and is developing a number of new services, including a “digital key” that allows the use of smartphones as keys, as well as a website and smartphone applications, for a wide range of users.

The “TOYOTA/LEXUS common ID” (“common ID”), a customer authentication service for safe and comfortable use of various services provided by Toyota, plays an important role in the provision of a series of services. The 5 million TOYOTA common IDs are linked to about 40 different services, and the multiple smartphone applications provided to customers required the input of IDs/passwords for each application.

FIDO 2 deployment

Toyota Motor Corporation has decided to deploy FIDO authentication as an optional authentication function for the “Common ID,” the major advantage of which is that by registering FIDO authentication credentials in advance, users will no longer need to go through the process of entering their ID/password each time they use each smartphone application.

Prior to deploying FIDO authentication, Toyota Motor Corporation had been using one-time password authentication and backup code authentication as a means of multi-factor authentication for common IDs. The main reason for choosing FIDO as one of the new options for multi-factor authentication this time was the consideration of the robust security and usability of FIDO authentication. By utilizing FIDO, which is a multi-factor authentication that involves possession using biometrics on the smartphone used in everyday life, a high level of security was ensured, and it also contributed to an improved user experience.

NRI Secure Technologies, Inc. (NRI Secure), which manages common IDs, has an authentication infrastructure called “Uni-ID Libra” that is compliant with FIDO authentication, and we requested their cooperation for implementation.

Until the introduction of FIDO authentication for iOS and Android devices, the differences in behavior depending on the OS (whether or not Discoverable Credential (formerly known as Resident Key) is supported, explicit user interaction during key registration is required for Safari for iOS, etc.) The issue was the impact on the UX.In the end, we were able to absorb the differences in UX by modifying the authentication web screen, and this led to a solution.

With this implementation, Toyota Motor Corporation has also focused on the importance of designing the life cycle of FIDO authenticators together. In providing services, it is necessary to prepare not only for authentication, but also for registration, device switching, and account recovery in case of loss. If other companies that provide services to consumers consider FIDO authentication, they should have a method that can maintain security strength when switching devices or recovering accounts.