Corporate overview and challenge

As the “CASE” trend is gaining ground in the automotive industry, Toyota Motor Corporation, a leader and evolving company in the industry, is changing its model from a “car company” to a “mobility company”. In the area of “C: Connected,” Toyota is working to realize its vision of “Mobility for All – Freedom and Enjoyment of Mobility for All People,” and is developing a number of new services, including a “digital key” that allows the use of smartphones as keys, as well as a website and smartphone applications, for a wide range of users.

The “TOYOTA/LEXUS common ID” (“common ID”), a customer authentication service for safe and comfortable use of various services provided by Toyota, plays an important role in the provision of a series of services. The 5 million TOYOTA common IDs are linked to about 40 different services, and the multiple smartphone applications provided to customers required the input of IDs/passwords for each application.

FIDO2 deployment

Toyota Motor Corporation has decided to deploy FIDO authentication as an optional authentication function for the “Common ID,” the major advantage of which is that by registering FIDO authentication credentials in advance, users will no longer need to go through the process of entering their ID/password each time they use each smartphone application.

Prior to deploying FIDO authentication, Toyota Motor Corporation had been using one-time password authentication and backup code authentication as a means of multi-factor authentication for common IDs. The main reason for choosing FIDO as one of the new options for multi-factor authentication was its robust security and usability. FIDO is a multi-factor authentication method that combines possession of the smartphone the user carries in everyday life with biometrics on that device, which ensured a high level of security and also contributed to an improved user experience.

NRI Secure Technologies, Inc. (NRI Secure), which manages common IDs, has an authentication infrastructure called “Uni-ID Libra” that is compliant with FIDO authentication, and we requested their cooperation for implementation.

Until FIDO authentication was introduced for iOS and Android devices, the issue was the impact on the UX of differences in behavior depending on the OS (whether or not Discoverable Credentials (formerly known as Resident Keys) are supported, the explicit user interaction required during key registration in Safari for iOS, etc.). In the end, we were able to absorb the differences in UX by modifying the authentication web screen, and this led to a solution.

With this implementation, Toyota Motor Corporation has also focused on the importance of designing the life cycle of FIDO authenticators together. In providing services, it is necessary to prepare not only for authentication, but also for registration, device switching, and account recovery in case of loss. If other companies that provide services to consumers consider FIDO authentication, they should have a method that can maintain security strength when switching devices or recovering accounts.

OVERVIEW
Toyota Motor Corporation, headquartered in Toyota City, Japan, is Japan’s largest automobile manufacturer.

C (Connected): IoT for automobiles
A (Autonomous): Automated driving
S (Shared & Services): From ownership to sharing
E (Electric): Electric vehicles

Finally, Masatoshi Hayashi of Toyota Motor Corporation’s Connected Company Value Chain Infrastructure Development Department, who spoke with us about this case study, made the following comments.

“With the expansion of the connected strategy, the number of operations that can be carried out on smartphone applications and websites has been increasing. While convenient, they can also lead to accidents if misused, so more security measures are required. We believe that FIDO authentication will contribute as one piece to continue providing convenient and safe mobility services to our customers.”

(*) To obtain a common ID and register FIDO credentials, please visit https://id.toyota

