Case study

Kakao Bank's Selfie Authentication

swIDch significantly enhanced security whilst improving user experience by developing a world-first solution for a leading challenger bank in South Korea.


Kakao Bank launched a self-camera (selfie) one-time password (OTP) service in December 2022, which allows users to authenticate themselves by simply taking a selfie, without the need for a physical OTP device. The method captures a real-time image of the customer's face rather than relying on typed numbers, which enhances security, and it allows high-value transfers without a physical OTP device, which increases convenience for customers. swIDch's OTAC-based mOTP, applied to Kakao Bank's selfie OTP, provides security and convenience at the same time: for the first time in Korea, it generates and authenticates a dynamic code that never overlaps, using unique values corresponding to the user's face.


Challenges

OTP authentication is essential for high-value transfers exceeding KRW 10 million in most banks, including Kakao Bank. For this reason, it is necessary to issue either a physical OTP in the form of a card or token, or a mobile OTP into which a PIN is entered. However, physical OTP has a complicated issuance process, and mobile OTP using PINs has its own inherent vulnerabilities. In addition, while mobile OTP is convenient because it only requires the user's smartphone, users must remember the PIN and endure the inconvenience of entering it themselves, as with card-type OTP.

As a result, Kakao Bank decided to prioritise customer user experience by allowing high-value transfers without requiring a physical OTP, while also enhancing security through a method that involves taking a photo of the customer's face instead of simply entering a code. Kakao Bank's Selfie OTP is issued by having customers register a selfie photo, which is then compared to a government-issued ID photo to confirm the customer's identity. After initial use, future authentication happens by comparing the customer's registered selfie photo to a real-time selfie photo for identity verification, thus innovatively overcoming the inconvenience of having to remember usernames and passwords every time.

Kakao Bank focused on implementing a mobile OTP technology that utilizes facial recognition information, which can provide both enhanced security and convenience, surpassing the limitations of the existing mobile OTP.

The Solution

The OTAC-based mOTP applied to Kakao Bank's selfie authentication is a mobile OTP that can be easily used for services requiring strong authentication. It first verifies the user's authentication information, such as a registered PIN or biometric information, before generating the OTP and using it as a linked value for encryption to enhance security. In addition, the technology generates an OTP linked to financial transaction information, such as the recipient's name/account number and the transfer amount, for authentication, which gives a safer response to memory hacking and man-in-the-middle (MITM) attacks.

Most importantly, the OTAC-based mOTP boasts unique technological capabilities by using the unique information corresponding to the facial biometric information as one of the seed values for generating the mobile OTP when the facial comparison is successful.


Technology comparison: Smart OTP / Mobile OTP / Card-tagging Mobile OTP
Comparison criteria: unique user identification (1st level authentication available); 0% possibility of code duplication with other users; compatibility with iPhone; skip additional information input steps (e.g. PIN)

swIDch's OTAC-based mOTP not only enhances security, which is the core of financial services, but also provides the fastest and most convenient authentication service in the most evolved form of technology that generates mobile OTP using facial recognition information for the first time in Korea. The existing OTPs were only used for 2-factor authentication purposes after ID & password or biometric login. On the other hand, OTAC allows for unique user identification and eliminates the possibility of code duplication with other users, enabling unrestricted access to financial services with just a single authentication. In addition, during the process of using financial services, it is possible to perform both initial authentication and second authentication for high-value transfers and transactions in one go.

Expected effect

Efforts to enhance security while ensuring convenience in financial transactions have been ongoing. Especially for Kakao Bank, which has a higher percentage of young users who are familiar with smart devices, it is essential to use trendy technology that can secure convenience for users and expand demand, more than traditional banks.

The combination of facial recognition biometric information, known as the safest unique identifier, and authentication allows financial institutions to increase operational efficiency and reduce costs associated with issuing OTP-specific cards. In addition, this approach is easier, faster, more accurate, safer, and more convenient compared to existing authentication, identification, and access methods offered by passwords, keys, codes, and cards.

Why swIDch

OTAC, developed by swIDch, is the original technology that provides all of the following features, tested and substantiated by the University of Surrey technical report:

DYNAMIC CODE that is sufficient to IDENTIFY user
Single-step IDENTIFICATION and AUTHENTICATION
Uni-directional authentication in off-the-network environment

Single-step identification and authentication with the code alone. Include our biometric option and get single-step MFA. Vastly improved UX by removing steps.

OTAC is a dynamic code, which means the code is constantly changing. Eliminates all use of static information. Forget usernames and passwords forever. Vastly reduced workload for IT helpdesks. 

No network connection required for generating OTAC, enabling uninterrupted use no matter where you are. No more waiting for additional tokens/OTPs and no need for heavy public key infrastructure (PKI). 

 

Highly configurable code parameters and a lightweight SDK/applet mean a wide range of deployment options on many devices across multiple sectors.