Toss Bank's High Remittance Authentication Service
Toss Bank needed an authentication service that guarantees user convenience
and security to provide an "easy and intuitive financial experience".
We helped them achieve just that...
Toss Bank, a leading Korean online-only bank with over 7 million users, needed an authentication service that simultaneously guarantees user convenience and security to provide “simple and reliable financial services.” swIDch’s “switch-OTP”, embedded in Toss Bank’s debit card, makes it possible to transfer large sums of money by simply tapping the card on the back of a smartphone. It supports the iOS operating system, whose absence was highlighted as a major limitation of smart one-time password (OTP) solutions at the time of development.
Vision
Mobile Finance as it Should be
Toss's mission is to resolve inconveniences in Korean finance. It designs services that are simple, logical, and intuitive to use, without compromising security.
Challenges
Toss Bank’s main objective was to find a convenient and secure authentication service providing consistent experiences regardless of the user’s mobile operating system (OS) while overcoming the existing OTP’s limitations.
At the time, banking and financial OTP users were required to keep physical OTP generators such as a card or stick for mobile banking and to enter personal identification numbers (PINs) directly for each transaction. Mobile OTP users, on the other hand, enjoyed relative convenience because only a smartphone was required, although they still needed to remember their PIN and endure the hassle of manually entering the number, just like general OTP users.
Smart OTP emerged to solve both inconveniences, but it still had clear limitations, including the requirement for a separate card. Generating OTP numbers by tapping a card on a smartphone is clearly a step forward in terms of technology. However, at the time it did not support iOS, which is used by more than 25% of users worldwide.
The solution
swIDch’s card-tapping OTP generation technology focuses on user convenience. It is embedded in Toss Bank’s payment card (instead of a separate Smart OTP card) and allows users to make large remittances by simply tapping their payment card on the back of their smartphone.
Since the payment card itself generates OTPs, users no longer have to carry around a separate token device or be concerned about its battery or expiry date. There is no need to enter a password to generate an OTP, and no hassle of typing OTP digits manually. A simple tap on the back of a smartphone is enough to authenticate a user securely and accurately.
When swIDch developed the OTAC-based switch-OTP, standard smart OTP technology required two-way (bi-directional) communication with smartphones, supported only by Android OS. Smart OTP was not available in iOS due to operational limitations.
However, swIDch's One-Time Authentication Code (OTAC) technology, as applied to Toss Bank's 'switch-OTP', is unidirectional (one-way): the dynamic code generated by tapping the card on the back of the smartphone is transmitted to the server without any response from the phone to the card, so it can be applied to iOS as well. As a result, by overcoming the limits of smart OTP (criticized as an Android-only service), switch-OTP allows iPhone users to benefit from the same service.
The user-friendly switch-OTP service provides the most advanced form of secure authentication service in terms of 'security', the core of all financial services. swIDch’s award-winning OTAC utilises near field communication (NFC) technology to authenticate Toss Bank users as they complete financial services by tapping their cards on the backs of their smartphones. In addition, they can also proceed to 2FA for high value remittances and transfers.
While standard OTP is used only as a secondary login method after ID/PW or biometric login, OTAC as applied to switch-OTP enables unique single-step user identification, with no possibility of code duplication with other users. Therefore, OTAC allows users to use financial services without restriction using only primary authentication.
Expected Effects
Given that the use of online banking for financial transactions is increasing, financial service firms must provide easy-to-use financial services safe from external threats.
An authentication service that can be used by tapping a card regardless of the OS leads to a vastly expanded user base, including the mobile native generation familiar with smart devices and older generations who are more focused on financial transaction security.
The most advanced form of the new OTAC authentication service can also be used for 2FA to increase security further for financial transactions, such as high value remittances. It can also be extended to primary authentication services to protect personal information and can be used in critical financial services required in a new non-face-to-face era.
In addition, because the payment card itself plays the role of an OTP token device, Toss Bank saves costs associated with hardware OTP (including issuance, replacements, and administration) while maintaining the highest level of security. Combining a physical payment card and an authentication service provides a clear boost to business.
With the newly enhanced card becoming an essential tool for Toss Bank customers, having the physical card means their customers are more likely to use this card for other transactions, leading to increases in revenue for the bank.
Why swIDch
that provides all of the following features, tested and substantiated by the University of Surrey technical report:
Sufficient to identify and authenticate a user; usable in an off-the-network environment.
Single-step identification and authentication with the code alone. Include our biometric option and get single-step MFA. Vastly improved UX by removing steps.
OTAC is a dynamic code, which means the code is constantly changing. Eliminates all use of static information. Forget usernames and passwords forever. Vastly reduced workload for IT helpdesks.
No network connection required for generating OTAC, enabling uninterrupted use no matter where you are. No more waiting for additional tokens/OTPs and no need for heavy public key infrastructure (PKI).
Highly configurable code parameters and a lightweight SDK/applet mean a wide range of deployment options on many devices across multiple sectors.