As more users are required to provide personal information to websites and online services, the security of that personal information is becoming weaker.
The most commonly used method of online user identification is entering a user name and password. But users typically reuse the same simple password across multiple sites. Thus, when personal information is illegally acquired from one website, it becomes much easier to break into other sites using the same credentials. For this reason, personal information leaks and ID theft are becoming more frequent. To prevent these problems, it is important to make passwords more complex and to use a different password for each website.
Various solutions for user verification have emerged to solve password-related issues. Today we will take a look at a secure and easy verification method known as FIDO (Fast Identity Online).
FIDO is a verification service that offers easier and more stable security than the existing method of entering an ID and password.
The verification technology receiving the most attention from the FIDO Alliance is ‘bio verification technology’. Facial or fingerprint recognition verifies the identity of the user by recognizing the user’s facial structure or fingerprints on a computer or smartphone. As fields such as ‘fintech’, which combines finance and IT, require stronger security, the importance of FIDO is growing.
The recently announced FIDO verification method defines two approaches: UAF, which uses bio-information instead of an ID and password, and U2F, which uses an ID and password together with an additional verification device.
Firstly, UAF (Universal Authentication Framework) stores users’ bio-information such as fingerprints, voice and facial structure on their devices, not on a server. This differs from existing bio-verification technology: instead of saving bio-information on a central server, it is kept on individually designated hardware such as a smartphone or a USIM, IC or HSM chip, which reduces the risk of information leaks.
U2F (Universal Second Factor) implements a second level of verification such as UAF after an ID and password have been entered.
In both cases, the FIDO technology standard provides a more secure system by keeping bio-information in independent ‘trust zones’ on individual devices and transmitting only the result of the bio-verification to the server to complete the process.
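The flow described above, as an added example in Go (not code from the article, the FIDO Alliance or any FIDO implementation): a simplified challenge-response model that assumes an ECDSA P-256 device key and a SHA-256 hash of a constructed byte string standing in for the fingerprint template. The server registers and stores only the public key, the device performs the biometric match locally and returns only a signed result, and a signature replayed against a different challenge is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator models the device-side "trust zone": the private key and the
// enrolled biometric template never leave it (simplified, hypothetical model).
type Authenticator struct {
	priv     *ecdsa.PrivateKey
	enrolled [32]byte // hash of a constructed sample, standing in for a fingerprint template
}

// RelyingParty models the server: after registration it holds only public keys.
type RelyingParty map[string]*ecdsa.PublicKey

func NewAuthenticator(fingerprint []byte) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv, enrolled: sha256.Sum256(fingerprint)}, nil
}

// Register: the device hands over its public key only, never the template.
func (rp RelyingParty) Register(user string, a *Authenticator) {
	rp[user] = &a.priv.PublicKey
}

// Sign runs the local biometric match and, only if it succeeds, signs the
// server's fresh random challenge. The fingerprint itself is never transmitted.
func (a *Authenticator) Sign(fingerprint, challenge []byte) ([]byte, error) {
	if sha256.Sum256(fingerprint) != a.enrolled {
		return nil, errors.New("local biometric verification failed")
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
}

// Verify checks the signed result against the stored public key; a signature over any other challenge fails.
func (rp RelyingParty) Verify(user string, challenge, sig []byte) bool {
	if pub := rp[user]; pub != nil {
		digest := sha256.Sum256(challenge)
		return ecdsa.VerifyASN1(pub, digest[:], sig)
	}
	return false
}
```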
In Korea, a public key certificate is used nationwide for identity verification online. A public key certificate is a web certificate used to secure transactions handled over the web, such as banking and civil services. It is issued only by authentication institutes authorized by the Korean government.
A public key certificate is quite secure when the personal (private) key is stored independently. But in Korea, the certificate and the personal key are stored in the same folder (NPKI) on a device.
In this method, the personal key is used to access the public key, and the encrypted verification information is then opened with the public key to verify the user’s identity and create a digital signature. A major issue with this method is that the NPKI folder can be copied and moved to a different medium just like any other folder.
Moreover, security is compromised when performing mobile transactions on a smartphone, because the verification certificate and the personal key are stored together in a publicly accessible location.
KISA (Korea Information Security Agency) is developing technology to overcome the limitations of verification certificates by combining them with FIDO.
This technology combines bio-verification technology such as fingerprint, iris and facial recognition with public key encryption technology, allowing users to store bio-information on their smartphones and connect their smartphones to their computers to access verification certificates. With this method, a transaction can be completed by running the verification certificate and then verifying the user’s identity with the fingerprint recognition sensor on a smartphone.
Fingerprint recognition is not yet available on all smartphones, but soon most smartphones will have this capability.
With the combination of FIDO and verification certificates (a public key certificate in Korea), bio-information can be used to supplement verification certificates to make mobile transactions much more convenient.
The existing public key certificate in Korea is cumbersome: it requires installing ActiveX, and the user must also enter a password. FIDO resolves this by replacing the password with bio-verification, so that others cannot access transaction applications.
Also, FIDO stores personal information on individual smartphones or designated hardware rather than on a central server, reducing privacy risks. For this reason, FIDO will be used more commonly in the near future.
KISA (Korea Internet and Security Agency) anticipates that if LG, Samsung and Apple implement FIDO on their devices, many services combining FIDO and verification certificates for electronic financial transactions will emerge. Furthermore, its use is expected to expand in the field of fintech.
We have now discussed the possibility of combining FIDO bio-verification and verification certificates.
FIDO technology is still in its early stages, and it is difficult to find cases showing how it can be hacked. A hacker conference will be held to discover the weak points in the technology.
Unfortunately, bio-verification technology has a major weakness: bio-information cannot be modified. Bio-verification relies on an individual’s own bio-information, which makes it very secure, but if that bio-information is copied or stolen it cannot be changed to secure the system again.
In September of 2015, at the world-famous information security conference Black Hat 2015, the security firm FireEye demonstrated how fingerprint verification systems on mobile devices can be hacked. Attackers can use malware to infiltrate the fingerprint verification process and launch attacks that bypass ‘trust zones’ to acquire fingerprint information stored on mobile devices.
Thus, FIDO will need the support of stronger security technology to work in conjunction with verification certificates.
FIDO technology will require significant changes to be integrated with smartphones and to allow secure mobile transactions. FIDO is also expected to emerge in the PC environment as a next-generation verification technology.
Written by Seung-Yeon Seok, LG CNS Student Reporter
FIDO Alliance: An association created by a group of global companies in June of 2006 to develop technological standards for convenient and secure verification systems. Currently approximately 200 companies, including Google, Lenovo, Microsoft and PayPal, have joined the alliance and use FIDO as the recognized, standardized technology.