ID and password authentication is used for a wide variety of purposes, from logging in to networks to using bank ATMs. Although this authentication method is easy to use, IDs and passwords are at risk of leakage and theft, and are easily misused once stolen. In these circumstances, FIDO (Fast IDentity Online) authentication using biometric information, which can balance usability and security, is now attracting attention.
[Fujitsu Insight 2017 Security Seminar Report]
FIDO Biometric Authentication Attracting Attention to Address Ever-increasing Security Damage
Facing the Limitations of Memory-Dependent ID Authentication
It is said that approximately 1.22 billion cases of personal information leakage occur (*) and approximately 40% of companies suffer some kind of security damage in a year (**) worldwide. For individuals, what is particularly problematic is the damage from unauthorized access. It is reported that approximately 90% of damage is caused by crimes involving illegal money transfers through Internet banking and unauthorized purchases at online shops resulting from identity theft (***). To solve this problem, it is important to strengthen identity authentication used to verify the identity/authenticity of individuals.
There are three types of identity authentication: memory-based authentication using IDs, passwords and PIN codes; possession-based authentication using one-time password tokens; and biometric authentication using fingerprints and irises.
Although ID and password authentication is the most frequently used method in services worldwide, it carries the risk of credential theft through phishing attacks, in which criminals pretending to be a financial institution or other trusted company send fraudulent emails to victims. However, if password rules are made more complex to enhance security, usability is reduced. Security can also be enhanced by combining possession-based and biometric authentication, but this may in turn cause problems and risks related to usability and cost.
*: Symantec's 2017 Internet Security Threat Report
**: Kaspersky Lab Report: Measuring the Financial Impact of IT Security on Businesses
***: Ministry of Economy, Trade and Industry: State of Incidence of Unauthorized Access and Research and Development of Technologies relating to Access Control Functions (2017)
FIDO Authentication That Balances Security with Usability
Given this situation, FIDO has been attracting attention as a new authentication alternative to passwords that provides security and a high level of reliability, while ensuring usability or user experience (UX). FIDO is an online biometric authentication method that uses sensors in users' devices such as PCs and smartphones. FIDO enables identity authentication without requiring any special facilities, allowing an easy and secure login without a password to pay online and use other online services.
FIDO has three features.
Firstly, biometric information is not stored on the server. Authentication is performed on the user's device using biometric information stored on that device, and only the encrypted authentication results are sent to the server. For this reason, online service providers do not need to keep users' biometric information, which prevents biometric information from flowing out of networks and servers, thereby eliminating the risk of biometric data leakage.
Secondly, FIDO supports various devices and authentication methods. Dedicated hardware is not necessary because devices such as smartphones, tablets and PCs used daily by users can be used for authentication.
Thirdly, FIDO authentication is an international standard. The FIDO Alliance, an organization comprising more than 250 companies worldwide, including standardization organizations, has established the FIDO standard and is working on next-generation online authentication. It is a promising standard that is expected to become the de facto standard for online authentication going forward.
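The first feature above (the biometric check stays on the device, the service only receives a verifiable result) is easiest to see in code. The following is an added illustration, not Fujitsu's or the FIDO Alliance's code: it models the FIDO challenge-response flow with an Ed25519 key pair, where the authenticator signs a fresh server challenge only after a local biometric match and the relying party stores nothing but the public key. The template bytes, user names and the equality check standing in for a fuzzy matcher are constructed assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Authenticator models the user's device: the enrolled biometric template
// (a constructed byte string here) and the private key never leave it.
type Authenticator struct {
	template []byte
	priv     ed25519.PrivateKey
	Pub      ed25519.PublicKey
}

// RelyingParty models the online service; it stores public keys only.
type RelyingParty struct{ pubKeys map[string]ed25519.PublicKey }
func NewRelyingParty() *RelyingParty {
	return &RelyingParty{pubKeys: map[string]ed25519.PublicKey{}}
}
func NewAuthenticator(template []byte) *Authenticator {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Authenticator{template: template, priv: priv, Pub: pub}
}

// Register enrols the device's public key; no biometric data is sent.
func (rp *RelyingParty) Register(user string, pub ed25519.PublicKey) { rp.pubKeys[user] = pub }

// Challenge issues a fresh random nonce so a captured signature cannot be replayed.
func (rp *RelyingParty) Challenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	return c
}

// Sign unlocks the key only after the local biometric match (bytes.Equal stands in for a fuzzy matcher).
func (a *Authenticator) Sign(sample, challenge []byte) ([]byte, error) {
	if !bytes.Equal(sample, a.template) {
		return nil, errors.New("biometric mismatch: key stays locked")
	}
	return ed25519.Sign(a.priv, challenge), nil
}

// Verify accepts the login only if the signature is valid for the stored key and the issued challenge.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.pubKeys[user]
	return ok && ed25519.Verify(pub, challenge, sig)
}
```

Note that a server compromise here yields public keys and nothing else, which is the property the seminar describes; a production deployment also carries attestation, signature counters and user-presence flags that this sketch omits.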
Fujitsu's online biometric authentication service Finplex Online Authentication Service for FIDO is a SaaS product that provides FIDO-based authentication functionality. Based on the technologies cultivated in the development of smart devices, sensors, servers and cloud computing, and by leveraging its partnership with Nok Nok Labs, a founding member of the FIDO Alliance, Fujitsu is able to globally provide one-stop FIDO implementation support services tailored to each customer's needs.
Developing FIDO-based Integrated Services for Mizuho Financial Group
Mizuho Financial Group, consisting of Mizuho Bank, Mizuho Trust & Banking Co., Ltd., Mizuho Securities, and other groups covering various areas, is looking to become a global, open comprehensive financial group under the slogan, "One MIZUHO." It is also focusing on Fintech to carry out various management strategies. Fintech involves various technology components. Among them, Mizuho would like to utilize FIDO, a new model for authentication, in place of password authentication.
Easy to Log in to Internet Banking Applications with FIDO
As you know, the number of illegal money transfers in Internet banking has been increasing across all financial institutions, so implementing security measures is a very important management issue at Mizuho. It has already introduced one-time password tokens, but recognizes that there are problems in using them. In addition, as the number of smartphone users grows, urgent measures are needed for smartphones in place of the PCs that have been mainstream until now. Against this backdrop, Mizuho Financial Group adopted FIDO for Mizuho Direct Application, its smartphone application for Internet banking, and started providing this service in October.
Specifically, it has become possible to log in to Mizuho Direct Application using biometric information, such as fingerprints, face and iris depending on the device. Currently this is a service specifically for logging in; however, we will expand the scope of services to include making withdrawals and payments.
Key Points for Selecting Fujitsu's FIDO
One of the key points in selecting a FIDO solution is that it ensures security without compromising usability and can be used without storing individuals' biometric information. Another key point is that there is no need to prepare new devices on the user side, which enables speedy rollout and cost reductions.
There are several reasons why Mizuho adopted Fujitsu's FIDO, and the most important among them was its support and promotion system. Fujitsu is able to offer a promotion system properly based on the specifications developed by Nok Nok Labs, a FIDO Alliance board member, as well as a robust global support system. Another factor was the relationship of trust between Mizuho and Fujitsu built up through a proven track record of deploying accounting and sales systems, because Mizuho, as a financial institution, needs to provide services with stability.
To introduce FIDO to the system of this banking application, Mizuho utilized Fujitsu's online biometric authentication service. The FIDO authentication server resides in Fujitsu's cloud environment and the FIDO client is installed in the banking application. Logging in with biometric authentication requires several features, including a data deletion feature after authentication. Fujitsu's service includes such features, which enabled speedy deployment in only about six months, starting from defining the requirements to the product launch.
Mizuho is considering not only biometric authentication login, but also various future developments. Utilizing this service as the FIDO platform, which serves as the core for integrating intra-bank systems, stores, ATMs, and other various services, Mizuho also would like to focus on developing integrated services, combining banking, trust, securities, and credit services.
Taiji Sudo, IT & Systems Control Department No. 1, Mizuho Bank, Ltd.
Michihiko Ejiri, Vice President of the Front Digital Service Business Division, Innovative IoT Business Unit