Case study

Kakao Bank's Selfie Authentication

swIDch significantly enhanced security whilst improving user experience by developing
a world-first solution for a leading challenger bank in South Korea


Kakao Bank launched a self-camera (selfie) one-time password (OTP) service in December 2022, which allows users to authenticate themselves simply by taking a selfie, without the need for a physical OTP device. The service enhances security by capturing a real-time image of the customer's face rather than simply entering numbers, and increases convenience by allowing high-value transfers without a physical OTP device. swIDch's OTAC-based mOTP, applied to Kakao Bank's selfie OTP, provides security and convenience at the same time: for the first time in Korea, it generates and authenticates a dynamic code that never overlaps, using unique values corresponding to the user's face.



OTP authentication is essential for high-value transfers exceeding KRW 10 million in most banks, including Kakao Bank. For this reason, it is necessary to issue a physical OTP in the form of a card or token, or a mobile OTP in which a PIN number is entered. However, physical OTP has a complicated issuance process and mobile OTP using PIN numbers has its own inherent vulnerabilities. In addition, while mobile OTP is convenient as it only requires a user’s smartphone, users must remember the PIN number and endure the inconvenience of having to enter it themselves, similar to the card-type OTP.

As a result, Kakao Bank decided to prioritise customer user experience by allowing high-value transfers without requiring a physical OTP, while also enhancing security through a method that involves taking a photo of the customer's face instead of simply entering a code. Kakao Bank's Selfie OTP is issued by having customers register a selfie photo, which is then compared to a government-issued ID photo to confirm the customer's identity. After initial use, future authentication happens by comparing the customer's registered selfie photo to a real-time selfie photo for identity verification, thus innovatively overcoming the inconvenience of having to remember usernames and passwords every time.

Kakao Bank focused on implementing a mobile OTP technology that utilizes facial recognition information, which can provide both enhanced security and convenience, surpassing the limitations of the existing mobile OTP.

The Solution

The OTAC-based mOTP applied to Kakao Bank's selfie authentication is a mobile OTP that can be easily used for services requiring strong authentication. It first verifies the user's authentication information, such as a registered PIN or biometric information, before generating the OTP and using it as a linked value for encryption to enhance security. In addition, the technology generates an OTP linked to financial transaction information, such as the recipient's name/account number and transfer amount, for authentication, which offers safer protection against memory hacking and man-in-the-middle (MITM) attacks.

Most importantly, the OTAC-based mOTP boasts unique technological capabilities by using the unique information corresponding to the facial biometric information as one of the seed values for generating the mobile OTP when the facial comparison is successful.
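The two ideas above, an OTP bound to the transaction details and a seed that includes a value released only after a successful face match, can be illustrated with a generic HMAC construction in the style of RFC 6238 TOTP. This is an added example, not swIDch's OTAC algorithm (which this page does not specify); the function names, the seed derivation, the 30-second step and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # assumed validity window, as in RFC 6238 TOTP


def derive_seed(device_secret: bytes, face_value: bytes) -> bytes:
    """Mix a per-device secret with the value released after a face match."""
    return hmac.new(device_secret, b"seed|" + face_value, hashlib.sha256).digest()


def canonical_tx(recipient: str, account: str, amount_krw: int) -> bytes:
    """Length-prefix each field so 'AB'+'C' and 'A'+'BC' cannot collide."""
    out = b""
    for field in (recipient, account, str(amount_krw)):
        raw = field.encode("utf-8")
        out += struct.pack(">H", len(raw)) + raw
    return out


def tx_otp(seed: bytes, tx: bytes, now: int, digits: int = 6) -> str:
    """HOTP-style dynamic truncation over (time step || transaction bytes)."""
    counter = struct.pack(">Q", now // STEP_SECONDS)
    mac = hmac.new(seed, counter + tx, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(seed: bytes, tx: bytes, code: str, now: int, drift: int = 1) -> bool:
    """Server side: recompute for the transaction it is about to execute."""
    return any(
        hmac.compare_digest(tx_otp(seed, tx, now + d * STEP_SECONDS), code)
        for d in range(-drift, drift + 1)
    )


# Constructed sample values, for illustration only.
SEED = derive_seed(b"constructed-device-secret", b"constructed-face-value")
TX = canonical_tx("Kim Minji", "3333-01-0000000", 15_000_000)
```

Because the server recomputes the code over the transfer it is about to execute, a code generated for one recipient and amount does not verify if either field is altered in transit or in memory.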

[Figure: technology comparison of Smart OTP, Mobile OTP and Card-tagging Mobile OTP, by: unique user identification (1st level authentication available); 0% possibility of code duplication with other users; compatibility with iPhone; skipping additional information input steps (e.g. PIN)]

swIDch's OTAC-based mOTP not only enhances security, which is the core of financial services, but also provides the fastest and most convenient authentication service in the most evolved form of technology that generates mobile OTP using facial recognition information for the first time in Korea. The existing OTPs were only used for 2-factor authentication purposes after ID & password or biometric login. On the other hand, OTAC allows for unique user identification and eliminates the possibility of code duplication with other users, enabling unrestricted access to financial services with just a single authentication. In addition, during the process of using financial services, it is possible to perform both initial authentication and second authentication for high-value transfers and transactions in one go.

Expected effect

Efforts to enhance security while ensuring convenience in financial transactions have been ongoing. Especially for Kakao Bank, which has a higher percentage of young users who are familiar with smart devices, it is essential to use trendy technology that can secure convenience for users and expand demand, more than traditional banks.

The combination of facial recognition biometric information, known as the safest unique identifier, and authentication allows financial institutions to increase operational efficiency and reduce costs associated with issuing OTP-specific cards. In addition, this approach is easier, faster, more accurate, safer, and more convenient compared to existing authentication, identification, and access methods offered by passwords, keys, codes, and cards.

Why swIDch

OTAC, developed by swIDch, is the original technology that provides all of the following features, tested and substantiated by the University of Surrey technical report:

Sufficient to IDENTIFY user
DYNAMIC authentication code that does NOT duplicate
Uni-directional authentication in off-the-network environment

OTAC is a dynamic code, which means the code keeps changing. As a result, you don’t need to worry about any leak of your personal information, such as your card details, because the codes will already have changed by the time others try to use them.

The network connection is NOT necessary at all for generating OTAC.

Removing an authentication stage that requires a network connection directly means there are fewer gateways for hackers to access our personal information.

Moreover, this feature enables users to authenticate even when they are in networkless environments, such as on a plane, underground, or in rural or foreign areas.

swIDch can guarantee that the code never duplicates with anyone at any given moment.

There is NO chance of someone else having the same code.

The users or their devices can be identified with the code alone.

Once OTAC has been generated, providing OTAC alone is already fully sufficient to identify the user, as the code is unique.

This means you can forget about the bundles of static information, including IDs and passwords.