Toss Bank, a leading Korean online-only bank with over 20 million users, needed an authentication service that guarantees both user convenience and security in order to provide “simple and reliable financial services.” swIDch’s “switch-OTP,” embedded in Toss Bank’s debit card, makes it possible to transfer large sums of money by simply tapping the card on the back of a smartphone. It also supports iOS, whose lack of support was highlighted as a major limitation of smart one-time password (OTP) solutions at the time of development.
Mobile Finance as it Should be
Toss's mission is to resolve inconveniences in Korean finance. It designs services that are simple, logical, and intuitive to use, without compromising security.
Toss Bank’s main objective was to find a convenient and secure authentication service providing consistent experiences regardless of the user’s mobile operating system (OS) while overcoming the existing OTP’s limitations.
At the time, banking and financial OTP users were required to keep physical OTP generators such as a card or stick for mobile banking and to enter personal identification numbers (PINs) directly for each transaction. Mobile OTP users, on the other hand, enjoyed relative convenience because only a smartphone was required, although they still needed to remember their PIN and endure the hassle of manually entering the number, just like general OTP users.
Smart OTP emerged to solve both inconveniences, but clear limitations remained, including the requirement for a separate card. Generating OTP numbers by tapping a card on a smartphone is clearly a step forward in terms of technology. However, at the time it did not support iOS, which is used by more than 25% of users worldwide.
swIDch’s card-tapping OTP generation technology focuses on user convenience. It is embedded in Toss Bank’s payment card (instead of a separate smart OTP card) and allows users to make large remittances by simply tapping their payment card on the back of their smartphone.
Since the payment card itself generates OTPs, users no longer have to carry a separate token device or worry about its battery or expiry date. There is no need to enter a password to generate an OTP, and no hassle of typing OTP digits manually. A simple tap on the back of a smartphone is enough to authenticate a user securely and accurately.
When swIDch developed the OTAC-based switch-OTP, standard smart OTP technology required two-way (bi-directional) communication with the smartphone, which was supported only by Android. Smart OTP was therefore not available on iOS due to operational limitations.
However, swIDch's One-Time Authentication Code (OTAC) technology, as applied to Toss Bank's 'switch-OTP', is unidirectional (one-way): the dynamic code generated by tapping the card on the back of the smartphone is transmitted to the server, so it can be used on iOS as well. By overcoming this limitation of smart OTP (criticized as an Android-only service), switch-OTP lets iPhone users benefit from the same service.
The user-friendly switch-OTP service provides the most advanced form of secure authentication in terms of 'security', the core of all financial services. swIDch’s award-winning OTAC uses near field communication (NFC) to authenticate Toss Bank users as they complete financial services by tapping their cards on the backs of their smartphones. In addition, users can proceed to 2FA for high-value remittances and transfers.
While standard OTP is used only as a secondary login method after ID/password or biometric login, the OTAC applied to switch-OTP enables unique single-step user identification, with no possibility of code duplication between users. OTAC therefore allows users to use financial services without restriction using only primary authentication.
Given that the use of online banking for financial transactions is increasing, financial service firms must provide easy-to-use financial services safe from external threats.
An authentication service that can be used by tapping a card regardless of the OS leads to a vastly expanded user base, including the mobile native generation familiar with smart devices and older generations who are more focused on financial transaction security.
The most advanced form of the new OTAC authentication service can also be used for 2FA to further increase the security of financial transactions such as high-value remittances. It can also be extended to primary authentication to protect personal information, and can be used in critical financial services required in the new non-face-to-face era.
In addition, because the payment card itself plays the role of an OTP token device, Toss Bank saves the costs associated with hardware OTP (including issuance, replacement, and administration) while maintaining the highest level of security. Combining a physical payment card with an authentication service provides a clear boost to business.
With the newly enhanced card becoming an essential tool for Toss Bank customers, holding the physical card makes customers more likely to use it for other transactions as well, increasing revenue for the bank.
that provides all of the following features, tested and substantiated by the University of Surrey technical report:
- Sufficient to IDENTIFY the user
- Does NOT duplicate
- Works in an off-the-network environment
OTAC is a dynamic code, which means the code keeps changing. As a result, you don’t need to worry about any leak of your personal information, such as your card details, because the codes will already have changed by the time others try to use them.
A network connection is NOT necessary at all for generating OTAC.
Removing an authentication stage that requires a network connection directly means there are fewer gateways for attackers to reach personal information.
Moreover, this feature enables users to authenticate even in networkless environments, such as on a plane, underground, or in rural or foreign areas.
swIDch can guarantee that the code never duplicates with anyone else’s at any given moment.
There is NO chance of someone else having the same code.
Users or their devices can be identified with the code alone.
Once an OTAC has been generated, providing that OTAC alone is fully sufficient to identify the user, because the code is unique.
This means you can forget about bundles of static information such as IDs and passwords.
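The three properties listed above (offline generation, no reuse, identification from the code alone) are what a bank's server must actually enforce when the card sends a code one way and nothing comes back. The following Python is an added illustration, not swIDch's OTAC algorithm (which is proprietary and not described on this page) and not Toss Bank's code. It models a generic counter-based one-time code: the card side derives each code offline from a per-card secret (HMAC-SHA256, a hypothetical choice), and the server side identifies the user by searching its enrolled cards, accepts each code only once, and fails closed if a truncated code happens to match more than one card. Card IDs, user names, and secrets are constructed sample values.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

CODE_DIGITS = 8   # length of the code shown after a tap (assumption)
LOOKAHEAD = 5     # how many counter steps the server tolerates per card (assumption)


def generate_code(secret: bytes, counter: int) -> str:
    """Derive a one-time code from a per-card secret and counter, offline.

    HMAC-SHA256 with HOTP-style dynamic truncation; no network is involved.
    """
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    number = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(number % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


class Card:
    """Card side: holds the secret and a counter; each tap emits a fresh code."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.counter = 0

    def tap(self) -> str:
        self.counter += 1
        return generate_code(self.secret, self.counter)


@dataclass
class CardRecord:
    user: str
    secret: bytes
    last_counter: int = 0   # highest counter accepted so far; older codes are dead


class Verifier:
    """Server side: identifies the user from the code alone and blocks replays."""

    def __init__(self) -> None:
        self.cards: Dict[str, CardRecord] = {}

    def enroll(self, card_id: str, user: str, secret: bytes) -> None:
        self.cards[card_id] = CardRecord(user=user, secret=secret)

    def identify(self, code: str) -> Optional[str]:
        """Return the user who owns this code, or None if unknown, replayed or ambiguous."""
        matches: list[Tuple[str, int]] = []
        for card_id, rec in self.cards.items():
            # Only counters strictly above the last accepted one are live,
            # so a captured code can never be accepted a second time.
            for counter in range(rec.last_counter + 1, rec.last_counter + 1 + LOOKAHEAD):
                if hmac.compare_digest(generate_code(rec.secret, counter), code):
                    matches.append((card_id, counter))
                    break
        if len(matches) != 1:
            # Unknown code, or a truncated-code collision between two cards:
            # fail closed rather than guess which user tapped.
            return None
        card_id, counter = matches[0]
        self.cards[card_id].last_counter = counter
        return self.cards[card_id].user


def demo() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Constructed walk-through: a tap identifies the user, its replay is refused."""
    server = Verifier()
    server.enroll("card-A", "alice", b"constructed-secret-for-card-A")
    server.enroll("card-B", "bob", b"constructed-secret-for-card-B")
    alice_card = Card(b"constructed-secret-for-card-A")
    bob_card = Card(b"constructed-secret-for-card-B")

    code = alice_card.tap()                 # generated with no network access
    first = server.identify(code)           # "alice": identified from the code alone
    replay = server.identify(code)          # None: the same code is never accepted twice
    bob_card.tap()                          # a tap that never reached the server
    second = server.identify(bob_card.tap())  # "bob": still within the lookahead window
    return first, replay, second


if __name__ == "__main__":
    print(demo())
```

The lookahead window is the practical trade-off a unidirectional scheme forces: with no reply channel the card cannot learn that a tap was lost, so the server must tolerate a few skipped counters, and the window size bounds both convenience and the brute-force surface per card.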