Toss Bank, a leading Korean online-only bank with over 20 million users needed an authentication service that simultaneously guarantees user convenience and security to provide “simple and reliable financial services.” SSenStone’s “switch-OTP” embedded in Toss Bank’s debit card, makes it possible to transfer large sums of money by simply tapping the card on the back of smartphones. It supports the iOS operating system, which was highlighted as a major limitation of smart one-time password (OTP) at the time of development.
● Visions
Mobile Finance as it Should Be
Toss's mission is to resolve inconveniences in Korean finance. It designs services that are simple, logical, and intuitive to use, without compromising security.
● Challenges
Toss Bank’s main objective was to find a convenient and secure authentication service providing consistent experiences regardless of the user’s mobile operating system (OS) while overcoming the existing OTP’s limitations.
At the time, OTP users were required to keep physical OTP generators such as a card or stick for mobile banking and directly enter personal identification numbers (PINs) for each transaction. Mobile OTP users on the other hand enjoyed relative convenience because only a smartphone was required, although they still needed to remember their PIN number and endure the hassle of having to manually enter the number just like general OTP users.
Smart OTP emerged to solve both inconveniences, but there are still clear limitations. Creating an OTP number by tapping a card on a smartphone is clearly a huge step forward in user convenience, but at the time it did not support iOS, used by more than 25% of users worldwide.
● Solutions
SSenStone’s card-tapping OTP generation technology focuses on user convenience. It is embedded in Toss Bank’s payment card and allows users to transfer large remittance services by simply tapping the card on the back of their smartphone.
Since the payment card itself generates OTPs, users no longer have to carry around a separate token device or be concerned about its battery or expiry date. There is no need to enter a password to generate an OTP, and no hassle of typing in the OTP digits manually. A simple tapping on the back of a smartphone is enough to authenticate a user securely and accurately.
.jpg?width=600&name=case_2_toss_%20(1).jpg)
When SSenStone developed the OTAC-based switch-OTP, smart OTP required two-way communication with a smartphone, supported only by Android OS. Smart OTP was not available in iOS due to various restrictions of iOS, which is bisecting the mobile OS market along with Android.
However, One-Time Authentication Code (OTAC) technology applied to the switch-OTP is unidirectional (one-way) and transmits the dynamic code generated through card tapping in the back of the smartphone into the server, so it can be applied to iOS as well. As a result, by overcoming the limits of smart OTP (criticized as an Android-only service) switch-OTP allows iPhone users to benefit from the same service.
The User-friendly switch-OTP service provides the most advanced form of secure authentication service in terms of 'security', the core of all financial services. SSenStone’s award-winning OTAC utilizes near-field communication (NFC) technology to authenticate Toss Bank users as they complete financial services by tapping their cards on the backs of their smartphones. In addition, they can even proceed to 2FA for high-value remittances and transfers.
While standard OTP is used only for secondary login methods after ID/PW or biometric login, OTAC applied to the switch-OTP enables unique single-step user identification and there is no possibility of code duplication with other users. Therefore, OTAC allows users to use financial services without restriction using only primary authentication.
.jpg?width=3509&name=case_en_2_toss_%20(1).jpg)
● Expected Effects
Given that the use of online banking for financial transactions is increasing, financial service firms must provide easy-to-use financial services safe from external threats.
An authentication service that can be used by tapping a card regardless of the OS leads to a vastly expanded user base, including the mobile native generation familiar with smart devices and older generations who are more focused on financial transaction security.
The most advanced form of the new OTAC authentication service can also be used for 2FA to increase security further for financial transactions, such as high-value remittances. It can also be extended to primary authentication services to protect personal information and can be used in critical financial services required in a new non-face-to-face era.
In addition, because the payment card itself plays the role of an OTP token device, Toss Bank allows its customers to save costs associated with the purchase of hardware OTP (including issuance, replacements, and administration). Combining a physical payment card and an authentication service provides a clear boost to business.
With the newly enhanced card becoming an essential tool for Toss Bank customers, having the physical card means Toss Bank customers are more likely to use this card for other transactions, leading to increases in revenue for the bank.
.jpg?width=3509&name=case_en_2_toss_%20(2).jpg)
