DualAuth

Our logo is a stylized expression of the Chinese philosophy of Yin and Yang, applied to the online authentication process. We bring serenity and safety by including the needs of both the user and the server while excluding those who would cause harm.

We Believe

The market will soon require:
- Authentication without passwords
- Use of the mobile phone as the authentication device
- Bi-directional authentication of both the user and the server
Parent Company Introduction (www.estorm.co.kr)

- 17 years of company history
- Specialized in professional enterprise software development; provided SI services to the financial market
- Provided a cloud solution to NHIS
- Provided a cloud solution to KB Card
- Created an integrated groupware, Filing Planner, now used by more than 20 companies
- Developing OTP solutions since 2013
- Multiple patents for mutual authentication technologies
- Uses the mobile phone as the authentication device
- In use by Korea Telecom, Lush Korea, and Namusoft
- Implementation in process with major banks
Award Winning Product Family

DualAuth is a human-oriented, multi-factor, mutual authentication solution.

Major achievements:
- Selected as a presenting company for Finovate Fall 2016 in New York and in Hong Kong
- One of 5 finalists among 63 applicants in the Innovation in Cyber Security/Anti-Fraud category at the Fintech Innovation Awards 2016 in London
- Delivered the Fintech Authentication Platform Service to the KISA (Korea Internet & Security Agency) Fintech Security & Authentication Support Center in 2016
- Received the Republic of Korea Internet Grand Award in 2014
Limitations of Legacy Authentication

One-way authentication only lets the service verify the user:
- The user cannot confirm that the service is genuine, because nothing the server sends proves its identity.
- The service cannot confirm that the user is genuine even when valid credentials are presented, because anyone holding those credentials, including an attacker who phished them, passes the same one-way check.
- A user's credentials can easily be hijacked through social-engineering attacks, and the legacy factors (Password, SMS Verification Code, OTP, Fingerprint) remain vulnerable to real-time Man-in-the-Middle (MITM) attacks.

[Figure: a fake service sits between the user and the real service. It asks the user for credentials ("Ask credentials" / "Enter credentials"), relays them to the real service ("Enter ID/PW"), and receives the service in the user's place ("Provide Service"), intercepting the ID/PW and other credentials along the way.]
Changing the Concept of Authentication

DualAuth concepts:
- The mobile phone is the authentication device
- Mutual (bi-directional) authentication between user and service: User Authentication (UA) and Service Authentication (SA)
- Multi-factor, multi-channel, and user-verifying

Patented and unique:
- We created Service Authentication to bring safety and serenity to the user
- The service first presents a Service OTP to the user to show that the service is genuine
- The user compares the Service OTP shown by the service with the OTP generated independently on the mobile device
- The Service OTP code itself is never transmitted; only metadata travels over the mobile network, so intercepting that traffic does not yield the code

[Figure: Service Authentication by User (the user verifies the service's code against the mobile-generated code), followed by User Authentication by Service.]
Strong Security

DualAuth is stronger than any other software-based authentication solution:
- The app is protected from forgery, replication, and hacking
- Device authentication (e.g. PIN or fingerprint) can be added for stronger user authentication (FIDO)
- The Service OTP code is generated separately on the mobile device from the metadata it receives
- The context for generating the User OTP is delivered securely via app push
- The seed is a combination of variables including the private key, time, carrier IP, push ID, and session ID
- Even if the metadata is intercepted, the probability of generating a valid OTP code without the private key is practically zero
- DualAuth is the only solution that protects the service from real-time MITM attacks
- DualAuth can run in a TEE (TrustZone) to provide security equivalent to a hardware OTP token

[Figure: the mobile client (DualLogin) derives the Service OTP from Private Key x Time x Carrier IP x Push ID x Session ID, with a hash value, fingerprint or PIN as the local unlock; the Auth Server side holds Private Key x Time and the Push ID, exchanges the Session ID and mobile carrier IP address as metadata, and receives the encrypted User OTP.]
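The exchange described on the two slides above (the service presents its code first, the user compares it with the phone's code, then a context-bound user code goes back), as an added, runnable illustration that is not DualAuth's or eStorm's code. It assumes an HMAC-SHA256 derivation over a per-user enrolment key, the session ID, push ID, carrier IP and a 30-second time window; the names AuthServer, MobileApp, derive_otp and demo, the push-message fields, and the sample user, push ID and IP address are all made up for the example. It walks through a genuine login, a phishing page that lacks the key and therefore shows a code the phone does not reproduce, an eavesdropper who holds only the pushed metadata, and a user code replayed against a different session. It does not model a relay (real-time MITM) attack.

```python
"""Added illustration of a mutual (service-first, then user) OTP exchange.
NOT DualAuth's algorithm: the HMAC derivation, the message layout and
every field name below are assumptions made for this example."""
import hashlib
import hmac
import secrets
import struct

TIME_STEP = 30  # seconds per OTP window (assumed)
DIGITS = 6      # displayed code length (assumed)


def derive_otp(key, role, session_id, push_id, carrier_ip, now):
    """Context-bound code: HMAC-SHA256 over role | session ID | push ID |
    carrier IP | time window, truncated with the RFC 4226 dynamic offset.
    A different role gives an unrelated code from the same key, so the
    service code shown to the user cannot be reused as the user code."""
    msg = b"|".join([role, session_id.encode(), push_id.encode(),
                     carrier_ip.encode(), struct.pack(">Q", now // TIME_STEP)])
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


class AuthServer:
    """Keeps each user's enrolment key; the key never leaves the server."""

    def __init__(self):
        self.keys, self.push_ids, self.sessions = {}, {}, {}

    def enrol(self, user_id, push_id):
        key = secrets.token_bytes(32)
        self.keys[user_id], self.push_ids[user_id] = key, push_id
        return key  # provisioned into the app out of band at enrolment

    def start_login(self, user_id, carrier_ip, now):
        """Step 1, service authentication: returns the code to show on the
        web page and the metadata-only push for the phone (no key in it)."""
        session_id = secrets.token_hex(8)
        self.sessions[session_id] = (user_id, carrier_ip)
        code = derive_otp(self.keys[user_id], b"service", session_id,
                          self.push_ids[user_id], carrier_ip, now)
        push = {"session_id": session_id, "carrier_ip": carrier_ip, "t": now}
        return session_id, code, push

    def verify_user(self, session_id, user_otp, now):
        """Step 2, user authentication: the code is bound to one session,
        and the session is consumed whether or not the check passes."""
        if session_id not in self.sessions:
            return False
        user_id, carrier_ip = self.sessions.pop(session_id)
        expected = derive_otp(self.keys[user_id], b"user", session_id,
                              self.push_ids[user_id], carrier_ip, now)
        return hmac.compare_digest(expected, user_otp)


class MobileApp:
    def __init__(self, push_id, key):
        self.push_id, self.key = push_id, key

    def service_code(self, push):
        """What the phone displays next to the web page's code."""
        return derive_otp(self.key, b"service", push["session_id"],
                          self.push_id, push["carrier_ip"], push["t"])

    def approve(self, push):
        """Run only after the user confirms the two service codes match."""
        return derive_otp(self.key, b"user", push["session_id"],
                          self.push_id, push["carrier_ip"], push["t"])


def demo(now=1_700_000_000):
    """Four scenarios; returns a dict of outcomes (constructed data)."""
    server = AuthServer()
    app = MobileApp("push-4711", server.enrol("alice", "push-4711"))
    ip = "203.0.113.5"  # constructed carrier IP (documentation range)
    out = {}
    # Genuine login: phone code matches the page, user approves, server
    # accepts the session-bound user code.
    sid, page_code, push = server.start_login("alice", ip, now)
    out["genuine"] = (app.service_code(push) == page_code
                      and server.verify_user(sid, app.approve(push), now))
    # Phishing page: a service without the enrolment key can only show a
    # wrong code (modelled by altering one digit); the phone disagrees and
    # the user stops before any user code is sent.
    sid, page_code, push = server.start_login("alice", ip, now)
    fake_code = page_code[:-1] + str((int(page_code[-1]) + 1) % 10)
    out["phishing_detected"] = app.service_code(push) != fake_code
    # Eavesdropped push: metadata alone, without the key, does not let an
    # attacker produce the user code.
    sid, _, push = server.start_login("alice", ip, now)
    snooper = MobileApp("push-4711", b"\x00" * 32)
    out["intercepted_metadata"] = server.verify_user(sid, snooper.approve(push), now)
    # Replay: a user code captured for one session fails for another.
    sid1, _, push1 = server.start_login("alice", ip, now)
    sid2, _, _ = server.start_login("alice", ip, now)
    out["replay"] = server.verify_user(sid2, app.approve(push1), now)
    return out


if __name__ == "__main__":
    print(demo())
```

Run it directly to print the four outcomes. The enrolment key is the one secret in the scheme; it is exactly the value that the TEE deployment mentioned on the slide above would keep out of reach of a compromised app, and it is what distinguishes the phone from anyone who merely captured the push metadata.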
FIDO Integration

Any user authentication module can be used within DualAuth.

[Figure: integration architecture. The web browser on the PC (app/browser with integrated RP-Client) talks to the customer's service web server (with integrated RP-Server) and to the Push Server. Service Authentication uses OTP (OTP Server); User Authentication uses FIDO (FIDO UAF Server reached over the UAF Protocol, with a Management Console and the FIDO Metadata Service). On the mobile side, the FIDO Client uses the UAF APIs and ASM APIs to reach the ASMs and the authenticators (Fingerprint, PIN).]
Product - DualLogin

Alternative to user passwords:
- The user only types in his/her user ID (no passwords at all!)
- The user compares two OTP codes, one from the service and one generated on the mobile device
- Once the user approves the Service OTP code, the remaining steps run automatically in the background
- No memorizing or typing is required; a single touch is enough for authentication
- For higher security, device authentication such as fingerprint can be added
- This easy and simple login can be integrated with SSO (Single Sign-On)

DualLogin Demo: https://youtu.be/buruayg9dus
Product - DualCheck

Alternative to SMS/ARS 2nd-step verification:
- For the 2nd verification step, the service presents its Service OTP code first
- The user verifies that the Service and User OTP codes are the same
- DualCheck provides a higher level of security than SMS/ARS methods
- Memorizing or typing the code is not required of the user
- A single touch completes the authentication process
- Device authentication (e.g. PIN) is available and is also integrated with FIDO
- Lower cost than SMS/ARS verification

DualCheck Demo: https://youtu.be/8hwa9a6mxpq
Product - DualOTP

Alternative to hardware OTP tokens (dongles):
- The Service OTP code is presented to the user first
- The user compares both OTP codes, the one on the mobile device and the one in the web service
- After the service is verified, the User Authentication step takes place
- The transaction-based, data-signed OTP mode prevents memory-hacking attacks: the code is computed over the transaction data itself, so a transaction altered in memory no longer matches the signed code
- The anti-hacking solution prevents use of a cloned (duplicated) phone
- Offline mode (airplane mode) provides the same security as a hardware dongle

DualOTP Demo: https://youtu.be/9jx8ckkpj5e
Product Family Comparison and Summary

DualOTP
- Target: alternative to hardware OTP tokens
- Use case: strong 2-step verification for login to the service or for financial transactions; can be used for transaction-based OTP
- Distinctive features: secure data-signed OTP; airplane-mode OTP

DualCheck
- Target: alternative to SMS/ARS verification
- Use case: strong 2-step verification for login to the service
- Distinctive features: one-touch authentication; no need to memorize or type codes

DualLogin
- Target: alternative to passwords
- Use case: easy login; good for VPN authentication
- Distinctive features: one-touch login; no need to memorize or type codes

Common to the whole family: context-based Service Authentication + User Authentication; mutual, multi-factor, multi-channel, user-verifying; higher security, easier use, lower cost.
Let Us Help You Win Bids

- Easy integration with your preferred authentication technology
- Cloud-based or RADIUS-server-based installation
- Flexible partnering or VAR arrangements
- Customer-specific exclusivity available