政大機構典藏-National Chengchi University Institutional Repository(NCCUR):Item 140.119/152414
    Please use this identifier to cite or link to this item: https://nccur.lib.nccu.edu.tw/handle/140.119/152414


    Title: Applying FIDO for Strong Customer Authentication in Transactions Between Payment Service Providers (original title: 應用 FIDO 於支付服務商間交易的嚴格顧客驗證)
    Authors: Tsai, Tien-Han (蔡典翰)
    Contributors: Chen, Kung (陳恭); Tsai, Tien-Han (蔡典翰)
    Keywords: Financial FIDO (F-FIDO); FIDO2; WebAuthn; Payment Service Provider; Strong Customer Authentication
    Date: 2024
    Issue Date: 2024-08-05 12:07:33 (UTC+8)
    Abstract (translated from the Chinese original): With the rapid development of digitalization and internet technology, payment service providers play a crucial role in driving e-commerce and the digital economy. This has not only made payments more convenient but has also introduced a series of new information security challenges; in particular, when transactions take place between payment service providers, improving the convenience of user authentication while ensuring transaction security has become a pressing problem. At present, Taiwan's approach to such problems relies mainly on traditional password systems and SMS one-time password verification. Although these methods are widespread, they may suffer from potential problems such as an inconvenient user experience and transaction security vulnerabilities. In recent years, Taiwan's Financial Supervisory Commission has actively promoted the adoption of the F-FIDO standard in the financial sector, aiming to improve user experience and the security of financial transactions through a more modern authentication approach. This thesis therefore proposes a scheme that combines the FIDO standard with strong customer authentication, applying public/private-key cryptography to optimize the user authentication flow and strengthen the security of transactions between payment service providers, offering payment service providers a new approach to the problem.

    In terms of system implementation, this study simulates a transfer service between payment service providers. Based on the FIDO2 WebAuthn standard, it establishes a centralized relying party at which a second public/private key pair is created, serving as the basis for secondary identity verification. Furthermore, when a user wishes to perform a transfer between payment service providers, they must first pass strong customer authentication: within the secure execution environment of the centralized relying party, the user authenticates with the private key registered at the centralized relying party and confirms the transaction details, after which the inter-provider transfer can be executed.

    Abstract (author's English version): The rapid development of digital and internet technologies has made payment service providers essential to e-commerce and the digital economy. While enhancing payment convenience, it also brings new security challenges, especially in user authentication and transaction security. In Taiwan, traditional password systems and SMS OTPs are common but have potential security vulnerabilities. The Financial Supervisory Commission promotes the F-FIDO standard to enhance security and user experience. This paper proposes a solution combining FIDO2 WebAuthn and strong customer authentication, using asymmetric encryption to secure inter-provider transactions with a centralized relying party for secondary authentication.

    This study simulates inter-provider transfer services based on the FIDO2 WebAuthn standard. It establishes a centralized relying party for secondary authentication with a second set of public-private keys. Users must pass strict customer authentication, using their private key registered with the centralized relying party in a secure environment to authenticate their identity and confirm transaction details before executing transfers.
    Description: Master's thesis, National Chengchi University, Department of Management Information Systems, 111356038
    Source URI: http://thesis.lib.nccu.edu.tw/record/#G0111356038
    Data Type: thesis
    Appears in Collections:[Department of MIS] Theses

    Files in This Item: 603801.pdf (8728 KB, Adobe PDF)

