Biometric Authentication - Why Do We Need It?

In recent years, Identity and Access Management has gained importance within technology industries as attackers continue to target large corporations in order to gain access to private data and services. To address this issue, the Grab Identity team has been using a 6-digit PIN to authenticate a user during a sensitive transaction such as accessing a GrabPay Wallet. We also use SMS one-time passwords (OTPs) to log a user into the application.


We look at existing mechanisms that Grab uses to authenticate its users and how biometric authentication helps strengthen application security and save costs. We also look at the various technical decisions taken to ensure the robustness of this feature as well as some key learnings.


Introduction


The mechanisms we use to authenticate our users have evolved as the Grab Identity team consistently refines our approach. Over the years, we have observed several things:


  • OTP and Personal Identification Number (PIN) are susceptible to hacking and social engineering.
  • These methods have high user friction (e.g. delay or failure to receive SMS, need to launch Facebook/Google).
  • Shared/rented driver accounts cause safety concerns for passengers and increase the potential for fraud.
  • High OTP costs at $0.03/SMS.

Social engineering has become more sophisticated: attackers may pose as your friends and ask for your OTP, or even post phishing advertisements that prompt for your personal information.

[Figure: Search data flow]

With more sophisticated social engineering attacks on the rise, we need solutions that can continue to prot...
