In general, a user authentication scheme based on an ID/password is the most commonly used, but it is vulnerable to attack and therefore poses a security problem. As a solution to this vulnerability, the one-time password (OTP) technique has recently come into wide use.
The OTP technique strengthens security by using an OTP in place of the existing fixed password. The OTP scheme is mainly used as a secondary user-authentication factor in addition to the existing ID/password scheme. For example, it has become an established means of strengthening security in online/mobile banking for financial transactions and in online games that require payment.
In the OTP scheme, a new password is generated each time a user is to be authenticated, and once a password has been used it cannot be used again. Also, a one-way hash function is used as the algorithm for generating an OTP, so that the password cannot be inferred from it, which provides strong security. That is, in the OTP scheme a user is authenticated by determining whether the OTP values generated by the user and by the authentication server are identical; a used OTP is not reused, and it is impossible to infer a password, thus ensuring safe user authentication.
Such an OTP generation function is implemented through various schemes such as a time-synchronization scheme, an event scheme, and a question-and-answer (challenge-response) scheme. These schemes are classified according to how the OTP-generating device and the authentication server periodically obtain the same input value and generate the same OTP on both sides. These days, the time-synchronization scheme, in which an OTP is automatically generated at every predetermined interval, or methods based on it, are commonly used.
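As an added illustration, not part of the original text, the following Python script shows one concrete instance of the time-synchronization scheme: a one-way function (HMAC-SHA1 in the HOTP/TOTP construction of RFC 4226/6238; the text itself does not name an algorithm, so this is an assumption) turns a shared seed and the current time step into the same OTP on the generating device and on the authentication server, and the server refuses any time step it has already consumed, which is the "a used OTP cannot be used again" rule. The seed and the user name are constructed sample values; the seed is the ASCII secret from the RFC test vectors so the output can be checked against them.

```python
import hmac
import hashlib
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """Derive an OTP from a shared seed and a counter with a one-way function.

    HMAC-SHA1 over the big-endian 8-byte counter, followed by the dynamic
    truncation of RFC 4226 (HOTP). The seed cannot be recovered from the output.
    """
    msg = struct.pack(">Q", counter)
    digest = hmac.new(seed, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def time_counter(unix_time: float, step: int = 30) -> int:
    """Time-synchronization input: both sides divide wall-clock time into fixed steps."""
    return int(unix_time) // step


def totp(seed: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-synchronized OTP (RFC 6238): HOTP with the current time step as the counter."""
    return hotp(seed, time_counter(unix_time, step), digits)


class OtpAuthServer:
    """Minimal server-side OTP module: same seed, same time step, no replay."""

    def __init__(self, step: int = 30, digits: int = 6, window: int = 1) -> None:
        self.step = step
        self.digits = digits
        self.window = window        # tolerate +/- this many steps of clock drift
        self._seeds = {}            # user_id -> seed shared with that user's generator
        self._last_counter = {}     # user_id -> highest time step already consumed

    def enroll(self, user_id: str, seed: bytes) -> None:
        self._seeds[user_id] = seed

    def verify(self, user_id: str, otp: str, unix_time: float) -> bool:
        seed = self._seeds.get(user_id)
        if seed is None:
            return False
        now = time_counter(unix_time, self.step)
        last = self._last_counter.get(user_id, -1)
        for counter in range(now - self.window, now + self.window + 1):
            # A step at or below the last accepted one is never valid again,
            # so a captured OTP cannot be replayed.
            if counter <= last:
                continue
            if hmac.compare_digest(hotp(seed, counter, self.digits), otp):
                self._last_counter[user_id] = counter
                return True
        return False


def demo() -> dict:
    """Walk one user through generation on the device side and checks on the server."""
    # Constructed seed: the ASCII secret used by the RFC 4226/6238 test vectors.
    seed = b"12345678901234567890"
    server = OtpAuthServer()
    server.enroll("alice", seed)          # constructed user name

    device_code = totp(seed, unix_time=59)  # what the user's generator displays
    return {
        "device_code": device_code,
        "first_use": server.verify("alice", device_code, unix_time=59),
        "replay": server.verify("alice", device_code, unix_time=59),
        "next_step": server.verify("alice", totp(seed, 89), unix_time=89),
        "wrong_code": server.verify("alice", "000000", unix_time=89),
    }


if __name__ == "__main__":
    print(demo())
```

Two design points are worth noticing. The server never stores or transmits the OTP itself; it recomputes it from the seed and the time step and compares in constant time, so the only secret that matters is the seed, which is exactly why its leakage from a software generator is the concern raised later in the text. The `window` parameter is the usual trade-off of time-synchronized schemes: a wider window tolerates more clock drift between device and server but gives an intercepted code a longer useful life.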
To use the OTP scheme, a separate OTP authentication server may be set up on the authentication-server side, or an OTP authentication module may be added to an existing authentication server. The user also requires a device for generating an OTP. OTP-generating devices on the user side may be divided into two types.
The first type is a hardware-based OTP token or OTP card, which has been widely used in the existing banking area (and was also adopted early on by some game companies). A user carries such an OTP-generating device, and when the user wants to use it for a banking transaction or the like, the user reads the OTP generated and displayed on the device and enters it, as is, into another device (e.g., a personal computer (PC) or a mobile terminal) that executes the transaction.
The second type is a mobile OTP-generating device, in which the OTP generator is implemented in software on a mobile terminal such as the widely used smartphone. Use of mobile OTP generators has been expanding rapidly in games and Internet portal sites. The mobile OTP scheme is advantageous in that, without having to carry a separate OTP device, a user may generate a mobile OTP on the mobile terminal that he or she already carries, display the value (mobile OTP) on the terminal's screen, and enter that value when accessing a PC-based portal site or game.
However, the mobile OTP scheme using a mobile terminal cannot be used domestically for banking transactions because of security concerns. The reason is that the current mobile OTP scheme fundamentally has the following security problems.
First, important information related to generation of a mobile OTP may be compromised by an external attack. The mobile OTP generator exists as an application program (application or app) implemented in software on a mobile terminal. If malicious code aimed at obtaining user data without authorization is installed on the mobile terminal through a security vulnerability, important data such as the seed required for generating the mobile OTP and user-specific information may be leaked.
Second, there is a possibility of attack based on forgery and falsification of the application that generates the mobile OTP. An application installed on a mobile terminal is constantly exposed to the possibility of being forged or falsified. If a user runs the application to generate a mobile OTP without knowing, or while disregarding, that the application has been forged or falsified, the user's important information may be transmitted to an external attacker, that is, compromised.