Slide 1
Slide 1 text
ύεΩʔϢʔβʔೝূΛ
Ͳ͏ม͑Δͷ͔ʁ
ͦͷಛͱಋೖʹ͓͚Δ՝
ҏ౦ ྒ(@ritou) - Developers Summit 2023ʢ2023.02.09-10ʣ
Slide 2
Slide 2 text
ҏ౦ ྒ (@ritou)
• גࣜձࣾ MIXI - ΤϯδχΞ
• OpenID ϑΝϯσʔγϣϯɾδϟύϯ - ΤόϯδΣϦετ
• Digital Identityؔ࿈ͷϒϩάɺࣥචɺษڧձ…
2
Slide 3
Slide 3 text
ൃදͷ༰
• ͜Ε·ͰͷϢʔβʔೝূ
• ύεΩʔͷಛ
• ύεΩʔಋೖͷϙΠϯτ
3
Slide 4
Slide 4 text
͜Ε·ͰͷϢʔβʔೝূ
Slide 5
Slide 5 text
ύεϫʔυೝূ - Memorized Secrets
• ೝূཁૉ : ࣝ
• ϢʔβʔɺαʔϏε͕ύεϫʔυΛڞ༗
• ϢʔβʔهԱ͢Δ
• αʔϏε҆શʹอଘ
• Ϣʔβʔ͔ΒૹΒΕͨϢʔβʔࣝผࢠͱύεϫʔυͷΈ߹ΘͤΛ
αʔϏε͕ݕূ͢Δํ๏͕Ұൠత
5
Slide 6
Slide 6 text
ύεϫʔυೝূͷཁ݅ͱ࣮ঢ়
• Ϣʔβʔͷཁ݅
• ύεϫʔυΛΕͳ͍
• ਪଌՄೳͳύεϫʔυΛආ͚ɺෳͷαʔϏεͰ͍·Θ͞ͳ͍
• ύεϫʔυΛୈ̏ऀʹڭ͑ͳ͍
• αʔϏεͷཁ݅
• ύεϫʔυΛ҆શʹཧ͢Δ
• ֤छ߈ܸ͔ΒϢʔβʔΛอޢ͢Δ
6
←ΕΔ
Slide 7
Slide 7 text
ΞΧϯτϦΧόϦʔ
• ͋ΔೝূํࣜͰ “ϩάΠϯͰ͖ͳ͍” ঢ়ଶ͔Βͷճ෮
• ผͷखஈͰਓೝূ / ݩ֬ೝ + ઃఆมߋ
• ผͷೝূํࣜ : SMS͕͑ͳ͍ͷͰόοΫΞοϓίʔυΛར༻
• ొ࣌ͷݩ֬ೝํ๏Λར༻ : PW࠶ઃఆ༻ͷURLΛϝʔϧૹ৴
• CSܦ༝ͷKYC : ఏग़ࡁΈͷূ໌ॻΛར༻
7
Slide 8
Slide 8 text
ύεϫʔυೝূͷཁ݅ͱ࣮ঢ়
• Ϣʔβʔͷཁ݅
• ύεϫʔυΛΕͳ͍
• ਪଌՄೳͳύεϫʔυΛආ͚ɺෳͷαʔϏεͰ͍·Θ͞ͳ͍
• ύεϫʔυΛୈ̏ऀʹڭ͑ͳ͍
• αʔϏεͷཁ݅
• ύεϫʔυΛ҆શʹཧ͢Δ
• ֤छ߈ܸ͔ΒϢʔβʔΛอޢ͢Δ
8
ਪଌՄೳͳύεϫʔυΛ
ෳαʔϏεͰ͍ճ͢
෮߸Մೳͳঢ়ଶͰ
อଘ͍͕ͯͨ͠࿙Ӯ
Slide 9
Slide 9 text
ύεϫʔυϦετ/ύεϫʔυεϓϨʔ ߈ܸ
• ύεϫʔυϦετ߈ܸ : ଞαʔϏε͔Β࿙ӮɺϑΟογϯάͰऔಘ͞
Εͨ”(ϝʔϧΞυϨεͳͲؚΉ)ϢʔβʔࣝผࢠͱύεϫʔυͷΈ߹
Θͤ”Λར༻ͯ͠ϩάΠϯࢼߦ
• ύεϫʔυεϓϨʔ߈ܸ : “ϢʔβʔࣝผࢠͷϦετͱΑ͘ΘΕ͍ͯ
Δύεϫʔυ”ͷΈ߹ΘͤͰϩάΠϯࢼߦ
• ύεϫʔυҎ֎ͷೝূํࣜͱͷΈ߹ΘͤʹΑΔରࡦ͕ඞཁ
9
Slide 10
Slide 10 text
TOTP - Single-Factor OTP Device
• ೝূཁૉ : ॴ༗
• Ϣʔβʔ/αʔϏεͰൿີ伴Λڞ༗ɺ
• ϞόΠϧΞϓϦͳͲ͕࣌ࠁϕʔεͰੜͨ͠OTP(RFC6238)Λར༻
• ۚ༥ػؔͳͲͰϋʔυΣΞτʔΫϯ͕ར༻͞Ε͍͕ͯͨɺ2010
ʹGoogle͕Google Authenticatorͱͱʹ2ஈ֊ೝূΛఏڙͯ͠
͔Βීٴ
10
Slide 11
Slide 11 text
SMS OTP - Out-of-Band Devices
• ೝূཁૉ : ॴ༗
• SMSܦ༝ͰૹΒΕͨϫϯλΠϜύεϫʔυ(OTP)Λར༻
• αʔϏεొࡁΈͷి൪߸ʹOTPΛૹ৴
• Ϣʔβʔड৴ͨ͠OTPΛαʔϏεʹૹ৴
• Ϣʔβʔͷେྔొରࡦͱͯ͠ΘΕ͖ͯͨɻαʔϏεଆͷૹ৴ί
ετɺԆಧ͔ͳ͍ϦεΫͱ͍͏ϦεΫແࢹͰ͖ͳ͍ɻ
11
Slide 12
Slide 12 text
Email OTP - Out-of-Band Devices
• ೝূཁૉ : ॴ༗ (?)
• Emailܦ༝ͰૹΒΕͨϫϯλΠϜύεϫʔυ(OTP)Λར༻
• αʔϏεొࡁΈͷϝʔϧΞυϨεʹOTPΛૹ৴
• Ϣʔβʔड৴ͨ͠OTPΛαʔϏεʹૹ৴
12
Slide 13
Slide 13 text
ೝূ༻ΞϓϦ - Out-of-Band Devices
• ೝূཁૉ : ॴ༗
• ೝূ༻ͷϞόΠϧΞϓϦͷϓογϡ௨Λར༻
• αʔϏεϢʔβʔʹඥ͚ͮΒΕͨ/ΞϓϦʹϓογϡ௨
• Ϣʔβʔ/ΞϓϦͰϩάΠϯ͢Δ͜ͱΛڐՄ
• MFAർ࿑߈ܸ(MFA fatigue attacks) ͕ʹ
13
Slide 14
Slide 14 text
όοΫΞοϓίʔυ - Look-Up Secrets
• ೝূཁૉ : ॴ༗
• ͋Β͔͡ΊϢʔβʔʹͨ͠୯Ұ͘͠ෳͷจࣈྻΛར༻
• SMS͕ड৴Ͱ͖ͳ͍
• ೝূ༻ΞϓϦ͕ར༻Ͱ͖ͳ͍
• 2ཁૉ/2ஈ֊ೝূΛઃఆ͢Δࡍʹ߹Θͤͯઃఆͤ͞Δͷ͕Ұൠత
14
Slide 15
Slide 15 text
ύεϫʔυೝূͷཁ݅ͱ࣮ঢ়
• Ϣʔβʔͷཁ݅
• ύεϫʔυΛΕͳ͍
• ਪଌՄೳͳύεϫʔυΛආ͚ɺෳͷαʔϏεͰ͍·Θ͞ͳ͍
• ύεϫʔυΛୈ̏ऀʹڭ͑ͳ͍
• αʔϏεͷཁ݅
• ύεϫʔυΛ҆શʹཧ͢Δ
• ֤छ߈ܸ͔ΒϢʔβʔΛอޢ͢Δ
15
←ϑΟογϯάαΠτʹ
ೖྗͯ͠͠·͏
Slide 16
Slide 16 text
ϑΟογϯά߈ܸ
• IPA ใηΩϡϦςΟ10େڴҖ2023 ݸਓ͚1Ґ(2࿈த)
• 2ஈ֊ೝূɺ2ཁૉೝূΛར༻ͯ͠ඃʹૺ͏Մೳੑ͕͋Δ
• Adversary-in-the-MiddleʢAiTMʣ
16
ग़య : ใηΩϡϦςΟ10େڴҖ 2023ɿIPA ಠཱߦ๏ਓ ใॲཧਪਐػߏ
https://www.ipa.go.jp/security/vuln/10threats2023.html
Slide 17
Slide 17 text
Adversary-in-the-
MiddleʢAiTMʣ
• ϑΟογϯάαΠτ͕தؒऀͱͳ
Γਖ਼نͷαʔϏεʹϩάΠϯࢼߦ
• ύεϫʔυ + SMS/Email OTP
• ύεϫʔυ + ೝূΞϓϦ
• ޭ͢ΔͱϩάΠϯηογϣϯࣗ
ମ(Cookie/Token)ΛऔಘՄೳ
ग़య : From cookie theft to BEC: Attackers use AiTM phishing sites as entry point toɹ
further
fi
nancial fraud - Microsoft Security Blog
https://xn--microsoft-921o9813a.com/en-us/security/blog/2022/07/12/from-
cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-
fi
nancial-fraud/
Slide 18
Slide 18 text
Adversary-in-the-MiddleʢAiTMʣͷΈ
18
ग़య : From cookie theft to BEC: Attackers use AiTM phishing sites as entry point toɹfurther
fi
nancial fraud - Microsoft Security Blog
https://xn--microsoft-921o9813a.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-
fi
nancial-fraud/
example.com
example.net
Slide 19
Slide 19 text
Adversary-in-the-MiddleʢAiTMʣͷΈ
19
ग़య : From cookie theft to BEC: Attackers use AiTM phishing sites as entry point toɹfurther
fi
nancial fraud - Microsoft Security Blog
https://xn--microsoft-921o9813a.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-
fi
nancial-fraud/
ύεϫʔυΛਖ਼ن
αʔϏεʹૹΔ
example.com
example.net
Slide 20
Slide 20 text
Adversary-in-the-MiddleʢAiTMʣͷΈ
20
ग़య : From cookie theft to BEC: Attackers use AiTM phishing sites as entry point toɹfurther
fi
nancial fraud - Microsoft Security Blog
https://xn--microsoft-921o9813a.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-
fi
nancial-fraud/
ύεϫʔυΛਖ਼ن
αʔϏεʹૹΔ
50514.4051
ೖྗը໘Λදࣔ
example.com
example.net
Slide 21
Slide 21 text
Adversary-in-the-MiddleʢAiTMʣͷΈ
21
ग़య : From cookie theft to BEC: Attackers use AiTM phishing sites as entry point toɹfurther
fi
nancial fraud - Microsoft Security Blog
https://xn--microsoft-921o9813a.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-
fi
nancial-fraud/
ύεϫʔυΛਖ਼ن
αʔϏεʹૹΔ
50514.4051
ೖྗը໘Λදࣔ
50514.4051Λ
ਖ਼نαʔϏεʹૹΔ
example.com
example.net
Slide 22
Slide 22 text
Adversary-in-the-MiddleʢAiTMʣͷΈ
22
ग़య : From cookie theft to BEC: Attackers use AiTM phishing sites as entry point toɹfurther
fi
nancial fraud - Microsoft Security Blog
https://xn--microsoft-921o9813a.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-
fi
nancial-fraud/
ύεϫʔυΛਖ਼ن
αʔϏεʹૹΔ
50514.4051
ೖྗը໘Λදࣔ
50514.4051Λ
ਖ਼نαʔϏεʹૹΔ
ϩάΠϯηογϣϯΛ
औಘՄೳ
example.com
example.net
Slide 23
Slide 23 text
Ϣʔβʔ/αʔϏε͕ͱΕΔϑΟογϯάରࡦ
• Ϣʔβʔ͕ύεϫʔυϚωʔδϟʔͷར༻ : ύεϫʔυTOTPઃఆΛ
ΦϦδϯ(υϝΠϯ)ͱඥ͚ͯཧ͠ɺҰக͍ͯ͠Δͷ͕ϑΥʔϜ
ೖྗ࣌ʹબՄೳ
• αʔϏε͕WebOTPͷ࠾༻ : ૹ৴ͨ͠SMSϝοηʔδʹؚ·ΕΔΦϦ
δϯ(υϝΠϯ)ͱOTPͷೖྗΛଅ͍ͯ͠ΔURL͕Ұக͍ͯ͠Εड৴
ͨ͠SMSʹؚ·ΕΔOTPͷ͕ϑΥʔϜʹࣗಈೖྗ
23
Slide 24
Slide 24 text
ύεϫʔυϚωʔδϟʔʹΑΔରࡦ
24
ग़య : From cookie theft to BEC: Attackers use AiTM phishing sites as entry point toɹfurther
fi
nancial fraud - Microsoft Security Blog
https://xn--microsoft-921o9813a.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-
fi
nancial-fraud/
ਖ਼نαʔϏεͷύεϫʔυ͕
ϑΟογϯάαʔϏεʹఏҊ͞Εͳ͍
example.com
example.net
Slide 25
Slide 25 text
WebOTPʹΑΔରࡦ
25
ग़య : From cookie theft to BEC: Attackers use AiTM phishing sites as entry point toɹfurther
fi
nancial fraud - Microsoft Security Blog
https://xn--microsoft-921o9813a.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-
fi
nancial-fraud/
ύεϫʔυΛਖ਼ن
αʔϏεʹૹΔ
50514.4051
ೖྗը໘Λදࣔ
ϑΟογϯάαʔϏεʹ051ࣗಈೖྗ͕ߦΘΕͳ͍
example.com
example.net
Slide 26
Slide 26 text
• ೝূཁૉ : ॴ༗
• ϋʔυΣΞσόΠεʹ҆શʹอ࣋͞Εͨ҉߸伴Λ༻͍ͨެ։伴ೝ
ূΛར༻
• ηΩϡϦςΟΩʔΛࢦ͚ͩ͢ɺ৮ΕΔ(≠ੜମೝূ)͚ͩͰར༻Մೳ
• ύεϫʔυೝূͱΈ߹Θͤͨ2ஈ֊ೝূͰͷར༻͕·ͬͨ
26
FIDO w/ User Presence
- Single-Factor Cryptographic Device/Software
Slide 27
Slide 27 text
FIDO w/ User Veri
fi
cation
- Multi-Factor Cryptographic Software/Device
• ೝূཁૉ : ॴ༗ + ࣝ/ੜମ
• ϋʔυΣΞσόΠεʹ҆શʹอ࣋͞Εͨ҉߸伴Λ༻͍ͨެ։伴ೝ
ূ ͱ ϩοΫղআͳͲͰΘΕΔϩʔΧϧೝূ ͷΈ߹Θͤ
• ηΩϡϦςΟΩʔ + PIN
• εϚʔτϑΥϯ / PC + ը໘ϩοΫղআ
27
Slide 28
Slide 28 text
FIDOͷϑΟογϯάੑ
• WebAuthn : WebΞϓϦέʔγϣϯͰFIDOΛར༻͢ΔͨΊͷϒϥ
βAPI
• ར༻αʔϏεࣗͷΦϦδϯ(υϝΠϯ)Λࢦఆ
• ϒϥβͦͷΛݕূͯ͠ෆҰகͷ߹ೝূෆՄೳ
• ϑΟογϯάαΠτͱਖ਼نαʔϏε͕γεςϜతʹ۠ผ͞ΕΔ
28
Slide 29
Slide 29 text
FIDOͷϑΟογϯάੑ
29
ग़య : From cookie theft to BEC: Attackers use AiTM phishing sites as entry point toɹfurther
fi
nancial fraud - Microsoft Security Blog
https://xn--microsoft-921o9813a.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-
fi
nancial-fraud/
ύεϫʔυΛਖ਼ن
αʔϏεʹૹΔ
'*%0ʹΑΔ
ՃೝূΛཁٻ
example.net example.com
Slide 30
Slide 30 text
FIDOͷϑΟογϯάੑ
30
ग़య : From cookie theft to BEC: Attackers use AiTM phishing sites as entry point toɹfurther
fi
nancial fraud - Microsoft Security Blog
https://xn--microsoft-921o9813a.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-
fi
nancial-fraud/
ύεϫʔυΛਖ਼ن
αʔϏεʹૹΔ
'*%0ʹΑΔ
ՃೝূΛཁٻ
example.net
ϑΟογϯάαΠτʹਖ਼نαʔϏεͷೝূใૹΒΕͳ͍
example.com
Slide 31
Slide 31 text
FIDOͷ՝
• 伴ཧͷݎ࿚ੑΏ͑ͷϦΧόϦʔࠔ
• Authenticator(ηΩϡϦςΟΩʔɺରԠ)͕յΕͨɺແͨ͘͠ɺ
ങ͍ସ͑ͨ߹ʹอଘ͞Ε͍ͯΔ҉߸伴͕ར༻Ͱ͖ͳ͘ͳΓɺશͯ
ͷαʔϏεͰ࠶ొ͕ඞཁ
• όοΫΞοϓ
• ೝূڧΛམͱͣ͞ɺϑΟογϯάੑΛอͭʹෳͷ
Authenticatorͷొ͕ඞཁ
31
Slide 32
Slide 32 text
ύεΩʔͷಛ
Slide 33
Slide 33 text
ύεΩʔ : FIDO multi-device credentials
• 伴ཧΛσόΠε͔ΒϢʔβʔʹ
• ϓϥοτϑΥʔϜϢʔβʔͱඥ͚ : Apple, Google, MS Account
• ύεϫʔυϚωʔδϟʔ : 1Password(༧ఆ)
• ͜Ε·ͰͷFIDOʹ͋ͬͨ伴ཧͷݎ࿚ੑࣦΘΕΔ͕ɺόοΫΞο
ϓΛՄೳʹ͢Δ͜ͱͰ “ϑΟογϯάੑΛ࣋ͪརศੑͷߴ͍ೝূํ
ࣜ” ͱͯ͠ීٴΛૂ͏
33
Slide 34
Slide 34 text
ύεΩʔͷڍಈ : https://webauthn.io
34
• ύεΩʔͷొ(ੜ) : ֬ೝը໘ -> ϩʔΧϧೝূ(ੜମ/PIN)
ϩʔΧϧೝূ
ੜମ
1*/
ύλʔϯ
Slide 35
Slide 35 text
ύεΩʔͷڍಈ : https://webauthn.io
35
• ύεΩʔͰϩάΠϯ : ύεΩʔબը໘ -> ϩʔΧϧೝূ(ੜମ/PIN)
ϩʔΧϧೝূ
ੜମ
1*/
ύλʔϯ
ผ͔Β
ಉ༷ʹར༻Մೳ
Slide 36
Slide 36 text
ରԠڥ
• “ύεΩʔରԠڥ” ≠ “FIDO multi-device credentials” ʹҙ͕ඞཁ
• ϓϥοτϑΥʔϜɺɺϒϥβͷΈ߹ΘͤͰڍಈ͕ܾ·Δ
• ύεΩʔ͕ಉظ͞ΕΔͷ : Safari on MacOS/iOS/iPadOS,
Android + Chrome/Firefox
• ύεΩʔ͕ಉظ͞Εͳ͍ͷ : Chrome on MacOS…
36
Slide 37
Slide 37 text
“hybrid” transport
• “ผͷύεΩʔΛར༻ͯ͠ϩάΠϯ” ͕ՄೳʹͳΔΈ
• QRίʔυ + BLE Ͱଓͨ͠ͷύεΩʔΛར༻Մೳ
37
Slide 38
Slide 38 text
Conditional UI / Auto
fi
ll
• Ϣʔβʔ໊/ϝʔϧΞυϨεೖྗϑΥʔϜʹར༻ՄೳͳύεΩʔ͕දࣔ
͞Εɺબ͢ΔͱύεΩʔͷೝূ͕࢝·Δ
• طଘͷೝূํࣜͷUI͔Βͷ ”γϣʔτΧοτ” ͕Մೳ
38
Slide 39
Slide 39 text
ύεΩʔಋೖͷϙΠϯτ
Slide 40
Slide 40 text
ύεΩʔಋೖʹΑΓ࣮ݱ͍ͨ͜͠ͱ
• શମ/ಛఆϢʔβʔͷ҆શੑ্ʁ
• ඞཁͳೝূڧɺରԠڥΛࡉ͔͘ҙࣝ͢Δඞཁ͋Γ
• ҙͰͷϑΟογϯάੑͱརศੑ্ʁ
• γϯϓϧʹೝূํࣜΛ”૿͢”ײ֮
40
Slide 41
Slide 41 text
ID࿈ܞͱͷؔ
• ID࿈ܞΛఏڙ/ར༻͢ΔଆͦΕͧΕʹύεΩʔରԠͷϝϦοτ͕͋Δ
• Identity Provider(IdP) : ύεΩʔʹରԠ͢Δ͜ͱͰ࿈ܞ͢ΔRPͦ
ͷԸܙΛड͚ΒΕΔ
• Relying Party(RP) : IdPʹґଘ͠ͳ͍҆શੑͱརศੑͷߴ͍ೝূํࣜ
Λར༻Մೳ
41
Slide 42
Slide 42 text
ಋೖύλʔϯ
• ϝΠϯͷೝূํࣜͱͯ͠ಋೖɺಛఆػೳΛར༻͢ΔࡍʹඞਢԽ
• Φϓγϣφϧͳೝূํࣜͱͯ͠ಋೖ
• ಋೖ͠ͳ͍͕ɺಋೖ͍ͯ͠ΔIdPͱID࿈ܞ
• OpenID ConnectͰIdPͰ࣮ࢪͨ͠ೝূํࣜͷछྨɺಛΛୡ
͢Δύϥϝʔλ͕͋Δ
42
Slide 43
Slide 43 text
ύεΩʔಋೖ࣌ͷݕ౼ࣄ߲ - ύεΩʔͷొ
• ͍ͭొΛٻΊΔ͔
• Ϣʔβʔͷ৽نొͷࡍʹཁٻʁಛఆػೳΛ͏࣌ʁҙʁ
• ొ࣌ͷೝূڧ
• ॳճݱঢ়औΓ͏ΔೝূํࣜΛཁٻ͔ͯ͠Βʁ
• 2ͭҎ߱طʹొࡁΈͷύεΩʔͰͷೝূΛٻΊΔʁ
• ೝূڧʹറΓ͕ͳ͍ͳΒͦͷ··ʁ
43
Slide 44
Slide 44 text
ύεΩʔಋೖ࣌ͷݕ౼ࣄ߲ - ϩάΠϯ
• ύεΩʔ͕ಉظ͞Ε͍ͯͳ͍ڥ
• ผͰͷύεΩʔΛར༻ʁ : “hybrid transport”
• ೝূڧΛམͱͤͳ͍ͷͰͦͷڥͰར༻ෆՄೳʁ
• ҙͷಋೖͳͷͰผͷೝূํࣜΛར༻ʁ
44
Slide 45
Slide 45 text
ύεΩʔಋೖ࣌ͷݕ౼ࣄ߲ - ࠶ೝূ
• ༗ޮظݶΕɺॏཁͳॲཧͷલʹ࠶ೝূΛඞཁͱ͢Δ͔
• ࠷ऴϩάΠϯ͔ΒҰఆظؒܦͬͨΒύεΩʔʹΑΔ࠶ೝূΛཁٻʁ
• ॏཁͳॲཧͷલʹຖճɺύεΩʔʹΑΔ࠶ೝূΛཁٻʁ
• ύεΩʔͰ࠶ೝূͨ͠ΒҰఆظؒ࠶ೝূ͕লུʁ
• ࠶ೝূ͕ඞཁͱͳΔΑ͏ͳॲཧଘࡏ͠ͳ͍͠ɺ༗ޮظݶΕͷ
߹ϩάΞτঢ়ଶͱͯ͠ѻ͏ʁ
45
Slide 46
Slide 46 text
ύεΩʔಋೖ࣌ͷݕ౼ࣄ߲ - ϦΧόϦʔ
• ύεΩʔ͕͑ͳ͍ঢ়گʹ͓͍ͯɺϢʔβʔʹԿΛཁٻ͠ɺԿΛ෮چ
͢Δ͔
• ͍߹Θ͔ͤΒͷKYCͳͲͰϢʔβʔΛ֬ೝ͠ɺ࠶ύεΩʔΛొ
ͤ͞Δʁ
• ผͷೝূํࣜΛ͍ɺύεΩʔΛ࠶ొʁ
46
Slide 47
Slide 47 text
·ͱΊ
Slide 48
Slide 48 text
·ͱΊ
• ݱঢ়ΘΕ͍ͯΔϢʔβʔೝূํࣜͰϑΟογϯάੑ͕՝
• ύεΩʔFIDO(WebAuthn)ͷϑΟογϯάੑɺϩʔΧϧೝূͷར
ศੑΛอͪͭͭɺϦΧόϦʔͷ՝Λվળͨ͠Έ
• ύεΩʔͷಋೖύλʔϯɺಋೖʹ͋ͨΓߟྀ͖͢ϙΠϯτ͕͋Δ
48
Slide 49
Slide 49 text
ҙݟɺײɺ࣭
͓͓ͪͯ͠Γ·͢ɻ