1) LINE is replacing existing biometric authentication with FIDO2 authentication in their mobile payment app LINE Pay to enhance security following payment fraud incidents. 2) They plan to expand FIDO integration to more LINE platforms and countries starting with the iOS version of LINE Pay in Japan. 3) LINE has developed their own FIDO authenticator called LINE iOS FIDO2 Combo which leverages the iPhone's Touch ID/Face ID and provides attestation through a trusted security module and whitebox abstraction layer.

1. A First Step to a World without Passwords
Ki-Eun Shin
Presented at FIDO Authentication Seminar – Seoul (2019)

3. 4 major regions

4. 4
1. Why FIDO matters to us?

6. Image source: Jose Luis Pelaez/Getty Images

7. Business Expansion to Fintech Era

8. 8
2. LINE Pay Integration

9. Register credit cards or charge money for payment (wallet-less) or money transfer
Compliance with PCI DSS and ISO/IEC27001
Payments are completed with passcode or biometrics
1.
2.
3.

10. • To enhance security, we have decided to replace existing biometric authentications
with FIDO2 authentication
• Recently, there were security breaches in JP (Mobile payment fraud)
• First release target: LINE Pay Standalone iOS App for JP
• Plan to expand FIDO integration to more platforms (Pay Android Standalone App,
Pay in LINE app or Web) and other countries
Motivations
LINE Pay Standalone App
(Old version)
LINE Pay Standalone App
(After v1.4.0)
Re-registration
(migration)

11. High-Level Architecture
LINE Pay iOS App
(TALARIA)
LINE Pay RP Server
(for JP)
LINE Pay Central Server
LINE FIDO2 Server
(for JP Pay)
Passcode authentication
(or old biometric authentication)
FIDOOperations FIDOOperations
LINE iOS FIDO2Combo
Authentication management
LINE FIDO2 Server
(forTW Pay)
LINE Pay RP Server
(forTW)
FIDOOperations
Future works

12. Registration Flows
Migration (App update) New users
• Passcode (6 digit numbers) is a primary authentication method

13. Authentication Flows
• Explicit authentication flows vary depending on the context
User scans the QR code for payments and confirms the transaction

14. FIDO Operations Options (LINE Pay)
• Use cases and requirements
• Step-up authentication (or Transaction confirmation): passcode-less
• Biometric authentication (as of now)
• Strong assurance for authenticators
• Authenticator attachment: platform
• User verification requirement: required
Authenticator Selection Criteria
• direct
Attestation Conveyance Preference
• required
User Verification Requirement
• Non-empty (at least one entry)
Allow Credentials
Registration (Create) options Authentication (Get) options

15. • Authentication or related policies
• Supported platforms
• Support Native app only? both for iOS and Android?
• Target web use cases as well?
• Use cases for leveraging security keys
• Just support for platform attached authenticators?
• Strong assurance for authenticators
• Choice for FIDO protocols
• Support all FIDO specifications?
• Or FIDO2 (WebAuthn) or UAF only?
Integration Considerations (Check points)

16. 16
3. LINE FIDO Platform

17. LINE iOS FIDO2 Combo
RP App (View)
LINE iOS FIDO2Combo
(FIDO2 Client,Authenticator Logics)
LTSM
(LINETrusted Security Module)
WAL
(WhiteBox Abstraction Layer)
KAL
(KeyChain Abstraction Layer)
• Leverages Touch ID or Face ID
• Provides Whitebox based attestation (packed attestation format)

18. Security of LINE iOS Authenticator (FIDO2 Combo)
• Private key is stored on the client side
• The private key is stored in Secure Enclave
• The private key is bound to the user verification methods (Touch ID or Face ID)
• Provide basic attestation
• The attestation private key is shipped in the LTSM (based on WBC)
• The attestation certificate is chained to the LINE attestation root certificate
• Less-secure than hardware-backed attestation (better than self or none)

19. FIDO Universal Server
• We have been preparing for FIDO Universal Server to cover more devices and uses
cases

20. FIDO Servers Delivery Types
• On-premise
• We have a plan to deliver our servers by delivering the codes (or binary) to RPs
• LINE Banks and LINE family financial related services (regulation issue)
• We are going to keep maintaining the software and deliver them
• AaaS (Authentication-as-a-Service)
• We host the authentication server (FIDO servers) for RPs instead
• LINE messaging app related services will use this type of approach
• FIDO server can manage different RPs with dedicated RP ID
• We also have admin console for managing RP and authenticators’ metadata

21. 21
4. What’s next?

22. Possible Use Cases
LINE
Desktop app
3rd Mobile apps 3rd Party IoTs
Mobile app
LINE Pay
Clova
LINE Family apps
AI speaker
Connected car
LINE Music
(3) Social Login (2SV)
AuthN provider
(1) Login
(4)Transaction Confirm
(5) Access Control
LINE Login
(2) Single sign on (2SV)
(5) Access Control
3rd Web apps
Web app
LINE
Messenger app
LINE Family webs
LINE Store
(2) Single sign on (2SV)
(3) Social Login (2SV)
LINE Securities
(2) Single sign on (2SV)
LINE Financial services

23. Our Timeline
~4Q, 2019
LINE Login Integration
4Q, 2018
FIDO universal server certification
2020
LINE Banks and Financial services Integration3Q, 2019
LINE Pay integration
2021
LINE all services integration
~4Q, 2019
LINE Pay
(more county)

24. • Contribute FIDO and W3C WebAuthn Standards
• Share our experiences and Know-Hows
• Develop more use cases and accelerate FIDO adoptions
• Collaborate with
• Platform/browser vendors
• Authenticator vendors
• Identity providers
Our Plan