パスキーはユーザー認証を どう変えるのか？その特徴と導入における課題 @ devsumi 2023 9-C-1

Transcript

1. ύεΩʔ͸ϢʔβʔೝূΛ Ͳ͏ม͑Δͷ͔ʁ ͦͷಛ௃ͱಋೖʹ͓͚Δ՝୊ ҏ౦ ྒ(@ritou) - Developers Summit 2023ʢ2023.02.09-10ʣ

2. ҏ౦ ྒ (@ritou) • גࣜձࣾ MIXI - ΤϯδχΞ • OpenID

   ϑΝ΢ϯσʔγϣϯɾδϟύϯ - ΤόϯδΣϦετ • Digital Identityؔ࿈ͷϒϩάɺࣥචɺษڧձ… 2

3. ൃදͷ಺༰ • ͜Ε·ͰͷϢʔβʔೝূ • ύεΩʔͷಛ௃ • ύεΩʔಋೖͷϙΠϯτ 3

4. ͜Ε·ͰͷϢʔβʔೝূ

5. ύεϫʔυೝূ - Memorized Secrets • ೝূཁૉ : ஌ࣝ • ϢʔβʔɺαʔϏε͕ύεϫʔυΛڞ༗

   • Ϣʔβʔ͸هԱ͢Δ • αʔϏε͸҆શʹอଘ • Ϣʔβʔ͔ΒૹΒΕͨϢʔβʔࣝผࢠͱύεϫʔυͷ૊Έ߹ΘͤΛ αʔϏε͕ݕূ͢Δํ๏͕Ұൠత 5

6. ύεϫʔυೝূͷཁ݅ͱ࣮ঢ় • Ϣʔβʔͷཁ݅ • ύεϫʔυΛ๨Εͳ͍ • ਪଌՄೳͳύεϫʔυΛආ͚ɺෳ਺ͷαʔϏεͰ࢖͍·Θ͞ͳ͍ • ύεϫʔυΛୈ̏ऀʹڭ͑ͳ͍ •

   αʔϏεͷཁ݅ • ύεϫʔυΛ҆શʹ؅ཧ͢Δ • ֤छ߈ܸ͔ΒϢʔβʔΛอޢ͢Δ 6 ←๨ΕΔ

7. ΞΧ΢ϯτϦΧόϦʔ • ͋ΔೝূํࣜͰ “ϩάΠϯͰ͖ͳ͍” ঢ়ଶ͔Βͷճ෮ • ผͷखஈͰ౰ਓೝূ / ਎ݩ֬ೝ +

   ઃఆมߋ • ผͷೝূํࣜ : SMS͕࢖͑ͳ͍ͷͰόοΫΞοϓίʔυΛར༻ • ొ࿥࣌ͷ਎ݩ֬ೝํ๏Λར༻ : PW࠶ઃఆ༻ͷURLΛϝʔϧૹ৴ • CSܦ༝ͷKYC : ఏग़ࡁΈͷ਎෼ূ໌ॻΛར༻ 7

8. ύεϫʔυೝূͷཁ݅ͱ࣮ঢ় • Ϣʔβʔͷཁ݅ • ύεϫʔυΛ๨Εͳ͍ • ਪଌՄೳͳύεϫʔυΛආ͚ɺෳ਺ͷαʔϏεͰ࢖͍·Θ͞ͳ͍ • ύεϫʔυΛୈ̏ऀʹڭ͑ͳ͍ •

   αʔϏεͷཁ݅ • ύεϫʔυΛ҆શʹ؅ཧ͢Δ • ֤छ߈ܸ͔ΒϢʔβʔΛอޢ͢Δ 8 ਪଌՄೳͳύεϫʔυΛ ෳ਺αʔϏεͰ࢖͍ճ͢ ෮߸Մೳͳঢ়ଶͰ อଘ͍ͯͨ͠஋͕࿙Ӯ

9. ύεϫʔυϦετ/ύεϫʔυεϓϨʔ ߈ܸ • ύεϫʔυϦετ߈ܸ : ଞαʔϏε͔Β࿙ӮɺϑΟογϯάͰऔಘ͞ Εͨ”(ϝʔϧΞυϨεͳͲؚΉ)Ϣʔβʔࣝผࢠͱύεϫʔυͷ૊Έ߹ Θͤ”Λར༻ͯ͠ϩάΠϯࢼߦ • ύεϫʔυεϓϨʔ߈ܸ

   : “ϢʔβʔࣝผࢠͷϦετͱΑ͘࢖ΘΕ͍ͯ Δύεϫʔυ”ͷ૊Έ߹ΘͤͰϩάΠϯࢼߦ • ύεϫʔυҎ֎ͷೝূํࣜͱͷ૊Έ߹ΘͤʹΑΔରࡦ͕ඞཁ 9

10. TOTP - Single-Factor OTP Device • ೝূཁૉ : ॴ༗ •

    Ϣʔβʔ/αʔϏεͰൿີ伴Λڞ༗ɺ • ϞόΠϧΞϓϦͳͲ͕࣌ࠁϕʔεͰੜ੒ͨ͠OTP(RFC6238)Λར༻ • ۚ༥ػؔͳͲͰ͸ϋʔυ΢ΣΞτʔΫϯ͕ར༻͞Ε͍͕ͯͨɺ2010 ೥୅ʹGoogle͕Google Authenticatorͱͱ΋ʹ2ஈ֊ೝূΛఏڙͯ͠ ͔Βීٴ 10

11. SMS OTP - Out-of-Band Devices • ೝূཁૉ : ॴ༗ •

    SMSܦ༝ͰૹΒΕͨϫϯλΠϜύεϫʔυ(OTP)Λར༻ • αʔϏε͸ొ࿥ࡁΈͷి࿩൪߸ʹOTPΛૹ৴ • Ϣʔβʔ͸ड৴ͨ͠OTPΛαʔϏεʹૹ৴ • Ϣʔβʔͷେྔొ࿥ରࡦͱͯ͠΋࢖ΘΕ͖ͯͨɻαʔϏεଆͷૹ৴ί ετɺ஗Ԇ΍ಧ͔ͳ͍ϦεΫͱ͍͏ϦεΫ΋ແࢹͰ͖ͳ͍ɻ 11

12. Email OTP - Out-of-Band Devices • ೝূཁૉ : ॴ༗ (?)

    • Emailܦ༝ͰૹΒΕͨϫϯλΠϜύεϫʔυ(OTP)Λར༻ • αʔϏε͸ొ࿥ࡁΈͷϝʔϧΞυϨεʹOTPΛૹ৴ • Ϣʔβʔ͸ड৴ͨ͠OTPΛαʔϏεʹૹ৴ 12

13. ೝূ༻ΞϓϦ - Out-of-Band Devices • ೝূཁૉ : ॴ༗ • ೝূ༻ͷ୺຤΍ϞόΠϧΞϓϦ΁ͷϓογϡ௨஌Λར༻

    • αʔϏε͸Ϣʔβʔʹඥ͚ͮΒΕͨ୺຤/ΞϓϦʹϓογϡ௨஌ • Ϣʔβʔ͸୺຤/ΞϓϦͰϩάΠϯ͢Δ͜ͱΛڐՄ • MFAർ࿑߈ܸ(MFA fatigue attacks) ͕࿩୊ʹ 13

14. όοΫΞοϓίʔυ - Look-Up Secrets • ೝূཁૉ : ॴ༗ • ͋Β͔͡ΊϢʔβʔʹ഑෍ͨ͠୯Ұ΋͘͠͸ෳ਺ͷจࣈྻΛར༻

    • SMS͕ड৴Ͱ͖ͳ͍ • ೝূ༻ΞϓϦ͕ར༻Ͱ͖ͳ͍ • 2ཁૉ/2ஈ֊ೝূΛઃఆ͢Δࡍʹ߹Θͤͯઃఆͤ͞Δͷ͕Ұൠత 14

15. ύεϫʔυೝূͷཁ݅ͱ࣮ঢ় • Ϣʔβʔͷཁ݅ • ύεϫʔυΛ๨Εͳ͍ • ਪଌՄೳͳύεϫʔυΛආ͚ɺෳ਺ͷαʔϏεͰ࢖͍·Θ͞ͳ͍ • ύεϫʔυΛୈ̏ऀʹڭ͑ͳ͍ •

    αʔϏεͷཁ݅ • ύεϫʔυΛ҆શʹ؅ཧ͢Δ • ֤छ߈ܸ͔ΒϢʔβʔΛอޢ͢Δ 15 ←ϑΟογϯάαΠτʹ ೖྗͯ͠͠·͏

16. ϑΟογϯά߈ܸ • IPA ৘ใηΩϡϦςΟ10େڴҖ2023 ݸਓ޲͚1Ґ(2࿈೼த) • 2ஈ֊ೝূɺ2ཁૉೝূΛར༻ͯ͠΋ඃ֐ʹૺ͏Մೳੑ͕͋Δ • Adversary-in-the-MiddleʢAiTMʣ 16

    ग़య : ৘ใηΩϡϦςΟ10େڴҖ 2023ɿIPA ಠཱߦ੓๏ਓ ৘ใॲཧਪਐػߏ https://www.ipa.go.jp/security/vuln/10threats2023.html

17. Adversary-in-the- MiddleʢAiTMʣ • ϑΟογϯάαΠτ͕தؒऀͱͳ Γਖ਼نͷαʔϏεʹϩάΠϯࢼߦ • ύεϫʔυ + SMS/Email OTP

    • ύεϫʔυ + ೝূΞϓϦ • ੒ޭ͢ΔͱϩάΠϯηογϣϯࣗ ମ(Cookie/Token)ΛऔಘՄೳ ग़య : From cookie theft to BEC: Attackers use AiTM phishing sites as entry point toɹ further fi nancial fraud - Microsoft Security Blog https://xn--microsoft-921o9813a.com/en-us/security/blog/2022/07/12/from- cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/

18. Adversary-in-the-MiddleʢAiTMʣͷ࢓૊Έ 18 ग़య : From cookie theft to BEC: Attackers

    use AiTM phishing sites as entry point toɹfurther fi nancial fraud - Microsoft Security Blog https://xn--microsoft-921o9813a.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ example.com example.net

19. Adversary-in-the-MiddleʢAiTMʣͷ࢓૊Έ 19 ग़య : From cookie theft to BEC: Attackers

    use AiTM phishing sites as entry point toɹfurther fi nancial fraud - Microsoft Security Blog https://xn--microsoft-921o9813a.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ ύεϫʔυΛਖ਼ن
    αʔϏεʹૹΔ example.com example.net

20. Adversary-in-the-MiddleʢAiTMʣͷ࢓૊Έ 20 ग़య : From cookie theft to BEC: Attackers

    use AiTM phishing sites as entry point toɹfurther fi nancial fraud - Microsoft Security Blog https://xn--microsoft-921o9813a.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ ύεϫʔυΛਖ਼ن
    αʔϏεʹૹΔ 50514.4
    051
    ೖྗը໘Λදࣔ example.com example.net

21. Adversary-in-the-MiddleʢAiTMʣͷ࢓૊Έ 21 ग़య : From cookie theft to BEC: Attackers

    use AiTM phishing sites as entry point toɹfurther fi nancial fraud - Microsoft Security Blog https://xn--microsoft-921o9813a.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ ύεϫʔυΛਖ਼ن
    αʔϏεʹૹΔ 50514.4
    051
    ೖྗը໘Λදࣔ 50514.4
    051Λ
    ਖ਼نαʔϏεʹૹΔ example.com example.net

22. Adversary-in-the-MiddleʢAiTMʣͷ࢓૊Έ 22 ग़య : From cookie theft to BEC: Attackers

    use AiTM phishing sites as entry point toɹfurther fi nancial fraud - Microsoft Security Blog https://xn--microsoft-921o9813a.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ ύεϫʔυΛਖ਼ن
    αʔϏεʹૹΔ 50514.4
    051
    ೖྗը໘Λදࣔ 50514.4
    051Λ
    ਖ਼نαʔϏεʹૹΔ ϩάΠϯηογϣϯΛ
    औಘՄೳ example.com example.net

23. Ϣʔβʔ/αʔϏε͕ͱΕΔϑΟογϯάରࡦ • Ϣʔβʔ͕ύεϫʔυϚωʔδϟʔͷར༻ : ύεϫʔυ΍TOTPઃఆΛ ΦϦδϯ(υϝΠϯ)ͱඥ෇͚ͯ؅ཧ͠ɺҰக͍ͯ͠Δ΋ͷ͕ϑΥʔϜ ೖྗ࣌ʹબ୒Մೳ • αʔϏε͕WebOTPͷ࠾༻ :

    ૹ৴ͨ͠SMSϝοηʔδʹؚ·ΕΔΦϦ δϯ(υϝΠϯ)ͱOTPͷೖྗΛଅ͍ͯ͠ΔURL͕Ұக͍ͯ͠Ε͹ड৴ ͨ͠SMSʹؚ·ΕΔOTPͷ஋͕ϑΥʔϜʹࣗಈೖྗ 23

24. ύεϫʔυϚωʔδϟʔʹΑΔରࡦ 24 ग़య : From cookie theft to BEC: Attackers

    use AiTM phishing sites as entry point toɹfurther fi nancial fraud - Microsoft Security Blog https://xn--microsoft-921o9813a.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ ਖ਼نαʔϏεͷύεϫʔυ͕
    ϑΟογϯάαʔϏεʹ͸ఏҊ͞Εͳ͍ example.com example.net

25. WebOTPʹΑΔରࡦ 25 ग़య : From cookie theft to BEC: Attackers

    use AiTM phishing sites as entry point toɹfurther fi nancial fraud - Microsoft Security Blog https://xn--microsoft-921o9813a.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ ύεϫʔυΛਖ਼ن
    αʔϏεʹૹΔ 50514.4
    051
    ೖྗը໘Λදࣔ ϑΟογϯάαʔϏεʹ͸051ࣗಈೖྗ͕ߦΘΕͳ͍ example.com example.net

26. • ೝূཁૉ : ॴ༗ • ϋʔυ΢ΣΞσόΠε಺ʹ҆શʹอ࣋͞Εͨ҉߸伴Λ༻͍ͨެ։伴ೝ ূΛར༻ • ηΩϡϦςΟΩʔΛࢦ͚ͩ͢ɺ৮ΕΔ(≠ੜମೝূ)͚ͩͰར༻Մೳ •

    ύεϫʔυೝূͱ૊Έ߹Θͤͨ2ஈ֊ೝূͰͷར༻͕޿·ͬͨ 26 FIDO w/ User Presence - Single-Factor Cryptographic Device/Software

27. FIDO w/ User Veri fi cation - Multi-Factor Cryptographic Software/Device

    • ೝূཁૉ : ॴ༗ + ஌ࣝ/ੜମ • ϋʔυ΢ΣΞσόΠε಺ʹ҆શʹอ࣋͞Εͨ҉߸伴Λ༻͍ͨެ։伴ೝ ূ ͱ ϩοΫղআͳͲͰ࢖ΘΕΔϩʔΧϧೝূ ͷ૊Έ߹Θͤ • ηΩϡϦςΟΩʔ + PIN • εϚʔτϑΥϯ / PC + ը໘ϩοΫղআ 27

28. FIDOͷϑΟογϯά଱ੑ • WebAuthn : WebΞϓϦέʔγϣϯͰFIDOΛར༻͢ΔͨΊͷϒϥ΢ βAPI • ར༻αʔϏε͸ࣗ਎ͷΦϦδϯ(υϝΠϯ)Λࢦఆ • ϒϥ΢β͸ͦͷ஋Λݕূͯ͠ෆҰகͷ৔߹͸ೝূෆՄೳ

    • ϑΟογϯάαΠτͱਖ਼نαʔϏε͕γεςϜతʹ۠ผ͞ΕΔ 28

29. FIDOͷϑΟογϯά଱ੑ 29 ग़య : From cookie theft to BEC: Attackers

    use AiTM phishing sites as entry point toɹfurther fi nancial fraud - Microsoft Security Blog https://xn--microsoft-921o9813a.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ ύεϫʔυΛਖ਼ن
    αʔϏεʹૹΔ '*%0ʹΑΔ
    ௥ՃೝূΛཁٻ example.net example.com

30. FIDOͷϑΟογϯά଱ੑ 30 ग़య : From cookie theft to BEC: Attackers

    use AiTM phishing sites as entry point toɹfurther fi nancial fraud - Microsoft Security Blog https://xn--microsoft-921o9813a.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further- fi nancial-fraud/ ύεϫʔυΛਖ਼ن
    αʔϏεʹૹΔ '*%0ʹΑΔ
    ௥ՃೝূΛཁٻ example.net ϑΟογϯάαΠτʹਖ਼نαʔϏεͷೝূ৘ใ͸ૹΒΕͳ͍ example.com

31. FIDOͷ՝୊ • 伴؅ཧͷݎ࿚ੑΏ͑ͷϦΧόϦʔࠔ೉໰୊ • Authenticator(ηΩϡϦςΟΩʔɺରԠ୺຤)͕յΕͨɺແͨ͘͠ɺ ങ͍ସ͑ͨ৔߹ʹอଘ͞Ε͍ͯΔ҉߸伴͕ར༻Ͱ͖ͳ͘ͳΓɺશͯ ͷαʔϏεͰ࠶ొ࿥͕ඞཁ • όοΫΞοϓ •

    ೝূڧ౓Λམͱͣ͞ɺϑΟογϯά଱ੑΛอͭʹ͸ෳ਺ͷ Authenticatorͷొ࿥͕ඞཁ 31

32. ύεΩʔͷಛ௃

33. ύεΩʔ : FIDO multi-device credentials • 伴؅ཧΛσόΠε͔ΒϢʔβʔʹ • ϓϥοτϑΥʔϜϢʔβʔͱඥ෇͚ :

    Apple, Google, MS Account • ύεϫʔυϚωʔδϟʔ : 1Password(༧ఆ) • ͜Ε·ͰͷFIDOʹ͋ͬͨ伴؅ཧͷݎ࿚ੑ͸ࣦΘΕΔ͕ɺόοΫΞο ϓΛՄೳʹ͢Δ͜ͱͰ “ϑΟογϯά଱ੑΛ࣋ͪརศੑͷߴ͍ೝূํ ࣜ” ͱͯ͠ීٴΛૂ͏ 33

34. ύεΩʔͷڍಈ : https://webauthn.io 34 • ύεΩʔͷొ࿥(ੜ੒) : ֬ೝը໘ -> ϩʔΧϧೝূ(ੜମ/PIN)

    ϩʔΧϧೝূ
    ੜମ
    1*/
    ύλʔϯ

35. ύεΩʔͷڍಈ : https://webauthn.io 35 • ύεΩʔͰϩάΠϯ : ύεΩʔબ୒ը໘ -> ϩʔΧϧೝূ(ੜମ/PIN)

    ϩʔΧϧೝূ
    ੜମ
    1*/
    ύλʔϯ ผ୺຤͔Β΋
    ಉ༷ʹར༻Մೳ
    

36. ରԠ؀ڥ • “ύεΩʔରԠ؀ڥ” ≠ “FIDO multi-device credentials” ʹ஫ҙ͕ඞཁ • ϓϥοτϑΥʔϜɺ୺຤ɺϒϥ΢βͷ૊Έ߹ΘͤͰڍಈ͕ܾ·Δ

    • ύεΩʔ͕ಉظ͞ΕΔ΋ͷ : Safari on MacOS/iOS/iPadOS, Android + Chrome/Firefox • ύεΩʔ͕ಉظ͞Εͳ͍΋ͷ : Chrome on MacOS… 36

37. “hybrid” transport • “ผ୺຤ͷύεΩʔΛར༻ͯ͠ϩάΠϯ” ͕ՄೳʹͳΔ࢓૊Έ • QRίʔυ + BLE Ͱ઀ଓͨ͠୺຤ͷύεΩʔΛར༻Մೳ

    37

38. Conditional UI / Auto fi ll • Ϣʔβʔ໊/ϝʔϧΞυϨεೖྗϑΥʔϜʹར༻ՄೳͳύεΩʔ͕දࣔ ͞Εɺબ୒͢ΔͱύεΩʔͷೝূ͕࢝·Δ •

    طଘͷೝূํࣜͷUI͔Βͷ ”γϣʔτΧοτ” ͕Մೳ 38

39. ύεΩʔಋೖͷϙΠϯτ

40. ύεΩʔಋೖʹΑΓ࣮ݱ͍ͨ͜͠ͱ • શମ/ಛఆϢʔβʔͷ҆શੑ޲্ʁ • ඞཁͳೝূڧ౓ɺରԠ؀ڥΛࡉ͔͘ҙࣝ͢Δඞཁ͋Γ • ೚ҙͰͷϑΟογϯά଱ੑͱརศੑ޲্ʁ • γϯϓϧʹೝূํࣜΛ”૿΍͢”ײ֮ 40

41. ID࿈ܞͱͷؔ܎ • ID࿈ܞΛఏڙ/ར༻͢ΔଆͦΕͧΕʹύεΩʔରԠͷϝϦοτ͕͋Δ • Identity Provider(IdP) : ύεΩʔʹରԠ͢Δ͜ͱͰ࿈ܞ͢ΔRP΋ͦ ͷԸܙΛड͚ΒΕΔ •

    Relying Party(RP) : IdPʹґଘ͠ͳ͍҆શੑͱརศੑͷߴ͍ೝূํࣜ Λར༻Մೳ 41

42. ಋೖύλʔϯ • ϝΠϯͷೝূํࣜͱͯ͠ಋೖɺಛఆػೳΛར༻͢ΔࡍʹඞਢԽ • Φϓγϣφϧͳೝূํࣜͱͯ͠ಋೖ • ௚઀ಋೖ͸͠ͳ͍͕ɺಋೖ͍ͯ͠ΔIdPͱID࿈ܞ • OpenID ConnectͰ͸IdPͰ࣮ࢪͨ͠ೝূํࣜͷछྨɺಛ௃Λ఻ୡ

    ͢Δύϥϝʔλ͕͋Δ 42

43. ύεΩʔಋೖ࣌ͷݕ౼ࣄ߲ - ύεΩʔͷొ࿥ • ͍ͭొ࿥ΛٻΊΔ͔ • Ϣʔβʔͷ৽نొ࿥ͷࡍʹཁٻʁಛఆػೳΛ࢖͏࣌ʁ೚ҙʁ • ొ࿥࣌ͷೝূڧ౓ •

    ॳճ͸ݱঢ়औΓ͏ΔೝূํࣜΛཁٻ͔ͯ͠Βʁ • 2ͭ໨Ҏ߱͸طʹొ࿥ࡁΈͷύεΩʔͰͷೝূΛٻΊΔʁ • ೝূڧ౓ʹറΓ͕ͳ͍ͳΒͦͷ··ʁ 43

44. ύεΩʔಋೖ࣌ͷݕ౼ࣄ߲ - ϩάΠϯ • ύεΩʔ͕ಉظ͞Ε͍ͯͳ͍؀ڥ • ผ୺຤ͰͷύεΩʔΛར༻ʁ : “hybrid transport”

    • ೝূڧ౓Λམͱͤͳ͍ͷͰͦͷ؀ڥͰ͸ར༻ෆՄೳʁ • ೚ҙͷಋೖͳͷͰผͷೝূํࣜΛར༻ʁ 44

45. ύεΩʔಋೖ࣌ͷݕ౼ࣄ߲ - ࠶ೝূ • ༗ޮظݶ੾Εɺॏཁͳॲཧͷલʹ࠶ೝূΛඞཁͱ͢Δ͔ • ࠷ऴϩάΠϯ͔ΒҰఆظؒܦͬͨΒύεΩʔʹΑΔ࠶ೝূΛཁٻʁ • ॏཁͳॲཧͷલʹ͸ຖճɺύεΩʔʹΑΔ࠶ೝূΛཁٻʁ •

    ύεΩʔͰ࠶ೝূͨ͠ΒҰఆظؒ͸࠶ೝূ͕লུʁ • ࠶ೝূ͕ඞཁͱͳΔΑ͏ͳॲཧ͸ଘࡏ͠ͳ͍͠ɺ༗ޮظݶ੾Εͷ৔ ߹͸ϩάΞ΢τঢ়ଶͱͯ͠ѻ͏ʁ 45

46. ύεΩʔಋೖ࣌ͷݕ౼ࣄ߲ - ϦΧόϦʔ • ύεΩʔ͕࢖͑ͳ͍ঢ়گʹ͓͍ͯɺϢʔβʔʹԿΛཁٻ͠ɺԿΛ෮چ ͢Δ͔ • ໰͍߹Θ͔ͤΒͷKYCͳͲͰϢʔβʔΛ֬ೝ͠ɺ࠶౓ύεΩʔΛొ ࿥ͤ͞Δʁ •

    ผͷೝূํࣜΛ࢖͍ɺύεΩʔΛ࠶౓ొ࿥ʁ 46

47. ·ͱΊ

48. ·ͱΊ • ݱঢ়࢖ΘΕ͍ͯΔϢʔβʔೝূํࣜͰ͸ϑΟογϯά଱ੑ͕՝୊ • ύεΩʔ͸FIDO(WebAuthn)ͷϑΟογϯά଱ੑɺϩʔΧϧೝূͷར ศੑΛอͪͭͭɺϦΧόϦʔͷ՝୊Λվળͨ͠࢓૊Έ • ύεΩʔͷಋೖύλʔϯɺಋೖʹ͋ͨΓߟྀ͢΂͖ϙΠϯτ͕͋Δ 48

49. ׬ ҙݟɺײ૝ɺ࣭໰ ͓଴͓ͪͯ͠Γ·͢ɻ