探討不同行動支付身分認證機制之可行性

Abstract

本研究欲探討不同行動身分認證機制在臺灣應用之可行性。由於行動支付不論是概念的推廣或是服務的普及在臺灣都還算是剛起步的創新階段，因此理論基礎採用創新擴散理論，並透過質性研究的訪談方法，以α銀行與使用者做為研究對象，了解兩個族群的對於密碼辨識、裝置辨識及生物辨識三種不同身分認證機制的認知與看法。 過去對於行動支付資訊安全的相關研究大多數都是透過主觀安全(使用者所認知的安全程度)來討論，較少由客觀安全(明確而具體的技術特性)來進行。此外，過往文獻也少有針對身分認證機制來進行可行性分析。因此本研究透過身分認證機制的技術特性，來了解使用者對於行動支付的資訊安全認知程度。即藉由客觀安全的角度做為出發點，對主觀安全進行討論。 研究結果發現，以銀行的角度來看，密碼辨識是目前最可行的方式，但在裝置普及率夠高的情況下，裝置辨識的服務應用會逐漸推出。生物辨識則是受限於技術成熟度及特徵資料蒐集的問題，目前可行性並不高。然而使用者對於身分認證機制的採用意願最高的是生物辨識，其次是裝置辨識，最後才是密碼辨識。此外，本研究也發現安全性、便利性是使用者相當重要的考慮因素，因此行動支付服務供應商在身分認證機制的選用上，除了提供足夠的安全性，也要顧慮使用者的使用體驗。

The aim of this research is to evaluate the feasibility of different mobile payment authentication mechanisms in Taiwan. Viewing these authentication mechanisms as a form of innovation, this research adopts innovation diffusion theory, and carries out a qualitative case study in a local bank and users in Taiwan. In particular, we focus on the perception of bank managers and potential users about three types of mechanisms, including password, device authentication, and biometric. Our literature review shows that most prior researches on information security of mobile payment were based on the subjective security, and very few studies evaluate the aspect of objective security. Subjective security is defined as the degree of the perceived security from the viewpoint of the customer, while objective security is a concrete technical characteristic. Additionally, only limited studies were available on the feasibility evaluation of authentication mechanisms. Hence, this research tries to understand the degree of perceived information security of mobile payment of users through the technical characteristic of authentication mechanisms. The empirical results indicate that in the opinion of α bank, password is the most used mechanism. Because of the limitation of technical maturity and data collection, our findings show that biometric is not feasible at present. However, we found that biometric got the highest users’ intension to adopt authentication mechanisms, second one is device authentication, and password is the last. Moreover, we also noticed that users were quite concerned about safety and convenience. As a result, while choosing authentication mechanisms, mobile payment service providers not only offer adequate safety but also need to consider user experiences.