| Record ID | U0002-0207202515325200 |
|---|---|
| DOI | 10.6846/tku202500471 |
| Thesis title (Chinese) | 應用於金融領域之結合多因素與區塊鏈去中心化身份驗證系統設計 |
| Thesis title (English) | Design and Implementation of a Decentralized Identity Authentication System Combining Multi-factor Authentication and Blockchain Technology for Financial Applications |
| Thesis title (third language) | |
| University | Tamkang University |
| Department (Chinese) | 資訊工程學系碩士在職專班 |
| Department (English) | Department of Computer Science and Information Engineering |
| Foreign degree: university | |
| Foreign degree: college | |
| Foreign degree: institute | |
| Academic year | 113 (ROC calendar) |
| Semester | 2 |
| Year of publication | 114 (ROC calendar) |
| Author (Chinese) | 周冠志 |
| Author (English) | KUAN-CHIH CHOU |
| Student ID | 711410034 |
| Degree | Master |
| Language | Traditional Chinese |
| Second language | |
| Oral defense date | 2025-06-14 |
| Page count | 47 pages |
| Oral examination committee | Committee member: 蒯思齊 (sckuai@ntub.edu.tw); Advisor: 張峯誠 (135170@mail.tku.edu.tw); Co-advisor: 張志勇 (cychang@mail.tku.edu.tw) |
| Keywords (Chinese) | 身分驗證; 去中心化; 智能合約 |
| Keywords (English) | Authentication; Decentralization; Smart Contract |
| Keywords (third language) | |
| Subject classification | |
| Abstract (Chinese, translated to English) | Today, as digital financial services spread rapidly, traditional identity authentication mechanisms face increasingly severe security challenges, including phishing, replay attacks, man-in-the-middle attacks and biometric spoofing. Conventional two-factor authentication, a username and password combined with an SMS OTP, can no longer effectively defend against highly sophisticated attack techniques, nor can it reconcile user privacy with data verifiability. This study demonstrates the feasibility of implementing decentralized identity authentication under a zero-trust architecture and proposes a decentralized multi-factor authentication system that integrates blockchain technology, credential management and zero-knowledge proofs to realize an authentication architecture with improved security, traceability and privacy protection. The system design comprises five core verification modules, paired with Redis for verification state control and caching, to improve the efficiency and consistency of the overall verification flow and to ensure that identity data is tamper-proof. It also integrates three technologies, OTP, liveness detection and facial comparison, and uses Verifiable Credentials to build a credential management and revocation mechanism. |
| Abstract (English) | In today's era of rapidly expanding digital financial services, traditional identity authentication mechanisms face increasingly severe security challenges, including phishing, replay attacks, man-in-the-middle attacks, and biometric spoofing. The conventional two-factor authentication method, combining username/password with SMS-based OTP, can no longer effectively defend against sophisticated attack methods, nor can it adequately ensure both user privacy and data verifiability. This study demonstrates the practical feasibility of decentralized identity authentication under a zero-trust architecture. It proposes a decentralized multi-factor authentication system that integrates blockchain technology, credential management, and zero-knowledge proof techniques to build an authentication framework that enhances security, traceability, and privacy protection. The system is designed with five core authentication modules and employs Redis for verification state control and caching, thereby improving the overall efficiency and consistency of the authentication process while ensuring the immutability of identity data. Additionally, it integrates OTP, liveness detection, and facial recognition technologies, and adopts Verifiable Credentials for credential issuance and revocation management. |
| Abstract (third language) | |
| Table of contents | Acknowledgements (I); Abstract (II); ABSTRACT (III); Contents (IV); Chapter 1 Introduction (1): 1.1 Research background (1); 1.2 Research motivation (2); 1.3 Research objectives (3); 1.4 Thesis organization (4). Chapter 2 Literature review (5): 2.1 Evolution of identity authentication (5); 2.2 Blockchain in MFA (8); 2.3 Verifiable Credentials (VC) (11); 2.4 Zero-Knowledge Proof (ZKP) (13). Chapter 3 Research method (17): 3.1 Registration flow design (18); 3.2 Overview of the authentication flow (19); 3.3 Design of the per-stage authentication modules (20); 3.3.1 Username/password authentication module (20); 3.3.2 OTP verification and key derivation module (21); 3.3.3 Liveness-detection challenge module (22); 3.3.4 Facial recognition module (23); 3.3.5 Verifiable Credential (VC) module (23); 3.3.6 VC on-chain recording and query module (24); 3.4 Zero-knowledge (ZK) proof verification module (25); 3.5 Verification state and flow control design (26). Chapter 4 System security analysis (29): 4.1 Credential stuffing attack (29); 4.2 Man-in-the-middle (MITM) attack (30); 4.3 Replay attack (30); 4.4 Impersonation attack (31); 4.5 Credential forgery and abuse (31); 4.6 Real-time phishing attack (32); 4.7 User anonymity and untraceability (32); 4.8 Summary (33). Chapter 5 Conclusion and future work (34): 5.1 Conclusion (34); 5.2 Future work (35). References (37). List of figures (VI): Fig. 2.1 Verifiable Credential (VC) workflow (12); Fig. 2.2 ZKP proof flow (14); Fig. 3.1 Registration flow (19); Fig. 3.2 Authentication flow (20); Fig. 3.3 Verification state and flow control design (28). List of tables (VII): Table 2.1 Classification of authentication factors (5) |
| Full-text access permissions | |