For decades in information security, passwords have been a major security headache. We’re all familiar with the problems with passwords: they’re difficult to manage, we’ve got hundreds to remember, and they are too easily cracked by cybercriminals.
So, in July 2012, six technology providers (Nok Nok Labs, PayPal, Lenovo, Validity Sensors, Infineon and Agnito) came together to work on a new authentication standard designed to finally solve the problem of easily compromised passwords, once and for all.
Together, they built FIDO, the Fast Identity Online authentication standard. This protocol was designed to improve interoperability between systems, enhance the security of authentication on endpoint devices, and reduce the friction users face when proving their identity.
Since then, the FIDO Alliance has been joined by dozens of global leading tech companies including Apple, Google, Microsoft, and Amazon. It has become the industry standard for building passwordless authentication technologies, paving the way toward a truly passwordless future.
To discuss the FIDO authentication standard and the benefits it can provide, we spoke to one of FIDO’s founding fathers: Phil Dunkelberger, President and CEO of Nok Nok Labs.
Dunkelberger has over 30 years of experience in the IT space, including eight years as co-founder and CEO of PGP Corporation. He has held senior management positions with Symantec, Apple Computer and Xerox Corporation, is a founding board member of the Cyber Security Industry Alliance (CSIA) and is Chairman Emeritus of TechAmerica’s CxO Council.
Who are Nok Nok Labs, and what challenges did you set out to solve?
Everything on the internet authenticates, but the idea that there should be universal authentication had really broken down.
Certain systems were using usernames and passwords, others used hardware tokens; there was no universal way for authentication to move forward, and because of that, we ended up with a Tower of Babel.
One of the problems in authentication—historically—has been distributing the endpoints. So, what we built was an endpoint standard.
We set out to build a standard plug and play capability for the different ways authentication works on any endpoint, whether it’s a tablet, a phone, a laptop—anything humans and terminals interface with.
Our drivers were usability and security, as well as meeting regulatory requirements and reducing cost. Those drivers took the form of a standard called FIDO: Fast Identity Online.
Who are Nok Nok Security’s target markets, and what solutions do you provide?
The two big markets that we’re in are mobile network operators and telcos—they’re the backbone of supplying authentication to the internet; without those big corporations and companies, we would not have things like global roaming—and then banks and FinTechs.
The solutions we provide are a replacement of usernames and passwords with what is now known as passwordless, frictionless authentication. Death to the password, right?
That includes everything from how we onboard people in a passwordless environment, to how we federate your identity once you’ve logged in, so you’re not having to re-log in over and over again to your bank, or your phone company. And then ultimately, the vision was to build ecosystems.
All of these large organizations have their own ecosystems, where you can federate access across all of those. So, once I’m logged in, why can’t I make a plane reservation, a car reservation, a hotel reservation, and even a dinner reservation, without having four or five different systems, when I’m the same person?
And that’s what we’ve built. The FIDO Alliance that we set up has had over 400 members contribute to the technology stack. And that’s why it’s a global standard, recommended by many of the standards bodies, to replace logins like the username and password.
When we talk about FIDO’s passwordless authentication, what does that look like in practice? What technologies are replacing the password?
The technologies most closely associated with passwordless authentication are biometrics, but that’s just one strand. Different usability, cultural imperatives and design imperatives require different things.
Because FIDO replaces the back-end attack surface of passwords, it gives you a good idea of who is authenticating in a really strong signaling environment. I call them assurance signals. We’ve focused way too much time on risk signals in the environment; we need to start looking at assurance signals.
So, I can tell you what fingerprint you logged in with, or where a selfie was taken, if you took a selfie for facial login, as an example. Because there is no big database of passwords or biometrics kept by the relying party on the back end, you now have flexibility—they’re authenticating you to the device, and the device is talking to the back end.
It’s a much easier, more secure way to authenticate. And you can adapt whatever is best for your users, especially in the consumer space, where you don’t control their devices, their apps, or even their cultural imperative around the world or where they’re logging in.
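The model Dunkelberger describes, as an added example that is not code from Nok Nok Labs or the FIDO specifications: the relying party keeps only a public key per credential, the device keeps the private key (unlocked locally by a gesture such as a fingerprint) and signs a single-use challenge bound to the relying party's identifier. The names Authenticator, RelyingParty, the "bank.example" identifier and the credential ID are assumptions, and the signed-data layout is a simplification of the real FIDO/WebAuthn message formats.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator models the user's device; the private key never leaves it.
type Authenticator struct{ priv *ecdsa.PrivateKey }

// RelyingParty models the back end: it keeps only public keys, nothing replayable as a login.
type RelyingParty struct {
	ID   string                      // hypothetical RP identifier, e.g. "bank.example"
	Keys map[string]*ecdsa.PublicKey // credential ID -> public key
}

// Register: the device creates a P-256 key pair for this RP and hands over only the public half.
func (a *Authenticator) Register(rp *RelyingParty, credID string) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	a.priv, rp.Keys[credID] = priv, &priv.PublicKey
	return nil
}

// Challenge issues a fresh 32-byte nonce so every assertion is single-use.
func (rp *RelyingParty) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// signedData binds the challenge to the RP ID, so an assertion for one site is useless at another.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(rpID+"|"), challenge...))
	return h[:]
}

// Sign is the device-side authentication step; Verify is the back-end check.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, a.priv, signedData(rpID, challenge))
}
func (rp *RelyingParty) Verify(credID string, challenge, sig []byte) bool {
	pub, ok := rp.Keys[credID]
	return ok && ecdsa.VerifyASN1(pub, signedData(rp.ID, challenge), sig)
}
```

Because the back end holds no secret that could be replayed, a dump of its Keys table lets nobody log in, and an assertion signed for a different RP ID or an old challenge fails verification.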
These technologies have been around for a while now, but we still see people continuing to rely on weak and insecure passwords. How can we do more as an industry to increase adoption of passwordless auth?
One, I think it’s a shift of cultural behavior. And two, I think it’s also incumbent on people to start thinking differently about the endpoint and endpoint device security. It’s a design issue, and it’s an education issue.
I think that we have to take into consideration that it took a long time to get people even used to using passwords. And then we went through this whole period of training them to change their passwords to make them long and non-memorable and make them harder to use.
You now see the regulator saying, “We can’t keep using passwords. We can’t even be using SMS OTP because it is unusable and broken.” So, how do we change this? Just when we’re getting people used to SMS OTP, which is not secure and not really usable, how do we now—again—transform?
You’re also now changing user behavior. And when you change user behavior, you run into cultural imperatives.
We found that the first places that accepted biometrics on a large scale were in Japan and Pan Asia. They had been using biometrics for years on their devices and they understood there are both capabilities and limitations. Catching on has come much more slowly in EMEA and the United States. And so, you’ve got those kinds of things that the industry has got to deal with.
In your view, why has FIDO in particular had such success, and become the industry standard?
I think FIDO has become a success because it isn’t one proprietary technology. We extended what was there; there was no rip and replace. FIDO works as a veneer over existing systems.
It supports a lot of the things that people want to fix. It makes it easier for devices to use, it gives the developer choices. It allows you to bring in different cultural imperatives, you’re not stuck to one way of doing things as we’ve done in the past.
It reduces costs dramatically. The cost structure to be able to deploy biometrics has gone down dramatically with the FIDO interconnection capability. And ultimately, it opens up a lot of new apps.
We’ve seen a lot of companies that we publish data on, that are not only saving money, but they’re also increasing revenue, because it’s a lot easier to use the applications.
That’s why I think so many people who are competitive with each other are adopting it. You’ll see Microsoft, Google and Apple—who tend not to agree on things—agreeing that this is a good way to go. You see big infrastructure players agreeing it’s a big way to go. You see all the chip manufacturers, by and large, bringing it in.
But ultimately, it comes down to this whole digital transformation movement, which is about better usability, better security, and ultimately better confidence in your users and your systems.
What do you think is the biggest security risk that we should be talking about more as an industry?
I think it’s two things. Security has really moved up the stack in the last ten or fifteen years, but the fact that we’re still not encrypting the data source, and with the threat of the new quantum encryption coming, we still aren’t doing a great job of protecting data.
The second piece is that identity and access management has to be rethought. It’s a cultural change, as we move more and more toward thinking of infrastructure as software-defined networks, for example, instead of as hardware.
We’ve got to really start thinking of security as data security and user security. If we don’t, we’re going to be in this endless loop of attack and defend, because we’re still playing with the same architecture we’ve used for the last thirty years.
And I would close with this. Ultimately, the reason we move things forward is innovation. We’ve got to continually be innovative, not just playing whack-a-mole in the security space.
You can learn more about Nok Nok Labs here.