
Passwordless authentication becomes a reality, really

November 13, 2020 Nok Nok News FIDO Alliance, FIDO2, Industry News

Passwordless authentication has finally come of age. The final piece of the puzzle is Apple's support of the various FIDO2 standards, including adding the WebAuthn protocols to Safari running on iOS v14 devices. These protocols are useful because web application servers can integrate with strong authenticators already built into devices, such as Apple Touch ID/Face ID, Android and Windows Hello. This means that these servers can authenticate the user without directly receiving any private keys or any shared secrets. One of the largest MNOs, NTT DOCOMO in Japan, already deploys actual passwordless apps.

Before Apple’s implementation, there was ubiquitous support for FIDO across native mobile applications on Android and iOS devices, but not for browser applications. Microsoft, Google and Mozilla (Firefox) added FIDO support for browsers but, without support in Safari, there was a gap on the way to passwordless. Many organizations were waiting to see if Apple would jump on the bandwagon.

Why is this particular Apple implementation important? There are several reasons. First, biometrics are now used by more people and found in more phones than ever before. Duo reports in a 2019 survey that 77% of smartphones have biometrics configured. Next, before FIDO2 you had to combine device firmware with specific software and an app that was written for this task. Now you have a standards-based approach that will work with any of the major browsers in any context. It also means that finally we can ditch the one-time password apps on our smartphones (such as Authy, LastPass and the Google and Microsoft Authenticators) and our hardware OTP tokens, and just use the phones themselves as authentication devices. Finally, this makes FIDO passwordless logins the most secure mechanism of authentication and also the easiest to use. We no longer have to ask users to trade off usability with security: they can have both.

Certainly, there have been other passwordless applications outside of the FIDO effort, as mentioned in this piece in CSOonline. But all of these share common drawbacks: they are vendor-specific, they require special code to integrate with their authentication servers, they make use of existing authentication smartphone apps or they haven’t been tested at the scale that can be used by global enterprises. Speaking of which, FIDO implementations are being used today by millions of users, and they also save time and frustration. Intuit found that their FIDO-enabled mobile app had three major benefits: it cut down on phishing attempts, reduced by 20% the login times for users, and improved by 6% the number of successful logins. They are working on integrating FIDO into their websites’ logins.

Passwords are painful, no doubt. We have too many of them to easily remember, and a number of multi-factor solutions have usability compromises that require a security expert to explain and deploy. It is time to take advantage of FIDO, and it is timely that we now have Apple's support for WebAuthn. This could well be a watershed event for mobile ecommerce, creating a big incentive to use your smartphone for online purchases. No more having to download an app to buy from an online storefront when you can just use your browser on iOS, Android, or Windows. You have a simple login and you can get better security than you had before.


S3 Suite FIDO2 Certified

September 26, 2018 Nok Nok News FIDO2, Press Release, S3 Authentication Suite

Nok Nok’s S3 Suite is FIDO2 Certified: Next-Generation Authentication Platform Now Includes FIDO2 Certification

Nok Nok, the leader in next-generation authentication and a founder of the FIDO (Fast IDentity Online) Alliance, today announced its award-winning Nok Nok™ S3 Authentication Suite (Nok Nok™ S3 Suite) has been FIDO2 certified by the FIDO Alliance. The Nok Nok™ S3 Authentication Server is the first FIDO universal server certified for all FIDO protocols (UAF, U2F and FIDO2). The FIDO2 certification of the Nok Nok solution will provide enterprises the ability to quickly integrate standards-based, strong authentication solutions into their existing security environments, allowing companies to bring their customers and end users the benefits of easy to use, frictionless authentication regardless of the application, the platform, or authenticator – biometric, token or wearable.
 
In addition, for developers interested in quickly deploying and maintaining FIDO authentication within their environment, Nok Nok Labs has rolled out the Nok Nok™ S3 Authentication SDK. This new Nok Nok solution enables developers to deploy, maintain and monitor their own server infrastructure. With the introduction of the Nok Nok Labs Developer Program, developers can quickly learn how to implement FIDO and Web Authentication (WebAuthn) standards in existing applications and mobile devices to meet multi-factor authentication requirements that reduce and eliminate reliance on the use of passwords and legacy one-time password (OTP) tokens for authentication.
 
“Every day there is news of a new phishing or other scalable attack, caused by the use of weak and stolen passwords,” said Phillip Dunkelberger, CEO & President of Nok Nok Labs. “Our breadth of experience as the most broadly deployed FIDO-based platform puts us in a unique position to deliver phishing-resistant, privacy-conscious authentication in a passwordless user experience. We look forward to bringing these solutions and benefits to our customers and partners as we deliver on our vision of fixing the security and ease of use flaws on the internet.”
 
More than five years ago, Nok Nok Labs pioneered its modern authentication products to bring consumers and service providers authentication solutions that are interoperable with any application and meet industry standards and global regulations. As a founding member of the FIDO Alliance, Nok Nok Labs has helped lead the movement in the development, industry acceptance and deployment of the FIDO Alliance UAF, U2F and FIDO2 protocols. Today, Nok Nok Labs has globally deployed products that implement all of the FIDO protocols, with support for tens of millions of end user customers of leading service providers in key industries including banking, e-commerce, mobile network operators and healthcare.
 
“As a founding member of the FIDO Alliance, Nok Nok Labs has been a valued contributor to the creation of all FIDO specifications including FIDO2. With today’s FIDO2 certification, the Nok Nok Labs Authentication Server is the first Universal Server certified for all FIDO specifications. This achievement illustrates its ability to address a wide variety of use cases and provide a range of authenticator options to service providers looking to combat phishing and other scalable attacks with simpler and stronger FIDO Authentication,” said Brett McDowell, executive director of the FIDO Alliance.
 
Nok Nok S3 Authentication SDK 
The Nok Nok S3 Authentication SDK allows customers to embed FIDO authentication into their backend infrastructure. The Nok Nok S3 Authentication SDK package includes the Nok Nok Server SDK (Java libraries) as well as the Nok Nok App SDKs for mobile apps. The Server SDK libraries can be embedded into application backend authentication modules, as well as authentication servers such as products from Nok Nok Labs OEM partners. To learn more about the Nok Nok S3 Authentication SDK and OEM Partners who can assist with implementations.
 
Nok Nok Labs Developer Program
To assist developers who are deploying FIDO-based strong authentication into their existing native mobile applications and web applications, Nok Nok Labs is introducing the Nok Nok Labs Developer Program. The ecosystem around Nok Nok Labs has grown; tapping the expertise of this growing community through the developer program will assist organizations using any FIDO protocols including UAF, U2F, and the latest FIDO2 WebAuthn standards. Learn more about the program.
 
About Nok Nok Labs
Nok Nok Labs provides organizations with a next-generation authentication platform for cloud, mobile and IoT applications that enables a strategic approach to identity & authentication that is vital to modern business. The Nok Nok™ S3 Authentication Suite (Nok Nok™ S3 Suite) enables organizations to accelerate revenues, reduce fraud, and strengthen security and privacy. The Nok Nok™ S3 Suite brings a unified approach to deploying easy-to-use, easy-to-deploy secure authentication infrastructure that includes support for and innovates beyond standards such as FIDO and other specifications. Nok Nok Labs is a founding member of the FIDO Alliance with industry leading customers and partners that include Fujitsu Limited, NTT DOCOMO, PayPal and Lenovo. For more information, visit www.staging.noknok.com.
 
 

Mobile Security Arms Race: FIDO2, Stronger Biometrics, and More

August 11, 2018 Nok Nok News Biometrics, FIDO2

Support for on-device biometric authentication has greatly enhanced the security of mobile devices. Mobile devices come with a variety of biometric mechanisms, but they may vary in their efficacy and security levels. Recognizing this, Google recently announced they are refining the way Android differentiates between weak and strong on-device biometrics. Android will adopt new metrics that provide an objective assessment of the ease of circumventing the biometric. For example, let’s consider voice authentication. How easy is it to bypass the biometric using a voice recording or doing your best voice impression? For face authentication, can you fool it using a picture or a silicone mask created from a 3D printed mold? By factoring in these additional metrics, Google is raising the bar for biometrics.

It’s important to recognize that not all fraud is necessarily malicious in nature. In 2017, 86% of all chargebacks were probable cases of “friendly fraud”. Biometrics can be a source of friendly fraud, for example when multiple people have enrolled their fingerprints on a shared device. Early on, Nok Nok Labs worked with authenticator vendors to pioneer concepts for friendly fraud protection. Some of these concepts were incorporated into FIDO and made their way into mobile platforms, available to all apps, while others remain a proprietary part of our solutions and IP portfolio.

In the previous blog, we talked about FIDO protocols and how they make it possible to deliver strong authentication to users at population scale and change the economics of authentication. One of the FIDO protocols is called FIDO2, and Android now comes with native FIDO2 APIs. This means you can build FIDO2 into your native apps, and web apps can use FIDO2 in browsers. By providing FIDO2 support, Android greatly reduces the chance of account takeover and scalable attacks such as phishing as compared to passwords.

Another security concern on mobile devices is how private keys are protected on the device. Strong authentication relies on keys, and many Android devices can store and process them in a protected part of the main processor called the Trusted Execution Environment (TEE). In this way, malicious software cannot access the keys. However, storing keys in a separate chip could add security beyond the TEE, although this is not always the case depending on implementation. Some modern Android devices contain a security chip called a Secure Element. Nok Nok Labs worked with security chip vendors and also with Telecom companies to build this capability for certain devices. Now, in Android P, this feature, known as StrongBox, is generally available.

Storing keys in hardware is important, but how does your backend know that it was stored in hardware? Nok Nok Labs developed the concept of attestation which provides cryptographic proof that a key has the protection of hardware. This capability is built into the FIDO protocol, and it is supported natively in Android. Nok Nok has also helped design and implement metadata services for attestation, a subject we will visit in future blog posts.
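A sketch of the backend side of that question, as an added example (not Nok Nok's code or the FIDO Metadata Service API). It follows the WebAuthn authenticator-data layout and the signing input of "packed" attestation, with two labelled simplifications: the metadata table is constructed and holds a bare attestation public key instead of a certificate chain, and the credential key is carried as SPKI DER instead of COSE. All names and AAGUIDs are made up.

```javascript
const nodeCrypto = require("node:crypto");

const hash = (b) => nodeCrypto.createHash("sha256").update(b).digest();
const newKey = () => nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });

// Constructed authenticator model: every unit of a model shares one attestation key.
function makeModel(aaguidHex) {
  const attestationKey = newKey();
  const aaguid = Buffer.from(aaguidHex, "hex");
  return {
    aaguid: aaguidHex,
    attestationPublicKey: attestationKey.publicKey,
    register(rpId, clientDataHash) {
      const credential = newKey(); // per-account key pair; the private half stays on the device
      const credentialId = nodeCrypto.randomBytes(16);
      const idLen = Buffer.alloc(2);
      idLen.writeUInt16BE(credentialId.length);
      const authData = Buffer.concat([
        hash(Buffer.from(rpId)), Buffer.from([0x45]), Buffer.alloc(4), // rpIdHash, flags UP|UV|AT, signCount
        aaguid, idLen, credentialId,
        credential.publicKey.export({ type: "spki", format: "der" }), // simplification: COSE in real authData
      ]);
      const signed = Buffer.concat([authData, clientDataHash]);
      return { authData, sig: nodeCrypto.sign("sha256", signed, attestationKey.privateKey) };
    },
  };
}

// Server side: pull the attested credential data out of authData, with bounds checks.
function parseAuthData(authData) {
  if (authData.length < 55) throw new Error("authData too short for attested credential data");
  if ((authData[32] & 0x40) === 0) throw new Error("AT flag not set");
  const idLen = authData.readUInt16BE(53);
  if (authData.length < 55 + idLen) throw new Error("credential ID overruns authData");
  return {
    rpIdHash: authData.subarray(0, 32),
    aaguid: authData.subarray(37, 53).toString("hex"),
    credentialId: authData.subarray(55, 55 + idLen),
  };
}

// The AAGUID only selects a metadata entry; the signature is what proves the model.
function checkAttestation({ authData, sig }, clientDataHash, rpId, metadata, policy) {
  let parsed;
  try { parsed = parseAuthData(authData); } catch (e) { return { accepted: false, reason: e.message }; }
  if (!parsed.rpIdHash.equals(hash(Buffer.from(rpId)))) return { accepted: false, reason: "rpId mismatch" };
  const entry = metadata[parsed.aaguid];
  if (!entry) return { accepted: false, reason: "unknown AAGUID" };
  if (!nodeCrypto.verify("sha256", Buffer.concat([authData, clientDataHash]), entry.attestationPublicKey, sig))
    return { accepted: false, reason: "attestation signature invalid" };
  if (!policy.allowedKeyProtection.some((p) => entry.keyProtection.includes(p)))
    return { accepted: false, reason: "key protection not allowed by policy" };
  return { accepted: true, reason: entry.keyProtection.join("+") };
}

function demo() {
  const rpId = "bank.example"; // constructed
  const clientDataHash = hash(Buffer.from('{"type":"webauthn.create"}')); // constructed
  const seModel = makeModel("00112233445566778899aabbccddeeff");
  const swModel = makeModel("ffeeddccbbaa99887766554433221100");
  const impostor = makeModel(seModel.aaguid); // same AAGUID, different attestation key
  const metadata = {
    [seModel.aaguid]: { attestationPublicKey: seModel.attestationPublicKey, keyProtection: ["hardware", "secure_element"] },
    [swModel.aaguid]: { attestationPublicKey: swModel.attestationPublicKey, keyProtection: ["software"] },
  };
  const policy = { allowedKeyProtection: ["tee", "secure_element"] };
  const run = (m) => checkAttestation(m.register(rpId, clientDataHash), clientDataHash, rpId, metadata, policy);
  return { secureElement: run(seModel), software: run(swModel), claimedAaguid: run(impostor) };
}
console.log(demo());
```

The third case is the reason the signature check comes before the policy check: an AAGUID is just bytes in the message, so hardware backing can only be concluded from a signature that verifies against the metadata entry for that model.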

To safeguard against account takeover, an app can get confirmation from the user for a high-value transaction. To make this work, the mobile OS needs to provide the ability to display a message to the user such that the message cannot be altered by malicious software. You can think of this feature as “what you see is what you sign”. A few years ago, Nok Nok Labs worked with TEE vendors to develop a proof-of-concept showcasing this concept. The notion of a tamper-proof transaction display is built into FIDO, and Google has built this into Android P, which can close out the possibility of phishing completely if correctly used with FIDO.

Although Android has been getting more secure over the years, progress has not been in a straight path, as seen here in this timeline of Android OS releases versus features:

Not all security features are released as part of the operating system. Android has another release vehicle called Google Play Services. The timeline below shows security features delivered this way:

Complicating matters, Android has introduced security features and then superseded them with newer variants, sometimes changing the way the underlying biometric subsystem works. Also, with the ever-changing threat landscape, the evolution of security on mobile operating systems will continue. As an app developer, it can be difficult to keep up with this fast pace of change. Using FIDO authentication is one way to address this dilemma. With FIDO, you don’t need to change your app or backend infrastructure to take advantage of the mix of security capabilities available now and in the future.

We have also seen a similar evolution (perhaps more linear and consistent) in Apple’s iOS. Nok Nok has been the first to adapt these new capabilities to deliver FIDO-based authentication on Apple’s devices as a part of our commitment to deliver authentication for any device, any authenticator.

You can try out Nok Nok’s S3 Authentication Suite, which builds on top of the FIDO standards, now.


What is FIDO2?

July 18, 2018 Nok Nok News FIDO Alliance, FIDO2

Whether you’re a developer, IT Manager or end-user, you’re familiar with the problems with passwords. They tax end-users, make your infrastructure vulnerable, and are susceptible to scalable attacks. Nok Nok Labs founded the FIDO Alliance in 2013 and brought its key inventions to create a framework of FIDO standards to help eliminate passwords.

With FIDO, end users get simple and unphishable authentication appropriate to their use case, developers get a single API that shields them from the complexity of authenticators and security mechanisms, and IT operators get a single backend that can select the right authenticator for a user by policy regardless of end-user platform or use case.

FIDO makes it possible to deliver strong authentication to users at population scale and changes the economics of authentication. FIDO protocols are now widely deployed commercially to over 3 billion users by the world’s largest Payments, Banking, Insurance, and Telecom companies. So far, FIDO protocols have addressed the mobile use case at scale across all operating systems and allowed authentication in browsers and on non-mobile devices through the use of the phone or a USB token as an authentication factor.

To reach an even wider audience, Nok Nok Labs has worked with Google, Microsoft and a few other partners to bring FIDO natively into Browsers and Operating systems. This new effort, best understood as “FIDO for Browsers”, sits next to the existing FIDO protocols that can be thought of as “FIDO for Mobile Apps”. The new work provides a standard API that allows users to log in with FIDO in a browser without a password and to use phones or tokens as authenticators.

FIDO2 is comprised of two parts. First, there is Web Authentication (aka WebAuthn), which is the JavaScript API (application programming interface), a W3C standard. The FIDO Alliance and the W3C worked together to develop this new standard that platform vendors are incorporating into major browsers, for example, Mozilla, Chrome, Edge, and WebKit. Second, there is the Client to Authenticator Protocol (CTAP). CTAP allows FIDO2-capable devices to interface with external authenticators over Bluetooth, USB, or NFC. Web applications do not use CTAP directly.

Here you see a high-level architectural view of FIDO2:

Here you see the 3 components on the client side:

  • Web pages that use the W3C WebAuthn JavaScript API, for example, using an SDK from Nok Nok Labs
  • The Web browser that implements the WebAuthn API and connects to the FIDO2 subsystem of the underlying operating system.
  • Authenticators that the subsystem accesses to verify the user.

The server side has the relying party’s web application connected to a FIDO2 Server, for example, from Nok Nok Labs.
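What the server side checks on a WebAuthn login response, and why it can authenticate the user while holding only a public key (the point made in the November 2020 post above). This is an added example for Node.js, not code from Nok Nok or its SDK; the authenticator stand-in, the `shop.example` and `lookalike.example` names and all function names are constructed for illustration.

```javascript
const nodeCrypto = require("node:crypto");

const sha256 = (buf) => nodeCrypto.createHash("sha256").update(buf).digest();

// Constructed stand-in for browser + authenticator. The private key stays in this closure.
function makeAuthenticator() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  let counter = 0;
  return {
    publicKey, // the only key material the server ever stores
    sign(challenge, origin, rpId) {
      // The browser, not the page script, fills in the origin it is really on.
      const clientDataJSON = Buffer.from(JSON.stringify({ type: "webauthn.get", challenge, origin }));
      const authData = Buffer.alloc(37);
      sha256(Buffer.from(rpId)).copy(authData, 0); // bytes 0-31: SHA-256 of the RP ID
      authData[32] = 0x05;                          // flags: user present (0x01) | user verified (0x04)
      authData.writeUInt32BE(++counter, 33);        // bytes 33-36: signature counter
      const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
      return { clientDataJSON, authData, signature: nodeCrypto.sign("sha256", signed, privateKey) };
    },
  };
}

// Relying-party checks on a login (assertion) response. Returns "ok" or the first failure.
function verifyAssertion({ clientDataJSON, authData, signature }, expected) {
  const client = JSON.parse(clientDataJSON.toString("utf8"));
  if (client.type !== "webauthn.get") return "wrong-type";
  if (client.challenge !== expected.challenge) return "challenge-mismatch";
  if (client.origin !== expected.origin) return "origin-mismatch";
  if (authData.length < 37) return "authdata-too-short";
  if (!authData.subarray(0, 32).equals(sha256(Buffer.from(expected.rpId)))) return "rpid-mismatch";
  if ((authData[32] & 0x01) === 0) return "user-not-present";
  if (expected.requireUV && (authData[32] & 0x04) === 0) return "user-not-verified";
  const signCount = authData.readUInt32BE(33);
  const countersInUse = signCount !== 0 || expected.storedSignCount !== 0;
  if (countersInUse && signCount <= expected.storedSignCount) return "counter-regression";
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  if (!nodeCrypto.verify("sha256", signed, expected.publicKey, signature)) return "bad-signature";
  return "ok";
}

function demo() {
  const rp = { origin: "https://shop.example", rpId: "shop.example" }; // constructed
  const authn = makeAuthenticator();
  const challenge = nodeCrypto.randomBytes(32).toString("base64url");
  const expected = { ...rp, challenge, publicKey: authn.publicKey, storedSignCount: 0, requireUV: true };
  const good = authn.sign(challenge, rp.origin, rp.rpId);
  const other = authn.sign(challenge, "https://lookalike.example", "lookalike.example");
  const tampered = { ...good, authData: Buffer.from(good.authData) };
  tampered.authData.writeUInt32BE(99, 33); // change a signed field after signing
  return {
    legitimate: verifyAssertion(good, expected),
    otherOrigin: verifyAssertion(other, expected),
    replayed: verifyAssertion(good, { ...expected, challenge: nodeCrypto.randomBytes(32).toString("base64url") }),
    staleCounter: verifyAssertion(good, { ...expected, storedSignCount: 5 }),
    tampered: verifyAssertion(tampered, expected),
  };
}
console.log(demo());
```

Nothing the server stores or receives here lets it, or anyone who copies its database, produce a valid response; the origin and challenge checks are what make a response captured on another site or at another time useless.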

For more details on WebAuthn, you can review the W3C JavaScript API. As you may note, the WebAuthn API is extensive. Nok Nok provides an SDK with a simpler API that handles the lower-level REST (Representational State Transfer) and WebAuthn calls. With the Nok Nok SDK, integrating FIDO2 into your application is considerably simplified.

Platform support for FIDO2 and WebAuthn is evolving. It is supported on Edge, Chrome, and Firefox browsers, and in Android apps. WebAuthn is a W3C approved standard. Over time the list of platforms and browsers should expand, so stay tuned! You can also try out FIDO now.
