02 Apr
3 Min read

How BBVA is using FIDO to protect their customer accounts

April 2, 2021 Nok Nok News FIDO Alliance, Financial Services, Industry News 0 comments

Does your bank still think SMS one-time passcodes are the only additional authentication factor? Mine still does, and I wish I could easily switch to another bank that is more enlightened about security, such as BBVA. This international bank, which has customers in Spain, the US, Mexico and South America, has been a big supporter of FIDO authentication protocols and uses the Nok Nok S3 Authentication Suite.

Banking is one of the last bastions of old-world thinking when it comes to authentication. A quick scan of a directory of banks offering multifactor authentication (MFA) shows that most are still stuck in the past. BBVA is the first Spanish bank to adopt FIDO methods for its customers.

FIDO leverages existing biometric methods for authentication, such as fingerprint and facial recognition, that are built into more recent smartphones. This means customers don’t have to go through more complex procedures to secure their transactions. Customers can also quickly check which of their phones and laptops have accessed their account with a list of “my secure devices,” a quick way to find out who has been authorized to use your account.

Banks, though, should be more forward-thinking and embrace FIDO, especially those that are moving towards a more capable digital footprint. There are three reasons. First, account takeover fraud is rampant and increasing. Phishing lures are getting better, especially during the pandemic, when customers are not necessarily paying attention to dodgy Covid-related messages that could lead to a compromised account.

Second, PSD2 regulations require better authentication methods. The latest version of the Payment Services Directive of the EU has created the strong customer authentication requirement for all customer-initiated online payments and bank transfers and the EU began enforcing this requirement last year. This means when a customer wants to transfer funds, for example, they would need to make use of MFA to authenticate themselves. FIDO is one of the easiest and most secure ways to accomplish this, and the Nok Nok tools can enable this “step-up” authentication to make it seamless for the bank’s customers.

This means that authentication is not just accomplished when a customer logs into their account but as needed to safeguard their activities and protect the high risk accounts with a more secure process. The beauty of FIDO is that this protection is delivered without putting an additional burden on the user.

Finally, SMS-based authentication is a security sinkhole and can easily be compromised. Stories about these compromises go back several years. Most recently, a piece in Vice described how one third-party utility can be used to gain access to your SMS identity without the subscriber even knowing it has been compromised. Banks really shouldn’t rely on SMS for any authentication activity.

BBVA announced last year that they began deploying Nok Nok’s software across their customer base, and since then many of their customers are using FIDO to authenticate. “Traditionally, one of the biggest challenges of authentication systems has been to balance security with user experience. Due to the FIDO standard, we are confident that both elements work together seamlessly to provide customers with the highest security standards, along with a transparent and agile user experience,” says Juan Francisco Losa, BBVA’s Global Technology and Information Security Officer.

Nok Nok has numerous banking customers using their FIDO tools, including the Iceland-based Landsbankinn and the South African-based Standard Bank. Now if only I could get my own bank on board with FIDO.

20 Mar
3 Min read

Passwords are like gum on your shoe…

March 20, 2021 Nok Nok News Industry News 0 comments

We all hate passwords. That’s not a revelation. We all have too many, we can’t keep track of them, they are the top source of breaches, they cost organizations billions and Verizon reminds us every year of this!

So why are they so difficult to get rid of?

For the most part, it’s because up until recently there was nothing better. Passwords – a shared secret – provide a common way to authenticate across any device. But it’s a single factor that is easily compromised and no longer practical in our digital world where we have to remember, on average, 90 of them. To get around the inherent security weaknesses and user experience issues, companies have invested in risk signals, OTPs, session cookies and other add-on strategies. But at the end of the day, there is still an underlying password that can be compromised, and causes user friction.

The good news is that over the last 5 years, the fabric of identity and authentication has been undergoing a wholesale upgrade from username and passwords to cryptographic keys – aka FIDO. What that means is that you can replace 2 weak factors (for example passwords and OTPs) that are both vulnerable to phishing attacks (and both add friction!) with a strong multi-factor approach that is more convenient and more secure at the same time. Those factors are 1) the device that people already have (their phones, their PCs, their tablets) that are now cryptographically bound and 2) the user verification performed by the device (e.g. fingerprint sensor, facial recognition, PIN).

The FIDO protocols make it possible to replace passwords with strong multi-factor authentication that is very user friendly – a swipe of a finger, a look into your phone’s camera, typing your Windows Hello PIN, etc. Most users prefer these alternatives – Apple made them popular when they introduced TouchID. Most companies have implemented biometrics in their mobile apps to alleviate some of the password friction. Very often, however, the password is simply cached so that approach provides no improvement to security. And, when the user authenticates to the web version of an application either on their phone or PC, they’re back to… you guessed it… the annoying password.

Up until last year, one of the excuses for sticking with passwords was that Apple wasn’t on board yet with FIDO – so the puzzle was incomplete. That’s no longer the case as Safari now supports FIDO – joining Microsoft, Google, and Mozilla Firefox in the quest to eliminate passwords. Now that FIDO adoption across the ecosystem makes it practical to extend the “TouchID” concept to any device and channel, we can finally scrape off the gum. Can’t we? The challenge is that while it seems like a no-brainer – easier, more secure – it’s a change. Digital transformation requires cross-functional support. Each stakeholder must understand the value to their organization, and why it makes sense to take a strategic, new approach versus more tactical add-ons. The organization must also have a clear roadmap for moving from the legacy approaches to the new paradigm – what I call “transition vision”.

Stay tuned for my next blogs where I’ll discuss aligning internal stakeholders on the many business benefits, the value of a strategic approach, as well as best practices for embarking on your journey to passwordless.

19 Jan
7 Min read

Common Questions and Answers Around Delegated Authentication and PSD2

January 19, 2021 Nok Nok News Industry News, Webinar 0 comments

With financial services providers anticipating the implementation of PSD2 regulations in Europe next year, The Paypers invited us to sit down with Netcetera and the Aite Group for a webinar last fall. 

The full discussion was very rewarding and both the opportunities and challenges of compliance were discussed in detail. If you are interested, you can see the full recording here.

Three central themes emerged from the questions that were asked during the event and we wanted to take a moment to go into a little more detail about Delegated Authentication, 3DS2, FIDO Authentication and the path to implementation.

Delegated Authentication:

We should start by referring you to the most recent webinar that Netcetera offered in early December: Simplifying the Checkout Experience with 3ds SDK and Delegated Authentication. In it, they go into a deeper discussion on what delegated authentication is and how it is performed. 

It is important to realize that delegated authentication is new. The specifications are brand new and certification programs on how delegated authentication should be performed and whether or not it is “compliant” are just being deployed. Within the next year, all large merchants will be looking at delegated authentication and finding ways to implement it. 

Delegated authentication has the potential to shift liability for chargebacks from the merchant to the card issuer. However, there are two flavors of delegated authentication. In the first, weaker case, the merchant simply tells the issuer that “Yes, I have authenticated this user”. The merchant provides no proof that they are compliant with the specifications of strong customer authentication for this transaction. This flavor does not shift the liability. However, if the merchant also provides proof with their attestation – for example, the “FIDO blob” – then the liability for the chargeback shifts to the issuer rather than the merchant. 

While delegated authentication is in its infancy, there is no need to wait to integrate strong customer authentication into your customers’ process flow. After all, the customer will still need to authenticate for other purposes – sign in, add a new card, change shipping address, for example. The most foresighted merchants are implementing SCA solutions now that can integrate into 3DS2 and are capable of being used for delegated authentication even while the details are being worked out by the payment networks and operators.

3DS2

Initially deployed by Visa as “Verified by Visa” and then “Visa Secure”, 3DS has been adopted by Mastercard, American Express and other major card issuers. This protocol connects merchants, card networks, and financial institutions in order to verify transactions and share data. Additional steps are integrated to help protect cardholders and merchants. 

In the early days of E-Commerce, 3DS1 was deployed and quickly became known as a “conversion killer” due to the level of friction it introduced into the transaction process. 3DS2 was specifically designed to reduce friction while meeting strong customer authentication requirements. 

We have worked closely with Mastercard to design what is affectionately known as the “FIDO blob” that can be inserted into the 3DS rails for inclusion into a payment approval by a card issuer. From the customer’s point of view, enrollment into either 3DS2 or FIDO authentication will be fairly specific to the issuer or merchant (those we call the “Relying Parties”). While this enrollment process is related to authentication, it actually falls into the category of ID proofing.

Every relying party has a process for granting and resetting identity credentials – e.g. usernames and passwords. Usually, this process includes some sort of ID proofing such as an SMS message with a one-time passcode or using a service such as Jumio or OnFido. Nok Nok has integrated an API that provides an easy combination of whatever ID proofing approach the relying party has with our authentication solution. We have worked very closely with many multinational companies to ensure that the customer flow for FIDO registration is as easy and frictionless as possible. Once the device is registered, any information returned from an authentication challenge can be inserted into the 3DS rails for payment approval by the issuer.

Most issuers are ready for 3DS2 but many merchants are not. A large share of transactions are still using 3DS1 (and thereby killing conversions) or no 3DS at all. With the need for strong customer authentication, now is the time to implement such technologies to fully integrate the checkout process with the best current technology.

FIDO Authentication

The power inherent in FIDO Authentication is its versatility. FIDO-certified authentication allows for a wide variety of biometric options to confirm identity. However, the design specifications of FIDO require that a relying party does not store biometric templates. This raises the question: “How does the merchant know my biometric belongs to me?”

At the device registration stage, a relying party determines that a device and authenticator are in the hands of the client to whom the account is registered. Each relying party – having different levels of risk tolerance, anti-fraud requirements, or levels of access to sensitive data – may deploy different methods of determining this fact. Upon registration, the biometric template is stored on the device while a cryptographic key pair is registered with the relying party. The relying party stores the public key on its server while the private key is stored on the customer’s device, preferably within secure silicon like a trusted execution environment (TEE). The authenticator (e.g. a fingerprint scanner) matches a new scan against the template and “unlocks” the private key to answer a challenge from the relying party, thereby proving that your biometric belongs to you.

Importantly, this prevents a relying party – such as a merchant – from assuming the risk of holding biometric templates for all of their customers in a centrally stored database. Such vulnerabilities have led to fiascos such as the breach of Aadhaar, India’s biometric identity system. Additionally, in the European Union, GDPR becomes a potential issue for storing any personally identifying information, such as a biometric template.

Behavioral biometrics are an intriguing path of technology that could make silent authentication truly widespread. The state of the art – however – is that most solutions store the behavioral template on central servers – violating a key tenet of the FIDO protocols. That being said – there have been discussions between key members of FIDO and providers of behavioral biometric technology that could lead to eventually including that modality in the future. 

Implementing Solutions

We all hope for a better, brighter future with friction-free, highly secure payments – but how easy will it be for traditional issuers and merchants to adopt or implement these schemes? Fortunately, quite easy. From a technical perspective, the industry has done a great deal to facilitate adoption of FIDO and 3DS2. Many global banks have already worked with Nok Nok to deploy FIDO for their login and are expanding their usage to other areas such as transaction confirmation. 

Card networks are leading the way regarding 3DS working on schemes that will help issuers, acquirers, PSPs and merchants to participate and adopt the technology quickly and efficiently. The specific method for inserting the “FIDO blob” into the 3DS rails is already defined in the upcoming 3DS 2.3 specification and we are developing multiple systems with our partners – such as Netcetera – to deliver this capability. 

The take-away is that, while some worry that PSD2 will be the return of the “conversion killer”, we have developed technology that will prove just the opposite. Rather than adding friction to the checkout process, it is now possible to see a process so smooth that the customers don’t even notice they are authenticating. We have done it before with customers at T-Mobile. We look forward to bringing this technology to you.

23 Dec
5 Min read

Predicting the Unpredictable: What’s Next for Digital Identity in 2021

December 23, 2020 Nok Nok News Digital Payments, Industry News 0 comments

In all of my years working in this industry, 2020 has been one of the most challenging ones. COVID-19 derailed business-as-usual for virtually every organization across every industry, forcing them to set aside their existing strategies and quickly pivot to deliver remote connectivity at a massive scale to accommodate their workforces, customers, and more. On top of the sheer scalability and efficiency challenges, security risks further raised the stakes as hackers sought to take advantage of the pandemic’s disruption. 

As I reflect on the challenges brought on by this year’s uncertainty, here are my top three predictions of how 2020 will shape the industry next year.

Contactless QR code security will become more critical than ever 

The use of QR codes has extended beyond just restaurants and hotels. From being posted on office walls to keep employees advised of updates on procedures and processes to airport parking lots and more – you can pretty much find them anywhere with the arrival of COVID-19. While QR codes bring much-needed consumer convenience in these unprecedented times, they also serve up a menu of security concerns as well. 

In 2021, even as vaccines are (hopefully) distributed, the reliance on QR codes will remain. The unparalleled convenience will cause them to stay as a lasting impact from the pandemic. Consumers will continue using their personal devices to scan QR codes and enter information like name, email address, phone number, and more. The problem is that QR codes are appealing targets for hackers to get their hands on sensitive data. A hacker could easily embed a malicious URL containing custom malware into a QR code, which could then exfiltrate data from a mobile device when scanned. Building QR codes that direct consumers to dangerous websites exposes them to malicious attacks across mobile-threat vectors, including texts, instant messages, or even spam emails. With this in mind, organizations leveraging QR code technology will need to build stronger, standards-based authentication into their systems; otherwise, related hacks will skyrocket in the new year, and consumers will pay the price.

Risk signals are out. Assurance signals are in

In 2020’s digital world, applications, devices, and users often live and work outside corporate boundaries. Continuous assessment of contextual factors (user, device, location, network, threat signals, and more) provides secure access to corporate resources regardless of where they’re hosted. Remote work is here to stay, which means former physical perimeters have been disrupted, and one-time authentication for access to all resources is no longer valid. With the threat landscape more active than ever before, inadequate digital ID verification can heighten risks and liability. Thus, more specific assurance signals of who is in and out of our networks will become essential in 2021. 

As organizations move away from risk signals and put a stronger emphasis on these assurance signals, they will be forced to consider all parties within their network to provide a centralized approach to defining and monitoring security controls. Knowing exactly who is there will become one of the most important pieces of organizations’ security postures in the new year. 

Remote work will be polished by cleaning up rushed security and adding strong UX

COVID-19 has shined a spotlight on the culture of breaches in 2020. With the abrupt shift to remote work, organizations were forced to shift priorities and rethink approaches to securing remote workers. Many organizations succeeded in quickly implementing controls for managing a suddenly remote workforce. However, many were not prepared for the number of phishing and ransomware attacks that came with it.

To succeed in the post-COVID-19 era, organizations must rethink their strategies and offerings to accommodate a new security landscape. As organizations evaluate their 2021 budgets, they will be forced to allocate a portion towards the weak areas that COVID exposed in 2020. As companies take a more holistic view of their security infrastructure, there needs to be a greater emphasis on embedded security in order to prevent further damage as the remote work trend continues. 

While it is next to impossible to completely prevent cyberattacks, more in-depth efforts towards security are imperative in this age of heightened risks. Organizations will need to remain hyper-vigilant on striking a balance between strong user experience and robust security protocols. Though gaps and hiccups have slipped through the cracks in 2020 due to rapid transformation, organizations will need to polish their processes in 2021 to ensure users are both satisfied and protected. 

While there’s no crystal ball for what 2021 will hold, history is a strong indicator that attackers will continue to refine their methods to take advantage of global events and adopt new technologies. I believe that we will learn from the challenges that 2020 brought in order to make the changes needed for a stronger, more secure world. I also hope that everyone has a safe and joyous holiday season and a prosperous New Year.

18 Dec
4 Min read

History has an Echo

December 18, 2020 Nok Nok News Industry News, passwordless authentication 0 comments

In 1876, the first telephone call was made. The technological principles of the telegraph – allowing for instantaneous communication over long distances – were deployed at a massive scale to bring advanced, personal communication into every home. The leap from dots-and-dashes to voice-and-sound took 32 years (Samuel Morse sent his first telegraph in 1844). By the late 1890s, 20 years after Bell asked Mr. Watson to join him in his lab, the sky of New York City had been blotted out by the ill-conceived, inefficient infrastructure built to deliver these services.

History, it seems, is not without an echo.

It was roughly 30 years between the invention of the computer password and the wide-scale adoption of the internet. In the intervening 20-plus years, digital accounts have proliferated much like phone numbers in the late 1800s. And again, an ill-conceived, inefficient infrastructure threatens to blot out the sky.

In the near future, each household will be managing around 50 connected devices. 5G will drive a wave of innovation powered by new ideas about what we can do with all of that bandwidth and connectivity. The problem with technological waves is that the mental framework, the mindset that governed the prior generation of technology is slow to die. Therefore, we will find ourselves overrun with password fatigue, dreaming of the day we could see the skies through all of the password-lines.

But we will evolve. We have to. Our current mindset and methodology just doesn’t scale. The problem of digital identity will need to be solved.

First, in the next 1 to 5 years, passwords will become the “additional” factor, rather than the primary one. Other strong signals – like device data, physical and behavioral biometrics, or a second trusted device – will become the primary. We have already seen these trends in Apple products, like using the Apple Watch to unlock your MacBook, or the nigh ubiquitous fingerprint sensors. Soon the password will primarily be used as the method of “step-up” authentication.

Between 3 to 8 years from now, passwords will be fairly rare. Authentication will still be between a service provider and their customer, but the customer experience will be dramatically different. Companies will rely – primarily – on technologies like FIDO that provide cryptographic verification of identity. These will continue to be augmented by risk engines to discern identity. The industry will begin to see the emergence of “trusted identity providers” – an evolution of today’s social login features and password managers. These companies will provide users with the ability to log into their multitude of profiles with a single click. But the scalable attack of a breached username and password database will no longer be possible. This new paradigm will not be reliant on shared secrets.

5 to 10 years from now, you will see identity becoming its own segment of the mobile ecosystem. Not as service providers licensing products – but as organizations that share pieces of information at a microtransaction level that is so small as to stay unprofitable. When the user opens an application, it will query a network of participating companies (possibly over a blockchain or similar technology) asking “Who is there?” Tiny pieces of information will all coalesce to reveal the true digital identity of the user. Just in time and only what the application needs. All of this in a privacy preserving manner with user consent and transparency.

These predictions are not revolutionary. We have the technology that can perform all of these actions. What will be revolutionary is the business model that sees them coming to fruition. There must be an incentive, a reason for these claims to be harvested, recorded and shared. It cannot be a single entity. Each service provider will be interested in different parts of my digital profile and should only need to pay for what they need. This solution will need an ecosystem to support it.

The past’s echo will continue to reverberate. Just as we evolved from the telephone poles and overhead wires in New York to a world with underground fiber and wireless communication, we will see big changes in our identity infrastructure as well. Identity discovery will no longer be through one-to-one connections. Instead it will be over identity networks that are very secure and part of the invisible fabric that makes up the Internet.

13 Nov
3 Min read

Passwordless authentication becomes a reality, really

November 13, 2020 Nok Nok News FIDO Alliance, FIDO2, Industry News 0 comments

Passwordless authentication has finally come of age. The final piece of the puzzle is what is happening at Apple and its support of the various FIDO2 standards, including adding the WebAuthn protocol to Safari on iOS 14 devices. These protocols are useful because web application servers can integrate with strong authenticators already built into devices, such as Apple Touch ID/Face ID, Android biometrics and Windows Hello. This means that these servers can authenticate the user without ever receiving any private keys or shared secrets. One of the largest MNOs in Japan, NTT DOCOMO, already deploys actual passwordless apps.

Before Apple’s implementation, there was ubiquitous support for FIDO across native mobile applications on Android and iOS devices, but not for browser applications. Microsoft, Google and Mozilla Firefox added FIDO support for browsers but, without support in Safari, there was a gap to achieving passwordless. Many organizations were waiting to see if Apple would jump on the bandwagon.

Why is this particular Apple implementation important? There are several reasons. First, biometrics are now used by more people and found in more phones than ever before. Duo reports in a 2019 survey that 77% of smartphones have biometrics configured. Next, before FIDO2 you had to combine device firmware with specific software and an app that was written for this task. Now you have a standards-based approach that will work with any of the major browsers in any context. It also means that finally we can ditch our one-time password apps on our smartphones (such as Authy, LastPass and the Google and Microsoft Authenticators) and our hardware OTP tokens and just use the phones themselves as authentication devices. Finally, this makes FIDO passwordless logins the most secure mechanism of authentication and also the easiest to use. We no longer have to ask users to trade off usability with security: they can have both.

Certainly, there have been other passwordless applications outside of the FIDO effort, as mentioned in this piece in CSOonline. But all of these share common drawbacks: they are vendor-specific, they require special code to integrate with their authentication servers, they make use of existing authentication smartphone apps or they haven’t been tested at the scale that can be used by global enterprises. Speaking of which, FIDO implementations are being used today by millions of users, and they also save time and frustration. Intuit found that their FIDO-enabled mobile app had three major benefits: it cut down on phishing attempts, reduced by 20% the login times for users, and improved by 6% the number of successful logins. They are working on integrating FIDO into their websites’ logins.

Passwords are painful, no doubt. We have too many of them to easily remember, and many multi-factor solutions have usability compromises that require a security expert to explain and deploy. It is time to take advantage of FIDO, and it is timely that Apple now supports WebAuthn. This could well be a watershed event for mobile e-commerce, creating a big incentive for using your smartphone to make online purchases. No more having to download an app to buy from an online storefront when you can just use your browser on iOS, Android, or Windows. You get a simple login and better security than you had before.

29 Oct
5 Min read

Death Due to Cyber Attack Has to be a Wake-up Call

October 29, 2020 Nok Nok News Industry News 0 comments

A tragic milestone has been crossed this year. While, yes, the tragedies do seem to be manifold – one tragedy in particular stands out in our field. The first death linked directly to a cyber attack.

Earlier this year, in Dusseldorf, Germany – not three hours from my home – a ransomware attack crippled a hospital’s systems, requiring all ambulances to be rerouted to other emergency rooms. One ambulance, however, did show up at the targeted hospital with a patient in critical condition. The patient did not survive the rerouting to an alternative facility.

This is tragic. Threats in the digital world have made the jump to the physical. The threat to people is no longer theoretical or about personal inconvenience. They are no longer about a simple rejection of a fraudulent payment. Unfortunately, the threats seem to be multiplying.

Since the beginning of the COVID-19 pandemic, online crimes have roughly quadrupled. While the hospital in Dusseldorf may not have been the intended target, hospitals are quite vulnerable. In 2019, it was reported that 84% of hospitals didn’t have a full-time cybersecurity employee. The same report noted that, between 2016 and 2018, one-third of hospital executives purchased cybersecurity tools “blindly without much vision or discernment.” Meanwhile, healthcare organizations spend more than all other sectors on data breach recovery.

It is a mixed blessing, then, that internet-connected devices – the internet of things (IoT) – have been a boon to the healthcare industry. Doctors and employees already use smartphones, tablets, laptops and digital assistants. There is growing connectivity among diagnostic and imaging equipment, surgical robots, wearables, intelligent equipment and countless wireless sensors. There are Bluetooth-enabled weight scales and blood pressure cuffs that track symptoms for cancer patients. There are glucose monitors that improve the quality of life for diabetics. Apple’s ResearchKit simplifies the daily diary process for those who suffer from Parkinson’s Disease – helping the patient and providing valuable data to assist in research. Even your smart refrigerator could send relevant data back to your doctor about your diet.

All of these innovations have been a net-benefit for the quality of healthcare that we receive. Alan Mihalic, president and founder of the IoT Security Institute, has noted that “with all this data, can look at how to improve their service and lower the cost to deliver that service. But moreover, it’s a question of moving from a reactive to a proactive healthcare model.”

With all of these new devices, coming from different manufacturers, installed and run by smart medical professionals who may or may not have IT security experience, it is no wonder that the hospital’s attack surface has grown immeasurably in the last few years. 92% of the purchasing decisions regarding data security between 2017 and 2019 were made at the C-level and included neither the affected department managers nor the users that would be impacted by such decisions. Across the industry, there is almost no reliance on secure authentication – after all, the urgent nature of hospital work requires a system that provides relevant information to an emergency room doctor on demand. Additionally, hospitals are notoriously plagued by budget constraints. Replacing or upgrading legacy software comes with a price tag, which leads to outrageous statistics such as this one: 56% of healthcare providers still use Windows 7. What money there is for IT is usually not earmarked for security. 90% of institutions report that their security budgets have remained level or decreased since 2016.

But what can be done about it? It is vital to be aware of current best practices.

In 2019, the National Institute of Standards and Technology (NIST) published NISTIR 8228, “Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks”. In it, NIST highlights three high-level risk mitigation goals. Simply put, they are:

  1. Protect device security.
  2. Protect data security.
  3. Protect individuals’ privacy.

Those responsible for outfitting and managing a hospital’s IT infrastructure need to be thoughtful about the way in which they incorporate connected devices. Mitigating cyber risk is crucial for any industry, but there is no room for error in healthcare. The rapid shift this year to remote work has opened a significant number of vulnerabilities for hackers to exploit. Unfortunately, fixing vulnerabilities is much more difficult than it sounds, especially for an always-on operation like a hospital.

But it is possible to start at the beginning. Authentication, the process by which we gain privileged access to devices and records, can be secure, frictionless, interoperable across devices and based on tried-and-tested industry standards, and that can begin to close the gap. Unfortunately, it requires challenging the status quo, and the status quo carries significant inertia with it.

But, with human lives at stake, it is clearer than ever that the status quo is not good enough and needs to be challenged.

As this is cybersecurity awareness month, let us all take a moment to consider our underlying assumptions and where we might be able to improve them. IoT devices in healthcare can provide significant improvements in how patients are treated and how research is done. But it needs to be protected and “good enough” security of the past is simply not good enough anymore. At least, it wasn’t for that patient in Dusseldorf.


Cybersecurity is a Personal Responsibility

October 8, 2020 Nok Nok News Cybersecurity, Industry News 0 comments

This month is National Cybersecurity Awareness Month. Let me be blunt. If you don’t think you are responsible for cybersecurity – you are wrong.

Think about the footsteps you leave in the digital sand, your digital persona, information that you would consider private, valuable and vital. Now, think about how those bits and bytes of data can be used against you, can be taken from you and put to serve nefarious purposes. This is not a science fiction dystopia – this is our world.

To illustrate, let me paint a picture. You have a doctor’s appointment. You show up to the office and check-in on your smartphone, confirming your identity, the time of the appointment and the ailment for which you are being seen. You sit down and – while waiting – you open up your social media platform of choice to pass the time.

Your social media profile lists your friends, their birthdays, the things you like, your political preferences and on and on and on.

While browsing, an ad is presented for something you’re interested in. This ad was served up based on your interests, browsing history and ads that you have clicked on in the past. As such, you are very interested in what is being offered, but you aren’t sure if you can afford it. So before you buy, you open up your banking application to check your balance.

The banking app shows you your current balance in your checking account, your savings account, how much you owe on your credit cards, a long list of recent transactions, where and for how much they were for. You see you have enough for the purchase, flip back over to the advertisement and buy the product. You get called into the office for the doctor and a few days later, your package arrives at your door.

Simple, right? Amazing. It’s the miracle of the modern age.

Now, imagine going through all of that – but rather than it taking place on the privacy of your own screen, it is over the phone and the phone is on speaker. Your ailment is announced to the waiting room. As are the names of all of your friends and your political preferences. Your interests – both private and public – are announced and the things that you want to buy become public knowledge. Your bank account, recent purchases, credit card number and debt are also provided to anyone within the sound of your voice.

Without encryption, without security, without paying attention to the way in which your data is hoovered up, collected and distributed – any passing person who speaks binary can steal, copy, exploit and change your personal information.

That is why this month is important. Your data is YOUR data. It is vital that you are aware of how to protect it. If you have a device that connects – it needs to be protected and YOU are the one responsible for making sure that happens.

This month we look forward to having unfiltered conversations about cybersecurity. We will post our thoughts on how the pandemic has changed the concept of secure perimeter-based security, how the proliferation of small devices connecting to the greater web – as valuable as they are – has increased the attack vectors that we need to monitor and where we all may be headed in the future.

We invite you to join us in this discussion. But even if you don’t, we urge you to remember: the most important person responsible for your cyber security is you. Take that responsibility seriously.


Going Beyond the Standard

July 21, 2020 Nok Nok News Industry News 0 comments

It is not a surprise to say that passwords are broken. They were not designed to secure today’s connected economy. As an inventor of FIDO standards, we knew that the key to replacing passwords was a privacy-by-design specification that championed interoperability and decentralized the security topography.

The Nok Nok™ S3 Suite goes beyond the standards. It is the most widely deployed FIDO-certified solution on the planet. It has powered billions of consumer authentication events for banks like BBVA and Standard Bank, for telcos like T-Mobile and NTT DOCOMO, and for a variety of other industries like physical security, government and insurance. We have deployed the Nok Nok solution, at scale, more times than any other purveyor of FIDO certified servers. Our level of experience delivers a better product, a better team, a swifter and more stable integration, and a collection of benefits we are excited to share in this new release of the Nok Nok S3 Suite.

S3 Diagram

Adaptive Policies
Existing authentication systems are robust – but most have been deployed using username and passwords as their foundational layer. We know that passwords do not make a firm foundation. In order to shore up that weakness, new systems have been bolted on to make the passwords more complex, to ask personal questions, to generate and distribute one-time-passcodes or harvest device details in order to lower the probability of fraud (just a little!). Risk-engines were devised to collect and analyze these data points. Regulations have been created mandating the use of these additional methods. As we move into a passwordless future, some of these requirements persist and will still be needed.

With the Nok Nok S3 Suite you can power large scale passwordless deployments – deployments which can be paired with existing risk engines, behavioral biometrics, or other systems. With our new release, we simplify the integration and add an engine capable of dynamically adapting to the context of an authentication event. This allows our customers to select appropriate risk factors and implement them without writing a single line of code. By including authentication context, we help enable compliance with the requirements of PSD2 SCA, and other privacy and security regulations. The new, simplified integration accelerates time to deployment and provides the tools necessary to address the most pressing financial industry requirements.

Expanded Device Support
Since the beginning, FIDO standards have been about interoperability. We worked tirelessly in the early days to make sure the standard integrated with handset manufacturers like Fujitsu and Samsung, secure silicon providers such as Qualcomm, and authentication providers for facial and fingerprint recognition. Nok Nok was the first to bring FIDO authentication support to the Apple Watch, and today we are happy to let you know we now also support Wear OS (formerly Android Wear). But our work is not done. As new devices and solutions come to market, we are eager to expand our support and bring more choices to the consumer. Through our API and SDKs, the same user experience and security can be provided, regardless of channel or device.

Nok Nok™ Quick Authentication
Bandwidth is crowded, especially now that more of us are online with multiple devices. Phones are connected to earphones, watches, computers and more. Each wireless interaction carries a network cost and introduces delay and latency to the customer experience. Some networks are not as robust as others and this inconsistency of experience can create frustration and friction for users.

Following our history of designing “beyond the standard”, today we are introducing Quick Authentication with this latest release. Nok Nok™ Quick Authentication performs secure FIDO authentication in a single network round trip. Organizations can now significantly reduce their network traffic. End-users get both speed and security with this update.

Going Beyond
While FIDO standards are a leap forward towards a passwordless world, the Nok Nok S3 Suite takes you there and beyond. Our latest technology is built to address the authentication needs of companies wrestling with regulatory complexity, without adding friction to the user experience. Customers expect privacy, and regulations – such as CCPA and GDPR – have strict rules and significant penalties for privacy violations. The Nok Nok S3 Suite eliminates the need to centrally store biometric customer data for authentication and – as mentioned – it follows a privacy-by-design approach. With strong, multi-factor authentication, the ability to comply with FFIEC, PSD2 SCA, HIPAA and other regulations is enabled. In addition, support for EMVCo 3DS2’s requirement for transaction confirmation of high value transactions is already included.

We view authentication as the front door to the connected economy. That door should be frictionless, yet secure. It should provide the security an organization and regulatory body requires while not turning away the end-user. We have deployed our solution to customers with tens of millions of users and we know how to build and integrate a scalable solution.

Simple. Secure. Scalable – was what we committed to 8 years ago and what we continue to deliver today.

For more information on the Nok Nok S3 Suite reach out to our team who will be happy to answer any questions.


Still not a FIDO believer? Apple Just Made a Big Bet

June 26, 2020 Nok Nok News FIDO Alliance, Industry News, Opinion 0 comments

It’s been an exciting week as Apple has once again shown its commitment to stronger, standards-based authentication by adding support for Web Authentication Platform Authenticators to iOS, iPadOS, macOS and Safari. With browsers like Safari allowing their users to leverage Face ID or Touch ID based platform authenticators to log in to websites, the final puzzle piece in the authentication game is in place!

It is great to see how quickly Apple has added support for FIDO to their platforms – allowing their users to leverage strong passwordless FIDO authentication. Furthermore, the move by Apple means that users can take advantage of Nok Nok’s passwordless authentication directly in browsers running on iPhones, iPads and Macs going forward, meaning Nok Nok’s reach on mobile browsers increases to approx. 70%.

This milestone has been a long time coming, arriving on the heels of massive momentum for FIDO:

In late 2019 as part of Safari 13, Apple announced support for Web Authentication when using FIDO Security Keys, i.e. the ability to use hardware tokens for strong authentication. These FIDO Security Keys are often deployed by enterprises for workforce authentication.

In February of 2020, Apple joined the FIDO Alliance, which was seen as a public commitment to FIDO and it fueled the expectation of full FIDO support on Apple devices soon.

For large scale customer authentication deployments, however, the first 2 steps didn’t have a significant effect in practice as most customers don’t carry FIDO security keys with them.

The recent announcement to add “Web Authentication Platform Authenticator” to Safari 14 addresses this important use case.

Today, passwordless customer authentication is already practical in mobile apps running on Android or iOS devices and in web browsers running on Windows 10 PCs and Android smartphones.

Once Safari 14 is shipping and users have updated to this version of Safari, FIDO passwordless authentication can be used on iOS, iPadOS and macOS powered devices – expanding FIDO support to all major platforms – a significant milestone towards a new more secure modern authentication framework for today’s digital world. With coverage across all major platforms, and the many benefits of moving off legacy authentication, there is no reason to wait to embark on your passwordless journey.

And with Nok Nok’s certified Universal Server, organizations can perform and manage FIDO passwordless authentication across all platforms, even including Smart Watches, through a single developer API. The Nok Nok S3 Authentication Suite supports all verification steps mentioned in Meet Face ID and Touch ID for the web – WWDC 2020 – Videos and it supports many more features to make passwordless authentication easy for organizations to deploy.


Contact Us

Nok Nok, Inc.
2890 Zanker Rd #203
San Jose, CA 95134

(650) 433-1300

[email protected]

Get Google Maps Directions

Nok Nok Labs, Nok Nok, and NNL are all trademarks of Nok Nok Labs, Inc. © 2025 Nok Nok Labs, Inc.
FIDO is a trademark of the Fast IDentity Online, (FIDO), Alliance. All rights reserved.
Terms Of Use and Privacy Policy