15 Mar
4 Min read

When Securing Transactions, Global Experience Gets it Done

March 15, 2024 | Nok Nok News | Biometrics, Opinion

In today’s digital age, banking apps on mobile devices have become ubiquitous, offering convenience and easy access to financial services. With more than half of Generation Z, Millennials, and Generation X favoring mobile banking apps, it’s evident that traditional brick-and-mortar banking is rapidly being replaced by digital solutions. However, as the adoption of mobile banking apps continues to soar, ensuring robust security while maintaining a seamless user experience has become a paramount concern for banks worldwide.

To address these challenges, banks are turning to advanced technologies such as FIDO (Fast Identity Online) and WebAuthn (Web Authentication) to revolutionize payment authorization processes. It’s crucial to understand how these technologies are implemented, especially considering the differing approaches between the United States and the European Union.

In the United States, the emphasis is on leveraging biometrics within banking apps to streamline payment authorization. Users can authenticate using biometric features such as fingerprint or facial recognition, eliminating the need for cumbersome password entry. However, for online payments, the reliance on risk analytics and SMS one-time passwords (OTPs) has resulted in high rates of card-not-present fraud and false declines. The use of SMS OTPs often leads to user friction and increased abandonment rates, as customers are required to switch contexts or even use a second device. To combat these challenges, Secure Payment Confirmation (SPC) has been introduced, built on top of FIDO/WebAuthn to provide a phishing-resistant credential for authorizing online transactions with a single gesture, be it biometric or PIN. This approach significantly improves conversion rates, reduces fraud, and minimizes false declines, ultimately enhancing both security and user experience.

On the other hand, in the European Union, banking apps also use biometrics for authentication, removing the need for password entry and enhancing security. However, the approach to online payment authorization differs: push-to-app is the preferred method. Users must switch to their banking app to approve payment transactions, which introduces friction and potentially increases abandonment rates. Despite the use of biometrics within the banking app, the past impracticality of biometrics in merchant apps, especially web apps, has limited their widespread adoption. A further significant issue is the lack of integrity protection for web apps, which means that implementing “what-you-see-is-what-you-sign” directly in a web app is not possible today. To address these challenges, Secure Payment Confirmation (SPC) is employed on top of FIDO/WebAuthn to provide a phishing-resistant credential that is triggered either by the merchant’s app or by the issuer’s access control server (ACS). This approach improves conversion rates by simplifying the payment authorization process while maintaining robust security.

In both regions, the adoption of FIDO/WebAuthn-based solutions marks a significant step forward in enhancing the security and usability of payment authorization triggered by web apps or by an ACS. By providing users with seamless and secure authentication methods, banks can instill trust and confidence while fostering greater adoption of digital banking services.

As the banking industry continues to evolve in the digital era, it’s clear that innovative technologies will play a crucial role in shaping the future of financial services. By prioritizing security and user experience, banks can position themselves as leaders in the digital transformation of banking, driving greater customer satisfaction and loyalty in an increasingly competitive landscape.

When banks need to implement Secure Payment Confirmation (SPC) requirements, partnering with trusted FIDO vendors like Nok Nok who have experience in both US and EU payment security can ensure the successful implementation of this technology. Nok Nok’s ability to demonstrate a large user base employing various authentication protocols to produce cryptographic evidence further solidifies its position as a reliable partner in enhancing the usability for secure online payments.

Read more
16 Aug
3 Min read

Biometrics Is A Better Security Solution

August 16, 2022 | Nok Nok News | Biometrics

Digital security is a growing concern, not just for businesses that want to protect sensitive corporate data but for private individuals who rely more and more on online interactions for major activities such as financial and personal banking transactions. Integrating online transactions into everyday life has created more convenience for enterprises and people alike. Accessing data, whether corporate or personal finances, from any online device at any time or location makes everything much easier.

However, this convenience comes at the cost of traditional legacy security measures failing to provide adequate protection. A traditional measure like a single password is too vulnerable in the modern online age. Previously, knowing a password was only one requirement alongside having access to the right device in the right location, so the password was effectively one factor in an analog multifactor authentication process.

Today, however, a single password can grant someone on the other side of the world access to confidential data or personal funds using their own phone, laptop, or computer as long as they have correctly guessed or stolen a password from someone using social engineering techniques. The convenience of a password is now also its greatest security weakness.

Biometric Authentication Brings Better Security

Biometric authentication is something many people are already familiar with. Rather than requiring people to remember passwords or numeric codes, biometric authentication uses the unique identifiers of each person to grant access. The most common examples today are facial recognition, voice recognition, and fingerprint recognition, with many of these methods already used on phones and laptops.

Using biometric authentication, or combining it with other multifactor authentication systems such as passkeys, achieves two objectives simultaneously. First, biometric authentication adds an extra layer of security that can’t be casually guessed or counterfeited: mimicking a person’s voice, face or fingerprint requires considerable budget, time and effort, a barrier too high for most criminals to make it worthwhile. Second, it eliminates the need for passwords altogether, which makes for faster, more convenient access in addition to being more secure.

All of this is now being optimized and standardized by the Fast Identity Online Alliance, or FIDO, which aims to make it easier to implement FIDO-based systems into any business setting to protect both enterprises and their client or customer data. If you’re ready to improve your digital security and want more details about FIDO-based passwordless authentication systems, read here to learn more.

Read more
04 Mar
3 Min read

Key-based Biometric Authentication: Addressing Fraud Through Modern Security

March 4, 2022 | Nok Nok News | Biometrics, E-Commerce

Technology offers convenience. That cannot be denied. Recent years have proven how beneficial the Internet and smart devices can be in making various activities easier. A good example of this is online shopping. In the United States alone, more than 70% of residents switched to online shopping in 2021, driven in part by changes in consumer purchasing behavior due to the Covid pandemic.

Cyber Attacks: Fighting Risks

With the rise in the number of E-Commerce users come security risks. Add to this the increase in electronic payment use for various transactions, including P2P payments.

Today’s new trend in Trust and Safety means that institutions that have been strengthening cyber security for their own enterprise benefit are now starting to focus on protecting end-users and their data.

One way of doing this is by adopting modern authentication and security measures like FIDO-based biometric authentication. Generally, this type of user-centric authentication involves cryptographic keys and biometric methods including fingerprint use, voice authentication, and facial recognition, among others. In FIDO-based biometric authentication, user biometrics are under the control of the user and are never passed or stored by the enterprise.

Modern authentication and security measures can prevent the 80% of successful cyber breaches that, according to Verizon’s 2021 annual security report, start with a man-in-the-middle or phishing attack and result in account takeovers, a serious issue worldwide.

In the U.S., online fraud attempts involving card payments increased by 23%. Feedzai reported that during the second quarter of 2021, 93% of banking fraud occurred online and 83% of card fraud was done online.

Purchase scams were the top scam during the quarter by volume. These happen when consumers are charged for products or services that they will never receive.

Among the other scams common during the period is SMS phishing, or what some call smishing.

Taking the Right Step With Biometrics

Modernizing the security of identity verification for online transactions and interactions is also a must. The best way to do that is by implementing FIDO biometric and key-based authentication. With this modern authentication and security, it is harder for bad actors to get access to accounts and data.

This is especially crucial for financial institutions. Protecting cyberspace will also protect user data and assets.

That said, shifting to and implementing FIDO key-based identity and authentication can be a bit challenging for beginners. So, it may help to work with a reliable industry expert like Nok Nok, which has already built a key-based identity and biometric authentication platform trusted by some of the biggest banks, telcos and financial services brands in the world.

Nok Nok is a member of the FIDO Alliance and an industry leader in the application of this modern security technology. Nok Nok also founded the association, which is at the forefront of the fight against cyber threats and the over-reliance on passwords and other legacy knowledge-based authentication methods. In fact, the company offers multiple fast identity and passwordless authentication solutions, including the incorporation of passwordless biometric authentication into consumer IoT devices.

You can check Nok Nok Products to find out more about multi-factor authentication and determine the best solution for your clients.

Read more
27 Aug
4 Min read

The “Anti-Pattern” of Server-Side Biometric Secrets

August 27, 2019 | Nok Nok News | Biometrics, Industry News

The Guardian and Forbes reported that researchers traced a massive leak of 28 million biometric and personal records to a UK-based company whose products are used worldwide for physical access control. The leak included centrally stored fingerprint and facial recognition data, photos, unencrypted usernames and passwords, logs of facility access, security levels and clearances, and personal details of staff, and comprised over 23 gigabytes of data. The breach reinforces the problem with server-side biometrics and adds to a series of prior breaches such as the OPM data breach that leaked the biometrics and personal information of US Government employees.

This leak points to an “anti-pattern” that security professionals and corporations should understand clearly. A pattern is an idea of how to solve a recurring problem within a class of problems. An anti-pattern is an idea of how not to solve it, because implementing that idea results in bad design.

The old proverb goes, “Why did Willie Sutton rob banks? Because the money was there!” Biometrics that are transported and aggregated centrally on the server for storage and matching are the worst kind of anti-pattern. They create stores of secrets on the server side that are attractive for hackers to breach. The possibility of a scalable attack is large, the economic returns are very attractive, and remediation is very complicated.

By contrast, biometrics that work only on your personal device and are never shared, stored or matched on the server are an effective and secure pattern. By distributing the sensitive information and protecting it with extraordinary security, there is no central repository to attack. In other words, Willie Sutton would be out of business as a bank robber and instead be reduced to trying to pick pockets – not a scalable endeavor.

Apple, Samsung and others have proven that by distributing and localizing biometrics to a personal device that is in your control and by placing extraordinary controls around the biometric capture and matching, you can use biometrics as an effective secure pattern. In this case, the data is distributed, and you can at best try a targeted attack on individuals, one at a time – even that is so difficult that the economic incentives are not attractive.

Nok Nok Labs believes deeply in the idea that for privacy, security and the prevention of catastrophic failures like the breach above, corporations should only use the client-side-only biometric pattern as implemented by reputable vendors. We believe this so deeply that we incorporated this as a basic design principle in the creation of the FIDO protocols at the FIDO Alliance that we founded in 2013. The protocols created a more resilient distributed security pattern and are backed today by industry leaders such as Google, Microsoft, Intel, ARM, Samsung, Lenovo, VISA, MasterCard and others who have joined the alliance.

The FIDO protocols represent a good pattern to solve the problem of server-side secret aggregation. Users can leverage a method of authentication that is natural and convenient such as the client-side-store-and-match biometrics on a personal device including a phone or a physical token such as a USB or Bluetooth dongle. The standard ensures that there are no aggregations of secrets (as would be the case with passwords) and is designed to mitigate scalable attacks of all kinds such as phishing, interception by Man-in-the-Middle or compromises of a central repository of passwords. Developers get a simplified interface to implement this, and operators can rely on a single backend infrastructure regardless of device, method of authentication or security requirements. In other words, the standard ensures simplicity for the user, developer and operator.

It’s a well-kept secret that FIDO is already deployed widely and used daily by nearly a billion users at major brands such as Intuit, Bank of America, T-Mobile, Cigna, Google and Microsoft in the US and across Asia at DOCOMO, Softbank, Yahoo! Japan, and some of the largest banks in the region. It is expected to be deployed by most forward-thinking brands by 2020.

Read more
11 Aug
5 Min read

Mobile Security Arms Race: FIDO2, Stronger Biometrics, and More

August 11, 2018 | Nok Nok News | Biometrics, FIDO2

Support for on-device biometric authentication has greatly enhanced the security of mobile devices. Mobile devices come with a variety of biometric mechanisms, but they may vary in their efficacy and security levels. Recognizing this, Google recently announced they are refining the way Android differentiates between weak and strong on-device biometrics. Android will adopt new metrics that provide an objective assessment of the ease of circumventing the biometric. For example, let’s consider voice authentication. How easy is it to bypass the biometric using a voice recording or doing your best voice impression? For face authentication, can you fool it using a picture or a silicone mask created from a 3D printed mold? By factoring in these additional metrics, Google is raising the bar for biometrics.

It’s important to recognize that not all fraud is necessarily malicious in nature. In 2017, 86% of all chargebacks were probable cases of “friendly fraud”. Biometrics can be a source of friendly fraud, for example when multiple people have enrolled their fingerprints on a shared device. Early on, Nok Nok Labs worked with authenticator vendors to pioneer concepts for friendly fraud protection. Some of these concepts were incorporated into FIDO and made their way into mobile platforms, available to all apps, while others remain a proprietary part of our solutions and IP portfolio.

In the previous blog, we talked about the FIDO protocols and how they make it possible to deliver strong authentication to users at population scale and change the economics of authentication. One of the FIDO protocols is called FIDO2, and Android now comes with native FIDO2 APIs. This means you can build FIDO2 into your native apps, and web apps can use FIDO2 in browsers. By providing FIDO2 support, Android greatly reduces the chance of account takeover and of scalable attacks such as phishing compared to passwords.

Another security concern on mobile devices is how private keys are protected on the device. Strong authentication relies on keys, and many Android devices can store and process them in a protected part of the main processor called the Trusted Execution Environment (TEE). In this way, malicious software cannot access the keys. Storing keys in a separate chip can add security beyond the TEE, although whether it does depends on the implementation. Some modern Android devices contain a security chip called a Secure Element. Nok Nok Labs worked with security chip vendors and also with telecom companies to build this capability for certain devices. Now, in Android P, this feature, known as StrongBox, is generally available.

Storing keys in hardware is important, but how does your backend know that it was stored in hardware? Nok Nok Labs developed the concept of attestation which provides cryptographic proof that a key has the protection of hardware. This capability is built into the FIDO protocol, and it is supported natively in Android. Nok Nok has also helped design and implement metadata services for attestation, a subject we will visit in future blog posts.

To safeguard against account takeover, an app can get confirmation from the user for a high-value transaction. To make this work, the mobile OS needs to provide the ability to display a message to the user such that the message cannot be altered by malicious software. You can think of this feature as “what you see is what you sign”. A few years ago, Nok Nok Labs worked with TEE vendors to develop a proof-of-concept showcasing this concept. The notion of a tamper-proof transaction display is built into FIDO, and Google has built this into Android P, which can close out the possibility of phishing completely if correctly used with FIDO.

Although Android has been getting more secure over the years, progress has not been in a straight path, as seen here in this timeline of Android OS releases versus features:

Not all security features are released as part of the operating system. Android has another release vehicle called Google Play Services. The timeline below shows security features delivered this way:

Complicating matters, Android has introduced security features and then superseded them by newer variants, sometimes changing the way the underlying biometric subsystem works. Also, with the ever-changing threat landscape, the evolution of security on mobile operating systems will continue. As an app developer, it can be difficult to keep up with this fast pace of change. Using FIDO authentication is one way to address this dilemma. With FIDO, you don’t need to change your app or backend infrastructure to take advantage of the mix of security capabilities available now and in the future.

We have also seen a similar evolution, perhaps more linear and consistent, in Apple’s iOS. Nok Nok has been the first to adapt these new capabilities to deliver FIDO-based authentication on Apple’s devices, as part of our commitment to deliver authentication for any device, any authenticator.

You can try out Nok Nok’s S3 Authentication Suite, which builds on top of the FIDO standards, now.

Read more
10 Jul
4 Min read

What is the State of Biometrics?

July 10, 2017 | Nok Nok News | Biometrics, Industry News

Each of these interactions, thanks to biometrics, can be accomplished seamlessly and without friction. Switching from a casual inquiry, to a personal, non-sensitive account, to a private, highly secured account is accomplished with a swipe of a fingertip or by blinking into a camera. The advent and mass adoption of consumer-grade biometrics has drastically changed the expectations of the consumer. No longer are they required to create and remember a high-entropy code to use as a shared secret; now they can simply look at that sliver of glass and blink.

And this is only the first wave. As consumers see multiple modes of biometrics crop up on their iPhones and Samsung devices, older platforms are embracing the innovation as well: the W3C is working with the FIDO Alliance to integrate strong authentication, incorporating biometrics, into the standard web browser requirements, and Microsoft’s Modern Keyboard will have a fingerprint sensor hidden in a normal-looking key. The way in which we interact with our smartphones is becoming the way in which we interact with all computing devices.

This allows us to explore a new way of thinking about consumer-grade security. Rather than one large, all-access door, we can introduce a multi-gate system where access to information or functionality at a lower level can be a simple fingerprint swipe, but higher levels of access require additional proof of identity. Historically, a single password was the only thing necessary to access and approve all levels of a transaction, from seeing a balance, to paying a regular bill, to transferring vast amounts of funds. Now, a fingerprint can be used to view an account balance, but a consumer would need a fingerprint plus a facial recognition scan to pay a bill, or fingerprint, face and voice authentication to transfer funds. Even in combination, the friction for the user will still be less than typing a complicated password on a tiny touch-screen.

It is not just those engaged in the biometric field that feel that way. There are significant indicators from both the public and private market that show biometric adoption is increasing. Government organizations are issuing statements like the recent cybersecurity Executive Order in the US, PSD2 in Europe which focuses on financial organizations, the National Cyber Security Strategy out of the United Kingdom – all make specific mention of how to handle biometrics and what biometrics are good for. In the private market, we are seeing adoption from almost every vertical – from Mobile Network Operators, to Payment Providers, to Financial Institutions, even companies focused on the Internet of Things are looking for ways to include biometrics.

But there is still work to be done. While policy makers in government, such as the National Institute of Standards and Technology, issue guidelines to embrace biometrics and deprecate other less secure methods of authentication, department heads, like those at the Social Security Administration, still cling to their outdated models of passwords, one-time passwords, email resets and SMS messaging. There are still advocates for server-side biometric storage who refuse to learn the lessons of the Office of Personnel Management breach in 2015. Financial institutions, while claiming to be centers of innovation, seem to be in a never-ending cycle of evaluating and piloting without ever deploying. During all this time of debate and delay, malicious actors are becoming more savvy and more experienced, and are developing more sophisticated means of breaching newly deployed technology.

At the end of the day, the state of biometrics is mixed: it is both the best of times and the worst of times.

Read more

Nok Nok Labs, Nok Nok, and NNL are all trademarks of Nok Nok Labs, Inc. © 2025 Nok Nok Labs, Inc.
FIDO is a trademark of the Fast IDentity Online, (FIDO), Alliance. All rights reserved.