25 Aug

4 Min read

Next Level Metal Credit Cards

August 25, 2021 Nok Nok News 0 comments

Nok Nok & CompoSecure Partner to Take Metal Credit Cards to a New Level

By David Strom

I got my first metallic credit card from Apple a few years ago. I thought it was more a curiosity than anything else. Soon after, my wife got a metallic card from Chase. American Express and Discover have both been making metal cards for years as well. Now, thanks to a partnership between NokNok and CompoSecure, you will see new types of cards that have something besides their outer skin to offer consumers: the ability to include authentication tokens and cold cryptocurrency wallets. (More on that in a moment.)

These first metal cards are either loved or loathed, depending on your point of view. A brief and very unscientific survey among my Facebook friends brought up strong emotions pro and con: because the cards are thicker than plastic ones, they can be more difficult to remove from your wallet, but they also can be more durable. Some of my friends imagined scenarios where the sharp metal edges could be used in various Ninja moves, but these were more fantasies than realized.

Apple’s card – issued by Goldman Sachs – has the feature where every transaction uses a virtual credit card number. This is particularly useful for online payments. You can easily change this number in the Apple Wallet app. And the physical card itself doesn’t have any account number shown. All of this makes it harder for fraudulent transactions and cybercrime, which run more than $100Bn annually according to the IMF.

But let’s look more closely at the authentication feature. What Nok Nok has announced is the ability to share a FIDO-based digital key to serve as an additional authentication factor for multiple logins. Before FIDO, if I wanted to use multi-factor authentication, I had to carry around a set of hardware or software keys, one for each login. What if I could use my smartphone, working in conjunction with my smart credit card, to accomplish a truly passwordless login? That is the vision with the CompoSecure announcement. Consumers can authorize transactions via a variety of methods: a finger swipe, keying in a six-digit PIN, or tapping the card to their phone to enable an NFC-encrypted transaction.

What happens if your card is lost or stolen, along with your phone? Many of us, myself included, have forgone carrying a wallet and just have a couple of pockets on the backs of our phones for cards. The card – and for that matter, your phone is still protected by the PIN. And if you have set up facial or finger recognition on your phone, that will further protect any access if your phone is found. The idea is appealing: one less dedicated piece of hardware to carry around. As Nok Nok’s CEO Phil Dunkelberger said in this interview, “when you ask a customer to carry a separate device or a separate token, very few customers will be willing to go through that process.”

The cold crypto wallet feature is also interesting. What this means is that your crypto assets are not stored online, but on the device itself. These wallets have been available for several years, but again they are yet another thing to carry around and potentially lose. Having a wallet integrated into a smart credit card itself makes a lot of sense. CompoSecure is building this new card/wallet combination with its Arculus project, which should be out in beta later this year. If your card is lost or stolen, you will need to recover it with a series of passphrases (which hopefully you will not store in any online form). If you use a crypto exchange for your transactions, you can use your cold wallet to send or receive funds. Nok Nok said they will be supporting authentication on Arculus as well.

Using a metal credit card to serve as an authentication credential to secure transactions could be a way to move us further away from using insecure passwords, and marrying convenience and better security. I look forward to trying them out.

02 Apr

3 Min read

How BBVA is using FIDO to protect their customer accounts

April 2, 2021 Nok Nok News 0 comments

Does your bank still think using SMS one-time passcodes are the only additional authentication factors? Mine still does, and I wish I could easily switch to another bank that is more enlightened about their security, such as BBVA. This international bank, which has customers in Spain, the US, Mexico and South America, has been a big supporter of FIDO authentication protocols and uses the Nok Nok S3 Authentication Suite.

Banking is one of the last bastions of old world thinking when it comes to authentication. A quick scan of a directory of banks offering multifactor authentication (MFA) show that most are still stuck in the past. BBVA is the first Spanish bank that has adopted FIDO methods for its customers.

FIDO leverages existing biometric methods for authentication, such as fingerprint and facial recognition, that are built-into the more recent smartphones. This means customers don’t have to go through more complex procedures to secure their transactions. Customers can also quickly check to see which of their phones and laptops have accessed their account with a list of “my secure devices,” which is a quick way to find out who has been authorized to use your account.

Banks though should be more forward-thinking and embrace FIDO, especially those banks that are moving towards having a more capable digital footprint. There are three reasons: First, account takeover fraud is rampant and increasing. Phishing lures are getting better, especially during the pandemic where customers are not necessarily paying attention to dodgy Covid-related messages that could cause a compromised account.

Second, PSD2 regulations require better authentication methods. The latest version of the Payment Services Directive of the EU has created the strong customer authentication requirement for all customer-initiated online payments and bank transfers and the EU began enforcing this requirement last year. This means when a customer wants to transfer funds, for example, they would need to make use of MFA to authenticate themselves. FIDO is one of the easiest and most secure ways to accomplish this, and the Nok Nok tools can enable this “step-up” authentication to make it seamless for the bank’s customers.

This means that authentication is not just accomplished when a customer logs into their account but as needed to safeguard their activities and protect the high risk accounts with a more secure process. The beauty of FIDO is that this protection is delivered without putting an additional burden on the user.

Finally, SMS-based authentication is a security sinkhole and can easily be compromised. The record of various stories about these compromises goes back several years. Most recently was this piece in Vice that described how one third-party utility can be used to gain access to your SMS identity without any subscriber even knowing it has been compromised. Banks really shouldn’t rely on SMS for any authentication activity.

BBVA announced last year that they began deploying Nok Nok’s software across their customer base, and since then many of their customers are using FIDO to authenticate. “Traditionally, one of the biggest challenges of authentication systems has been to balance security with user experience. Due to the FIDO standard, we are confident that both elements work together seamlessly to provide customers with the highest security standards, along with a transparent and agile user experience,” says Juan Francisco Losa, BBVA’s Global Technology and Information Security Officer.

Nok Nok has numerous banking customers using their FIDO tools, including the Iceland-based Landsbankinn and the South African-based Standard Bank. Now if only I could get my own bank on board with FIDO.

04 Mar

4 Min read

Why Intuit picked FIDO

March 4, 2021 Nok Nok News 0 comments

One of the long-time FIDO supporters gave testimony to its biggest benefits at the recent Authentication 2020 conference. The speaker was Marcio Mello, who is the head of Product for Intuit’s identity and profile platform. The benefits are saving money and time when users have to login to their SaaS financial offerings from Intuit.

Intuit was interested in FIDO for many years, and at the beginning of 2020 rolled out a FIDO application for iOS users of TurboTax, its tax preparation package. Now, if you are like me and if you use some form of this software, your goal is to spend as little time as possible using it. When you are done with your taxes and file them with the IRS, you hope this is the last time you will ever see this software until next year. Well, that works against usability in a big way, because most of us don’t remember our account passwords. Mello reminded his audience of this fact: “We have yearly active TurboTax users,” he said during his presentation. “Our users don’t come back anytime soon, so often they don’t remember their account sign-in information and then have to hassle with recovering their accounts.”

This is a perfect use case for FIDO, and Intuit created a new process so they wouldn’t have any passwords to remember. Their goal was to require as few clicks as possible to sign in. “We didn’t want to remain the identity police because we had a poor user experience,” he said. “With the old pre-FIDO ways, users had a lot of data entry to key in. The faster we can get them into our app, the better for everyone. This is because we are all in this together for a passwordless journey. And it is a long-term journey, because it isn’t just offering a quick fix.”

Intuit evaluated various FIDO vendors and picked NokNok’s S3 Authentication Suite. As part of their evaluation, they ran various stakeholder education sessions with everyone that would be involved in the rollout. They approached the project by first building the user interface for sign on and account management, then did a phased launch with the iOS version of TurboTax. Their goal was to get rid of OTP SMS for sign ins. Here is a diagram from Mello’s talk that outlines how they intended to evolve their user interface and authentication policies.

He mentioned during his presentation that FIDO offered many benefits:

The ability to future-proof identity standards that are also scalable and customizable.
An opportunity to lower our operational costs.
Improve both security and privacy by having identity credentials that remain on your mobile phone.
Adding friction at the appropriate times when users are doing something riskier on their accounts.

That last point is an important one, because it is a sign of assurance and mutual trust. Before FIDO, there was friction all over the place, which promoted just the opposite intention. They intended to use a combination of visible and invisible signals for fraud detection such as user behavior as part of the authentication process, which is the last line on the chart above.

So what happened? Their results were impressive. They found that since the beginning of the rollout in January 2020, there was a 99% reduction in users having to recover their authentication details and a corresponding big reduction in support costs and phone calls. There was also a 20% improvement in successful sign-ins, when previously moving the needle 1% had proven to be very difficult. There was a 60% reduction in the time it takes to onboard new users through account creation on the iOS app. They quickly got 2/3rd of mobile app sign-ins via FIDO and 23% of their users are now totally passwordless. “It is only a matter of time before all of our users will activate FIDO biometrics on their devices,” said Mello. As part of the FIDO project, they have extended FIDO authentication to other Intuit apps. “One of the advantages of FIDO is that we can customize how the initial authentication dialogs are presented for each of our applications. It isn’t a one-size-fits-all anymore around here.” They are also working on extending FIDO authentication in their browser applications leveraging Nok Nok’s ability to support passwordless authentication across any touchpoint – mobile app, mobile web, pc web and even SmartWatches.

Contact Us

Latest Posts

Navigation

Please complete this form to view and download this resource.