
Quantum is Knocking!

October 16, 2024, by Dr. Rolf Lindemann. Categories: FIDO Alliance, Open Banking, Opinion

Do you remember the movie Sneakers and the infamous black box labeled Setec Astronomy? That fictional device could decrypt any secret, an ability that seemed fantastic at the time. Now, quantum computers may turn that fiction into reality. These powerful machines have the potential to revolutionize our digital world, where nearly all internet communication is protected by cryptographic protocols like TLS, and our banking and payments systems rely on cryptography for card transactions and user authentication. We finally have arrived at the “too many secrets” moment hinted at in Sneakers.

Let’s dive deeper into what is driving this change, why it is urgent, and what lies ahead in this rapidly evolving space.

The Drivers

Cryptography enables us to securely encrypt information, ensuring that only authorized entities can view sensitive data, even when it is transmitted through public networks like the internet. It plays a critical role in remotely authenticating users and systems, as well as signing data to protect message integrity “at rest” and “in transit”. Essentially, cryptography is the security of the internet, since relying on dedicated communication lines without proper cryptographic protections is impractical.

Recent advances in quantum computing push the boundaries of what is possible – quantum computers are on the verge of surpassing classical computers on certain tasks. Some complex problems that are challenging for classical computers can be solved more efficiently by quantum computers. The most notable example is Shor’s algorithm, which enables quantum computers to factorize integers in polynomial time, where classical computers require exponential time. This is relevant for the RSA algorithm, which depends on the difficulty of factorization for its security. Note that there are still problems (more precisely: researchers believe there will remain problems) that are difficult for both classical and quantum computers, such as the “traveling salesman problem”. So in short, quantum computers are powerful, but not the all-powerful “black box” decryption machines featured in Sneakers.

The Urgency

The NSA set 2035 as the deadline to transition to post-quantum cryptography (PQC) algorithms in national security systems. While not all systems are as sensitive as national security systems, this deadline serves as a good indicator for other industries to consider as well.

So why 2035? In the quantum computing world, performance is measured in qubits. In 2020, IBM predicted it would have a quantum computer with 1 million physical qubits by 2030. In 2023, IBM refined its projections with a more concrete plan to reach 100k physical qubits by 2033.

Current research suggests that 4,099 (fault-tolerant) qubits are sufficient to break RSA with 2048 bit keys – a widely used cryptographic algorithm today. This estimation assumes perfect fault-tolerant qubits. Since today’s quantum computers are very noisy, Quantum Error Correction (QEC) is required, and that adds a large qubit overhead, in the range of 10 – 100 or even up to 1000 physical qubits to implement a single fault-tolerant qubit. This means 40,000 to 4 million physical qubits are required to break RSA 2048. Based on current progress, experts predict that by 2035, quantum computers capable of breaking modern cryptographic algorithms such as RSA 2048 may exist. For context, quantum computers with 1180 physical qubits are available today, more than doubling last year’s 433 physical qubits limit.

While 2035 may seem far away, multiple factors drive a sense of urgency. In high-security applications, cryptographic operations are often performed using hardware such as payment cards, hardware security modules, FIDO security keys, smartphones, and electronic ID cards. Hardware tends to have a longer lifetime than software. Devices like FIDO security keys and electronic ID cards in particular are expected to have a lifetime of 10 years, which means that by 2025 there will already be demand for cryptographic hardware that is enabled for PQC. While some hardware devices, such as network communication devices or hardware security modules, might be able to add PQC support through firmware updates, others, such as FIDO security keys and electronic ID cards, typically require hardware support that cannot be updated.

While it is sufficient to have PQC in place for signing and authentication use cases by 2035, encryption is a more urgent challenge. Known as “harvest now, decrypt later”, adversaries may be harvesting encrypted data hoping to decrypt it in the future using high-performance quantum computers. As a result, encryption solutions may need to be updated even sooner to mitigate this risk.

What Happens Next

NIST’s PQC project has made great progress with the publication of the first three PQC algorithms: FIPS 203, FIPS 204 and FIPS 205, and a fourth in the works.

This milestone provides the necessary clarity for protocol designers to add PQC to critical systems like TLS, FIDO, and payment networks. This in turn serves as the basis for security software products to implement PQC support.

For security engineers, especially those working on cryptographic hardware, this development is equally important. Hardware-level implementations require more lead time due to the complexity of securing firmware against side-channel attacks and other vulnerabilities. Designing, optimizing, producing, and certifying new PQC-ready chips requires more time and careful attention to ensure security.

At that point we will see more proof-of-concept implementations and pilot deployments, eventually transitioning users to a new generation of cryptographic algorithms. In an ideal world users won’t even notice the transition and all the hard work that went into it.

As an inventor of the FIDO authentication protocol and a co-founder of the FIDO Alliance, Nok Nok continues to lead the way in supporting post-quantum cryptography. We closely monitor advances in PQC and actively help evolve the FIDO protocols to stay ahead of emerging threats. Nok Nok products are designed with built-in flexibility to support post-quantum cryptography, ensuring that our customers stay secure both now and in the future.


When Securing Transactions, Global Experience Gets it Done

March 15, 2024, by Nok Nok News. Categories: Biometrics, Opinion

In today’s digital age, banking apps on mobile devices have become ubiquitous, offering convenience and ease of access to financial services. With more than half of Generation Z, Millennials, and Generation X favoring mobile banking apps, it’s evident that traditional brick-and-mortar banking is rapidly being replaced by digital solutions. However, as the adoption of mobile banking apps continues to soar, ensuring robust security while maintaining a seamless user experience has become a paramount concern for banks worldwide.

To address these challenges, banks are turning to advanced technologies such as FIDO (Fast Identity Online) and WebAuthn (Web Authentication) to revolutionize payment authorization processes. It’s crucial to understand how these technologies are implemented, especially considering the differing approaches between the United States and the European Union.

In the United States, the emphasis is on leveraging biometrics within banking apps to streamline payment authorization. Users can authenticate using biometric features such as fingerprint or facial recognition, eliminating the need for cumbersome password entry. However, for online payments, the reliance on risk analytics and SMS one-time passwords (OTPs) has resulted in high rates of card-not-present fraud and false declines. The use of SMS OTPs often leads to user friction and increased abandonment rates, as customers are required to switch contexts or even use a second device. To combat these challenges, Secure Payment Confirmation (SPC) has been introduced, built on top of FIDO/WebAuthn to provide a phishing-resistant credential for authorizing online transactions with a single gesture, be it biometric or PIN. This approach significantly improves conversion rates, reduces fraud, and minimizes false declines, ultimately enhancing both security and user experience.

On the other hand, in the European Union, banking apps also utilize biometrics for authentication, mitigating the need for password entry and enhancing security. However, the approach to online payment authorization differs, with push-to-app being the preferred method. Users are required to switch to their banking app to approve payment transactions, introducing friction and potentially increasing abandonment rates. Despite the use of biometrics within the banking app context, the past impracticality of biometrics in the context of merchant apps – especially web apps – has limited its widespread adoption. Another significant limitation is the lack of integrity protection for web apps; because of this, implementing “what-you-see-is-what-you-sign” directly in web apps is not possible today. To address these challenges, Secure Payment Confirmation (SPC) is employed on top of, and leveraging, FIDO/WebAuthn to provide a phishing-resistant credential that is triggered by the merchant’s app or by the issuer’s access control server (ACS). This approach improves conversion rates by simplifying the payment authorization process while maintaining robust security measures.

In both regions, the adoption of FIDO/WebAuthn-based solutions marks a significant step forward in enhancing the security and usability of payment authorization triggered by web apps or by an ACS. By providing users with seamless and secure authentication methods, banks can instill trust and confidence while fostering greater adoption of digital banking services.
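To make concrete what the issuer side gains from the phishing-resistant, single-gesture SPC credential described above, here is an added example (my own code, not Nok Nok’s product and not code from the SPC specification) of the server-side check that binds an SPC assertion to the transaction the user actually saw. The clientDataJSON field names (`type` of `payment.get`, and a `payment` member carrying `rpId`, `topOrigin`, `payeeOrigin`, `total` and `instrument`) follow the W3C Secure Payment Confirmation specification; the RP ID, merchant origin, challenge and amounts are constructed sample values. The function returns the bytes the authenticator signed; checking the signature over them with the credential’s registered public key is left to a WebAuthn library. If a compromised merchant page changed the amount after the user approved it, the signed client data would no longer match the expected total and the check fails.

```python
import base64
import hashlib
import json
import struct


class VerificationError(Exception):
    """Raised when the assertion does not bind the expected transaction."""


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix of authenticatorData: rpIdHash, flags, signCount."""
    if len(auth_data) < 37:
        raise VerificationError("authenticatorData too short")
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & 0x01),   # UP bit
        "user_verified": bool(flags & 0x04),  # UV bit
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }


def verify_spc_binding(client_data_json: bytes, auth_data: bytes, *,
                       rp_id: str, allowed_origins: set, expected_challenge: bytes,
                       expected_payee_origin: str, expected_total: dict) -> bytes:
    """Check that the signed client data describes exactly the transaction the
    issuer/ACS expects and return the bytes the authenticator signed.
    Verifying the signature over those bytes with the registered public key
    is the remaining step (use a WebAuthn library for it)."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "payment.get":
        raise VerificationError(f"unexpected clientData type {cd.get('type')!r}")
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        raise VerificationError("challenge mismatch: stale or replayed assertion")
    if cd.get("origin") not in allowed_origins:
        raise VerificationError(f"origin {cd.get('origin')!r} not allowed")
    payment = cd.get("payment") or {}
    if payment.get("rpId") != rp_id:
        raise VerificationError("payment.rpId mismatch")
    if payment.get("payeeOrigin") != expected_payee_origin:
        raise VerificationError("payee mismatch: user approved a different merchant")
    total = payment.get("total") or {}
    expected = (expected_total["currency"], expected_total["value"])
    if (total.get("currency"), total.get("value")) != expected:
        raise VerificationError("amount mismatch: user did not approve this total")
    ad = parse_authenticator_data(auth_data)
    if ad["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        raise VerificationError("rpIdHash mismatch")
    if not ad["user_present"]:
        raise VerificationError("user presence not asserted")
    return auth_data + hashlib.sha256(client_data_json).digest()


# --- constructed sample data (not captured from any real deployment) ---
RP_ID = "issuer-bank.example"
MERCHANT_ORIGIN = "https://shop.example"
CHALLENGE = hashlib.sha256(b"constructed-session-nonce").digest()
EXPECTED_TOTAL = {"currency": "EUR", "value": "49.99"}


def sample_client_data(value: str) -> bytes:
    """Build clientDataJSON as a browser would produce it for an SPC call."""
    return json.dumps({
        "type": "payment.get",
        "challenge": b64url_encode(CHALLENGE),
        "origin": MERCHANT_ORIGIN,
        "crossOrigin": False,
        "payment": {
            "rpId": RP_ID,
            "topOrigin": MERCHANT_ORIGIN,
            "payeeOrigin": MERCHANT_ORIGIN,
            "total": {"currency": "EUR", "value": value},
            "instrument": {"displayName": "Card ending 1234",
                           "icon": "https://issuer-bank.example/card.png"},
        },
    }).encode()


def sample_auth_data(user_verified: bool = True) -> bytes:
    """rpIdHash (32) + flags (1) + signCount (4), as an authenticator emits them."""
    flags = 0x01 | (0x04 if user_verified else 0)
    return hashlib.sha256(RP_ID.encode()).digest() + bytes([flags]) + struct.pack(">I", 7)


def check_transaction(value: str) -> bool:
    """True if an assertion whose client data shows `value` binds the expected EUR 49.99 sale."""
    try:
        verify_spc_binding(sample_client_data(value), sample_auth_data(),
                           rp_id=RP_ID, allowed_origins={MERCHANT_ORIGIN},
                           expected_challenge=CHALLENGE,
                           expected_payee_origin=MERCHANT_ORIGIN,
                           expected_total=EXPECTED_TOTAL)
        return True
    except VerificationError:
        return False


if __name__ == "__main__":
    print("genuine:", check_transaction("49.99"))     # True
    print("tampered:", check_transaction("4999.00"))  # False
```

The order of checks matters little for correctness, but rejecting on the challenge first keeps replayed assertions from reaching the amount comparison, and the origin allow-list is the place where an issuer decides which merchant origins may trigger SPC for its credentials.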

As the banking industry continues to evolve in the digital era, it’s clear that innovative technologies will play a crucial role in shaping the future of financial services. By prioritizing security and user experience, banks can position themselves as leaders in the digital transformation of banking, driving greater customer satisfaction and loyalty in an increasingly competitive landscape.

When banks need to implement Secure Payment Confirmation (SPC) requirements, partnering with trusted FIDO vendors like Nok Nok who have experience in both US and EU payment security can ensure the successful implementation of this technology. Nok Nok’s ability to demonstrate a large user base employing various authentication protocols to produce cryptographic evidence further solidifies its position as a reliable partner in enhancing the usability for secure online payments.


2024 Security Industry Predictions: Consolidation, ROI, and the AI Hype Train

January 29, 2024, by Phil Dunkelberger. Categories: Cybersecurity, Opinion

Why is the security industry still thriving, and why do we have so many vendors claiming to be the ultimate protector of your precious data? Maybe there is a reason why malware seems to be multiplying. In January 2020, just before the pandemic, I was a guest speaker at CES, where I talked about how in 2019 just over 8 billion devices connected to the internet. As of the end of 2023 that number has almost doubled to 15 billion devices. That is people and things connecting and accessing data – all of which need to be authenticated and protected. This is why phishing, malware and other bad actors make the security industry so necessary and important.

So, as we lean into 2024, it’s time to see what might be in store for this ever-evolving realm of digital defense. Spoiler alert: it’s a mixed bag of consolidation, ROI pressure, AI hype, and regulatory crackdowns. While you may be looking for the silver bullet, there is no substitute for constant vigilance, training and awareness of security issues.

1. Further Consolidation? Groundbreaking!

We can’t avoid it; it is almost a constant now in our industry – consolidation. It’s like a never-ending game of cybersecurity Tetris, where the bigger players gobble up the smaller ones, and we all pretend to be surprised. What’s next? Well, expect even more consolidation (remember Symantec or McAfee), especially among companies dabbling in machine learning, AI, and encryption. In the first quarter of 2023 alone there were 10 announced consolidations! But despite what started out looking like a lot of activity, 2023 was actually a slow year overall for M&A in the security industry.

You see, there are so many of them out there, all claiming to be the superheroes of security. But here’s the rub: they often have overlapping technologies, creating a cacophony of confusion for customers. So, it’s survival of the fittest, and the biggest fish in the cyber-pond will swallow up the minnows. Just remember, when your favorite cybersecurity startup disappears, it’s probably because they got gobbled up by a larger fish. Bon appétit!

2. ROI: Prove It or Move It

So when the M&A market is slow, as a company you need to focus more on proving ROI so you can garner customers – the pressure is on. Gone are the days when a snazzy logo and some jargon-filled marketing materials were enough to convince businesses to part with their precious dollars for cybersecurity solutions. In 2024, the name of the game is “Show me the money!” or more accurately, “Show me the ROI!”

It’s not enough for companies to claim they can save you from cyber-calamities; they’ll need to demonstrate real-world results. No more smoke and mirrors, folks. Cybersecurity providers will be under intense pressure to prove the effectiveness of their solutions. Fancy algorithms and buzzwords won’t cut it anymore. If they can’t show how they’re actually preventing breaches or mitigating threats, they might as well pack up their snake oil and hit the road.

There will also be a need to demonstrate ROI across more teams within your overall organization. Gone is the day when the CISO alone can make the decision. With so many projects in motion at companies, and security needing to integrate into almost every application, the internal “Prove it and Show me” tour is a longer road.

3. AI and Machine Learning: Hype and Reality in a Three-Sided Coin?

AI and machine learning, the darling buzzwords of the tech world. Every cybersecurity company wants you to believe that they’ve trained an army of sentient robots ready to defend your data. But hold your cyber-horses, because in 2024, the AI hype train might just run out of steam.

Sure, AI and ML have their place in cybersecurity, but they’re not the magical panaceas some claim them to be. Their effectiveness needs to be proven in real-world scenarios, not just in glossy brochures. So, while companies will continue to ride the AI wave, users should keep their skepticism shields up. After all, no algorithm can replace good old-fashioned human vigilance and common sense when it comes to staying secure.

Be forewarned – AI is a three-sided coin. There absolutely is benefit in AI that both the attacker and defender need to learn how to take advantage of – but it is the one who best learns to take advantage of the “edge” – who finds the margin – that will win using AI in the security world.

4. Regulatory and Privacy Demands: Brace for Impact

Now, here’s the sobering part of our prediction party – on a global and regional basis. Brace yourselves for more regulatory and privacy demands in the cybersecurity landscape worldwide. Meeting regulatory requirements is no longer a broad checkbox item; it is regionally and vertically critical that security vendors address the regulations. As if navigating the labyrinth of cybersecurity compliance wasn’t already fun enough, we can expect even more rigorous standards and potentially more severe consequences for companies that fall short.

This too is not unlike the consolidation shifts we see every so often – this is a pendulum swing that follows the pace of new technology. When AI bursts onto the scene, along comes regulation; some might call it a knee-jerk reaction, but when you are dealing with personally identifiable information (PII) or corporate information – intellectual property (IP) – the road is complex. We have some examples that have helped along the way, like PSD2, the FIDO standard and the recent introduction of passkeys. But there is a long way to go, just as seatbelts (or airbags) didn’t stop people from being injured in car accidents.

With cyber-threats becoming more sophisticated and data breaches making headlines, governments and regulators need to be on top of the latest new technologies. They want to ensure that companies take data protection seriously. So, don’t be surprised if you find yourself buried in a mountain of compliance paperwork and facing hefty fines for non-compliance. It’s the price we pay for playing in the digital sandbox, folks.

The security industry in 2024 promises to be a whirlwind of further consolidation, ROI scrutiny, AI skepticism, and regulatory headaches. As businesses and individuals rely more than ever on digital platforms, the pressure on the cybersecurity industry to deliver real, measurable results is mounting. While there may be challenges ahead, it’s all in the name of keeping our digital world safe. So, stay vigilant, demand proof, and keep your cybersecurity wits about you in this brave new era of digital defense.


Still not a FIDO believer? Apple Just Made a Big Bet

June 26, 2020, by Nok Nok News. Categories: FIDO Alliance, Industry News, Opinion

It’s been an exciting week as Apple has once again shown its commitment to stronger, standards-based authentication by adding support for Web Authentication Platform Authenticators to iOS, iPadOS, macOS and Safari. With browsers like Safari allowing their users to leverage Face ID or Touch ID based platform authenticators to log in to websites, the final puzzle piece in the authentication game is in place!

It is great to see how quickly Apple has added support for FIDO to their platforms – allowing their users to leverage strong passwordless FIDO authentication. Furthermore, the move by Apple means that users can take advantage of Nok Nok’s passwordless authentication directly in browsers running on iPhones, iPads and Macs going forward, meaning Nok Nok’s reach on mobile browsers increases to approx. 70%.

This milestone has been a long time coming, arriving on the heels of massive momentum for FIDO:

In late 2019 as part of Safari 13, Apple announced support for Web Authentication when using FIDO Security Keys, i.e. the ability to use hardware tokens for strong authentication. These FIDO Security Keys are often deployed by enterprises for workforce authentication.

In February of 2020, Apple joined the FIDO Alliance, which was seen as a public commitment to FIDO and it fueled the expectation of full FIDO support on Apple devices soon.

For large-scale customer authentication deployments, however, the first two steps didn’t have a significant effect in practice, as most customers don’t carry FIDO security keys with them.

The recent announcement to add “Web Authentication Platform Authenticator” to Safari 14 addresses this important use case.
Today, passwordless customer authentication is already practical in Mobile Apps running on Android or iOS devices and in Web Browsers running on Windows 10 PCs and Android smartphones.

Once Safari 14 is shipping and users have updated to this version of Safari, FIDO passwordless authentication can be used on iOS, iPadOS and macOS powered devices – expanding FIDO support to all major platforms – a significant milestone towards a new more secure modern authentication framework for today’s digital world. With coverage across all major platforms, and the many benefits of moving off legacy authentication, there is no reason to wait to embark on your passwordless journey.

And with Nok Nok’s certified Universal Server, organizations can perform and manage FIDO passwordless authentication across all platforms, even including smart watches, through a single developer API. The Nok Nok S3 Authentication Suite supports all verification steps mentioned in Apple’s WWDC 2020 session “Meet Face ID and Touch ID for the web”, and it supports many more features to make passwordless authentication easy for organizations to deploy.


Where is Identity Headed in 2019? My Top Five Predictions

December 21, 2018, by Nok Nok News. Category: Opinion

From a gaggle of breaches — thousands of major ones a year, at least two or three annually for most organizations — the trade press and analyst circles have rightfully gone into lessons-learned mode. Against that backdrop, I’m hoping my predictions will nudge the discussion forward — to the inflection point where we take those lessons learned and use them for concrete action!

Authentication will rise with the demand of zero trust
Just as 2017 became known as the Year of the Data Breach (as Bloomberg called it), 2018 was the year where Zero trust security models took center stage as a viable security and identity management response. Now everybody’s starting to realize zero trust has zero value unless it’s backed by strong authentication. Without mature authentication, identity management and Privileged Access Management (PAM) that’s scalable and dynamically adjusts based on policies, it’s hard to apply zero trust without slowing down the speed of business. That’s why we’ll be seeing more and better authentication solutions to prevent zero trust from operating at zero speed.

Social media fraud and political meddling will continue unless providers get serious about authentication
This deserves to be its own list item, given the global scale of adoption and the outsized role authentication plays in social media — identities don’t just get stolen, they’re also replicated, made up, curated and endlessly morphed for fraud, election tampering and other purposes. How can we afford not to get serious about authentication? And it’ll take more than just voicing support or joining an industry consortium. Signs that a company is serious include deploying standards and making them mandatory, support for legislation and embracing transparency by sharing actual metrics and other data.

The variety of biometrics will continue to grow
The industry will keep churning out new forms of traditional and behavioral biometrics, thanks to a confluence of technical innovation and evolving standards like FIDO that simplify and streamline how biometrics are used in all kinds of industries. As this continues, businesses will have more and more options and we’ll get closer to a plug and play level of interoperability — think of how your blender, toaster and microwave can all operate on the same kitchen power strip and you begin to see what’s possible.

The global regulatory environment will become more challenging
If strong authentication and other cyber protections don’t seem like a good business idea by now, they will after you remember how upwardly steep the curve toward regulation has been. And given rising complaints and the number of breaches, there’s no sign of it slowing anytime soon. You’ll see more data privacy protection as was done with GDPR. While this is great progress, we’re going to see more challenges in the form of stronger enforcement, steeper fines and more demands for company data.

The sports and entertainment industry will continue to be a growth area for biometrics
This final prediction comes not just from the market trends we’re seeing, but also personal experience. As I saw firsthand from the misery on my teenage niece’s face at the box office window when she learned the ticket she bought online was a fake — valuable experiences can be stolen, just like valuable products or data. Not surprisingly, biometrics in both sports and entertainment will keep rising. Whether verifying identity for entry and seating, or age for drinking alcohol, entertainment venues and systems have a host of use cases just waiting for strong authentication to solve.

These are the dynamics that will more or less shape the industry in 2019. And while it’s impossible to predict every development or impact, I’ll consider this post a success if we can at least shift the focus onto action — new levels of commitment to put ideas and lessons learned into practice for better authentication and identity management.


Nok Nok Labs Addresses Potential WebAuthn Protocol Security Concerns

September 12, 2018, by Nok Nok News. Category: Opinion

A team of researchers at Paragon Initiative recently shared a few security concerns related to some cryptographic algorithms in WebAuthn—a web authentication API protocol. In an August 23 blog post, the Paragon team provided an overview of the potential issues they feel WebAuthn is exposed to as a result of vulnerabilities with underlying or supported algorithms. The research is thorough, and the effort to educate users is admirable. However, the security concerns should also be considered in context and with the understanding that how the protocol is implemented plays a significant role.

The WebAuthn specification supports different algorithms, some of which are stronger than others. That is a challenge faced by virtually every standard. Standards bodies typically strive to address the widest possible audience and cover the widest range of products or services in an effort to maximize adoption and market reach. The need for backward compatibility and interoperability with other platforms and standards opens the door to potential weaknesses that exist in legacy or third-party components.

It is what you do with the standard that matters.

The overall strength of a security solution depends on the availability of necessary security infrastructure elements and—most importantly—the strength of the implementation. A good implementation needs to be flexible and provide a framework to allow service providers to make the best choices based on the strengths of the incoming device requests. In the cases where there are weaker devices involved, additional steps need to be taken to validate incoming data and mitigate the underlying risk.

The article from Paragon raises two primary areas of concern: signature forgery vulnerabilities inherent to RSA PKCS1v1.5 padding, and potential weaknesses in the use of ECDAA. WebAuthn is a web authentication API and web browsers add a layer of complexity, interfaces, and APIs above and beyond the operating system. The expanded attack surface opens the door to a variety of possible attacks that are not a function of WebAuthn itself.

The concerns raised by Paragon are not an issue for products from Nok Nok Labs. Nok Nok Labs has deployed products that implement FIDO protocols globally and at a massive scale for the past 4 years. We endorse high security standards and implementations—and that includes scenarios with WebAuthn as well.

Customers who rely on Nok Nok Labs products can specify acceptable algorithms and authentication characteristics through policy. This enables our customers to detect and potentially block weak implementations and mitigate exposure to risk resulting from weaknesses in specific underlying algorithms. It also allows customers to assign risk scores to specific authenticators that use weak or vulnerable algorithms. Using the risk scores provides an opportunity for customers to require additional step-up authentication for improved security, delay the transaction, or take other appropriate measures to reduce risk and ensure strong security.

Nok Nok Labs gives customers the flexibility to limit exposure to these types of flaws through configuration and policy. We also give customers the ability to identify scenarios that are higher risk and require step-up authentication to provide additional protection.
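As an added illustration of the policy approach described in the two paragraphs above (my own code, not Nok Nok’s product or its configuration format), the following Python evaluates a WebAuthn credential’s COSE algorithm identifier and authenticator model (AAGUID) against a relying-party policy, scores the risk, and returns allow, step_up or block. It also derives the `pubKeyCredParams` list the server offers at registration, so weak algorithms are never requested in the first place. The COSE identifiers are the registered IANA values (ES256 is -7, EdDSA is -8, PS256 is -37, RS256 is -257, RS1 is -65535); the risk weights, thresholds and AAGUIDs are constructed placeholders.

```python
from dataclasses import dataclass

# COSE algorithm identifiers (IANA COSE Algorithms registry) as used in WebAuthn.
COSE_ALG_NAMES = {
    -8: "EdDSA",
    -7: "ES256",
    -35: "ES384",
    -37: "PS256",
    -257: "RS256",   # RSASSA-PKCS1-v1_5 with SHA-256
    -65535: "RS1",   # RSASSA-PKCS1-v1_5 with SHA-1
}


@dataclass(frozen=True)
class AlgorithmPolicy:
    preferred: tuple           # order offered to clients in pubKeyCredParams
    risk_points: dict          # per-algorithm risk weight; algorithms absent here are blocked
    denied_aaguids: frozenset  # authenticator models barred outright
    known_aaguids: frozenset   # models with reviewed attestation; unknown ones cost risk
    step_up_at: int = 25
    block_at: int = 50


# Constructed policy: EC, EdDSA and PSS signatures carry no weight, the
# PKCS#1 v1.5 variant RS256 is tolerated but scored, and RS1 is not accepted.
POLICY = AlgorithmPolicy(
    preferred=(-7, -8, -37, -257),
    risk_points={-7: 0, -8: 0, -37: 0, -35: 0, -257: 30},
    denied_aaguids=frozenset({"00000000-0000-0000-0000-00000000dead"}),  # placeholder id
    known_aaguids=frozenset({"11111111-2222-3333-4444-555555555555"}),   # placeholder id
)


def pub_key_cred_params(policy: AlgorithmPolicy = POLICY) -> list:
    """pubKeyCredParams for PublicKeyCredentialCreationOptions, best algorithm first."""
    return [{"type": "public-key", "alg": alg} for alg in policy.preferred]


def evaluate_credential(alg: int, aaguid: str, user_verified: bool,
                        policy: AlgorithmPolicy = POLICY) -> dict:
    """Score a credential (at registration or assertion time) and decide
    allow / step_up / block, with the reasons that drove the score."""
    name = COSE_ALG_NAMES.get(alg, str(alg))
    if aaguid in policy.denied_aaguids:
        return {"decision": "block", "risk": policy.block_at,
                "reasons": ["authenticator model denied by policy"]}
    if alg not in policy.risk_points:
        return {"decision": "block", "risk": policy.block_at,
                "reasons": [f"algorithm {name} not accepted by policy"]}
    reasons = []
    risk = policy.risk_points[alg]
    if risk:
        reasons.append(f"{name} uses PKCS#1 v1.5 padding")
    if aaguid not in policy.known_aaguids:
        risk += 20
        reasons.append("authenticator model not on reviewed list")
    if not user_verified:
        risk += 20
        reasons.append("no user verification (UV flag clear)")
    if risk >= policy.block_at:
        decision = "block"
    elif risk >= policy.step_up_at:
        decision = "step_up"
    else:
        decision = "allow"
    return {"decision": decision, "risk": risk, "reasons": reasons}


if __name__ == "__main__":
    print(pub_key_cred_params())
    for alg, aaguid, uv in [(-7, "11111111-2222-3333-4444-555555555555", True),
                            (-257, "11111111-2222-3333-4444-555555555555", True),
                            (-65535, "11111111-2222-3333-4444-555555555555", True),
                            (-7, "99999999-0000-0000-0000-000000000000", False)]:
        print(COSE_ALG_NAMES.get(alg), evaluate_credential(alg, aaguid, uv))
```

The same `evaluate_credential` call fits both points in the text: at registration it decides whether to accept the credential at all, and at assertion time the `step_up` outcome is where a relying party would require an additional factor or delay the transaction rather than fail it outright.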

Nok Nok Labs is a founder and strong supporter of FIDO and we stand by WebAuthn. We also recognize that there are potential security concerns inherent with developing a general standard that provides backwards compatibility and interoperability, and the steps that must be taken at the implementation level to address them.

For further questions or comments, please contact Nok Nok Labs ([email protected]).


Authentication | Do the Simple Things | Uber & the Horsemen of the Breach Apocalypse

November 22, 2017, by Nok Nok News. Category: Opinion

The reporting by Bloomberg and early disclosures from Uber indicate that the root cause was once again a credential compromise (stolen login credentials for a cloud-based storage system used by its developers). That attack allowed a small lapse in security to spiral into a huge liability for the brand and the business.

While others may gloat at Uber’s misfortune, sadly, this is par for the course in the industry. The use of credentials (passwords, legacy OTP) that can be stolen, phished or attacked by man-in-the-middle is rampant. Such neglect hasn’t risen to board-level attention, or there would be a rush to modernize credential systems to protect against such attacks.

It is a well-documented fact in neuroscience research that individuals are very poor at assessing risk. We worry about terrorist events when we are far more likely to be crushed by furniture. We spend millions of dollars on dubious pills when a short walk around the block would do more to extend our lifespan. We are two times more likely to be attacked by a vending machine than a shark, yet the term “Jaws” is more often associated with the gilled variety than the human.

Corporations are no different. In an age of threats such as weak credentials that stand to damage their customers, gut the value of their brand and jeopardize the course of their business, they persist in irrational actions and investments when simple measures like prioritizing modern strong authentication practices would eliminate many of the threats they face.

The First Horseman of the Breach Apocalypse: Weak Credentials

Weak credentials make up the First Horseman of the Breach Apocalypse and he will mercilessly continue to cut down leaders and businesses that persist in using them.

Most of the industry today is locked into shamefully weak and insecure authentication practices based on password management and legacy OTP systems, both of which rely on symmetric shared secrets. These practices are vulnerable to phishing and malware and lead to scalable attacks that can harvest credentials for more damaging uses. Verizon’s 2017 Data Breach Investigations Report documents that 81% of the data breaches involve a compromised credential.

Further, these businesses irrationally pour millions of dollars into firewalls/intrusion-detection/APT systems, home-grown or proprietary authentication systems ahead of investing in strong standards-based modern multi-factor authentication.

There is salvation from the First Horseman of the Breach Apocalypse – widely deployed, market tested and universally endorsed standards like those from the FIDO Alliance can provide phishing and MitM resistant strong, multi-factor, password-less authentication that is simple for users, developers and IT staff to manage.

There are other Horsemen (patching, encryption and others) to be sure and the nature of living in the modern connected world involves risk.  The trick is to do the simple things that allow you to fend off the Horsemen and to limit the damage that attackers can do to your brand and customers.  That and take a walk around the block…avoiding vending machines.
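What makes a FIDO-style credential phishing- and MitM-resistant, unlike a password or OTP, is that the private key never leaves the device and every assertion is a signature over a fresh server challenge plus the origin the client actually connected to (UAF carries these in the final challenge parameters as the AppID/FacetID). The following is an added example, not code from the post or from Nok Nok Labs; it uses a deliberately tiny Schnorr signature over a toy group (no security, chosen only to keep the example standard-library-only) as a stand-in for the real ECDSA/RSA keys, and the relying party, the "alice" user and the origins are constructed sample values. It shows the legitimate login succeeding while a relayed challenge from a look-alike origin, a forged origin field and a replayed assertion all fail.

```python
import hashlib
import secrets

# Toy Schnorr signature over a small prime-order subgroup. The parameters are
# tiny so the arithmetic is readable; they give NO security and only stand in
# for the asymmetric keys a real FIDO authenticator holds (assumption).
P = 2039          # safe prime, P = 2*Q + 1
Q = 1019          # prime order of the subgroup
G = 4             # generator of the order-Q subgroup (a quadratic residue mod P)


def _h(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big") % Q


def keygen():
    x = secrets.randbelow(Q - 1) + 1          # private scalar, stays on the device
    return x, pow(G, x, P)                    # (private, public)


def sign(x: int, msg: bytes):
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    e = _h(r.to_bytes(2, "big"), msg)
    return e, (k + x * e) % Q


def verify(y: int, msg: bytes, sig) -> bool:
    e, s = sig
    r = (pow(G, s, P) * pow(y, Q - e, P)) % P  # g^s * y^-e == g^k when the signature is valid
    return _h(r.to_bytes(2, "big"), msg) == e


class RelyingParty:
    """Server side: public keys per user and single-use challenges."""

    def __init__(self, origin: str):
        self.origin = origin      # the only origin an assertion may be bound to
        self.keys = {}            # username -> public key
        self.pending = {}         # outstanding challenges, consumed on first use

    def register(self, user: str, pubkey: int):
        self.keys[user] = pubkey  # real UAF also checks an attestation here (omitted)

    def challenge(self, user: str) -> bytes:
        c = secrets.token_bytes(16)
        self.pending[user] = c
        return c

    def authenticate(self, user: str, assertion: dict) -> bool:
        c = self.pending.pop(user, None)      # a challenge is valid exactly once
        if c is None or assertion["challenge"] != c:
            return False
        if assertion["origin"] != self.origin:  # reject assertions bound elsewhere
            return False
        # Verify over the server's own origin, so a rewritten origin field cannot help.
        signed = self.origin.encode() + b"|" + c
        return verify(self.keys[user], signed, assertion["signature"])


class Authenticator:
    """Device side: signs the challenge together with the origin the client saw."""

    def __init__(self):
        self.priv, self.pub = keygen()

    def assert_for(self, origin: str, challenge: bytes) -> dict:
        signed = origin.encode() + b"|" + challenge
        return {"origin": origin, "challenge": challenge,
                "signature": sign(self.priv, signed)}


def demo():
    bank = RelyingParty("https://bank.example")       # constructed origin
    device = Authenticator()
    bank.register("alice", device.pub)

    # Legitimate login: the client reports the real origin.
    ok = bank.authenticate("alice", device.assert_for(bank.origin, bank.challenge("alice")))

    # Relayed challenge from a look-alike site: the device binds its signature
    # to the origin the user is actually on, so the bank rejects it.
    c = bank.challenge("alice")
    phished = bank.authenticate("alice", device.assert_for("https://bank-login.example", c))

    # Same relay, but with the origin field rewritten: the signature no longer verifies.
    c = bank.challenge("alice")
    forged = device.assert_for("https://bank-login.example", c)
    forged["origin"] = bank.origin
    forged_ok = bank.authenticate("alice", forged)

    # Replay of an already-consumed assertion fails because challenges are single use.
    a = device.assert_for(bank.origin, bank.challenge("alice"))
    first, replayed = bank.authenticate("alice", a), bank.authenticate("alice", a)
    return ok, phished, forged_ok, first, replayed
```

The two checks that matter are the origin comparison and the fact that the server verifies the signature over its own origin and its own stored challenge rather than over whatever the assertion claims; together they are what a shared secret (password, OTP) can never offer, since a secret typed into the wrong site is simply gone.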


Digital Identity is at the Heart of Innovation City

August 17, 2017 Nok Nok News Opinion 0 comments

One of the most popular attractions at the mothership event in Barcelona is Innovation City. Here the GSMA – and their key innovation partners – show how the “power of mobile” is transforming lives across the world. This year, the GSMA is putting on a mock urban environment to showcase what modern, mobile-centric identity solutions can provide. Digital identity is truly at the heart of what an innovative city could look like.

The GSMA’s Mobile Identity Initiative

In February of 2014, the GSMA launched “Mobile Connect”, a solution that enables end users to create and manage a universal digital identity through a single log-in solution. Mobile Connect provides a federated framework through which third-party service providers can authenticate users, seek their authorization of transactions and access information about the user (with user consent). This service has been deployed to a significant portion of the worldwide mobile network operator marketplace and is commercially available to over 3 billion consumers globally.

Mobile Connect performs what Nok Nok Labs refers to as the “Second Mile” of authentication. Where the “first mile” of authentication is proving the identity of the person using the device, the so-called “Second Mile” is proving that the person should have access to that account with the specific privileges.

Nok Nok Labs and Mobile Connect

In 2016, Nok Nok Labs launched a “Jumpstart Program for Mobile Connect”, helping mobile network operators worldwide deliver a biometric-enabled, FIDO-Certified customer authentication experience via Mobile Connect.

FIDO-based authentication and Mobile Connect go hand in hand. The “first mile” of the authentication is handled by Nok Nok Labs’ S3 Authentication Suite, leveraging the FIDO UAF protocol. This allows Mobile Connect to use the built-in biometric authenticators on smartphones, tablets, and PCs, increasing the range of authentication options beyond historic, potentially less secure alternatives. A user, prompted by the Mobile Connect application, proves their identity to their device with a biometric. This proof is then passed to the GSMA’s identity gateway, where the “second mile” of authentication happens, leveraging an API exchange and the OpenID Connect protocol to further identify and confirm the details of an individual user.

Further validating the synergies possible between the FIDO Protocol and Mobile Connect, earlier this year, the GSMA and the FIDO Alliance formalized a liaison partnership to further explore how FIDO Authentication and Mobile Connect fit together from both a technical and market perspective.

See Mobile Connect in Action

In just a few weeks, at the Innovation City in the heart of Mobile World Congress: Americas, Mobile Connect will be front and center. Nok Nok Labs is proud to be part of this demonstration arena, helping power demonstrations from Visa, InterBev and San Diego Health Connect. The Innovation City will be located in the South Hall of Moscone Center, stands S.1428 & S.1128. You can visit with a Nok Nok Labs representative there during Innovation City hours (9:00 AM to 5:00 PM), or you can stop by the Nok Nok Labs booth in the North Hall at stand N978 (we will be part of the FIDO Pavilion).


Can Blockchain Change the Face of Identity Management?

June 14, 2017 Nok Nok News Opinion 0 comments

Dig a little deeper and you will understand that Bitcoin is an implementation of a “distributed ledger” called a blockchain. Rather than keeping critical records in a central database, as almost every company does today, blockchains distribute the ledger information to many different computers. Then, when a process requires information from the ledger, it asks all the connected machines to propose the answer. When a majority agree, they are rewarded for their efforts in the form of digital coins. If the information on one machine were manipulated, the majority view would still be trusted.

A couple of years after Bitcoin was released, some in the cryptocurrency community began to think about making the blockchain more powerful. Rather than just holding information, what if the blockchain could hold a program that executed when triggered? Developers released a new type of blockchain with a specialized programming language that could be used to write “smart contracts”. This new chain was called Ethereum. These smart contracts have made it easier for teams to build applications that use these distributed network effects. In fact, these applications have a name (dApps) and sometimes even have their own digital coins (altcoins).

Regardless, today, blockchain aficionados think of Bitcoin and Ethereum as the two major public blockchains that should be considered for business functionality, and with this operating model, blockchains become an interesting architecture for managing identity.

Identity on the Blockchain

As much as you’d like to think you control your identity, you really don’t. Vast repositories of information about you are controlled by private companies that make money every time another company needs to validate who you are. Today, we have an identity ecosystem that requires thousands of organizations to pay these identity holders to perform some sort of “proofing” to validate that a user is who they claim to be:

  • Your utility company may have validated your address.
  • Your bank may have validated your payroll.
  • Your hospital may have validated your birth.
  • Your government may have validated your SSN.
  • Your mortgage company may have validated your creditworthiness.

Each of these organizations has invested in due diligence through “know your customer” processes, and each now holds a piece of the total identity puzzle that is you. But each new credit check requires yet another set of validations, and in the end, your identity gets spread wider and wider into more centralized databases that can be hacked.

With blockchain, we can fundamentally change how management of identity takes place.

First, let’s start with a radical premise: that you should own your identity information, should be able to control who sees it, and should even be compensated when your information is valued by someone else.

Now imagine an app called MyID that you install on your phone for a small fee of $1.99. This app, tied to your phone, becomes the trusted digital wallet of your identity. Using your biometrics, only you can access the app, and the biometric data and the identity data all sit within your phone and are never transferred to a server elsewhere without your permission.

Once your app is installed, you go through an identity proofing process where you answer questions that allow MyID to validate who you are and issue a certification for each piece of identity that it validates. These certificates live in the blockchain and therefore can’t be altered, and the underlying data sits encrypted on your phone and also can’t be altered.

With this model, you have a favorable configuration for the consumer. They can share proof that MyID has validated their identity (tied with the device), or they can share the underlying identity data piecemeal as they see fit.

If a credit card company wants to issue you a credit card, they can request various data points, and may give you more credit or a lower rate if you provide more certified identity data.

If an online advertising company wants to better target advertisements to you based on your income, you can share your certified income level (but not your contact information) with them for a fee (payable to you) for a piece of every advertisement you look at – which can be managed on a different blockchain.

Large companies are not left out of this loop. If your mobile network operator already has identity data about you, it can contribute that information to you and certify it. Now, when a third party wants that info, both you and the MNO can get a cut of the fees, with your permission.

With blockchain technology, we have the opportunity to reframe the risks of identity theft, while also bringing stronger privacy and digital rights to end consumers. There are many reasons why this is the future architecture of identity, and consequently there are many reasons why incumbent organizations will do whatever they can to delay or prevent it from emerging.
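The MyID model above rests on a split that is easy to get wrong: the ledger holds only a tamper-evident certification of each attribute, the attribute itself stays on the phone, and the holder reveals attributes one at a time. The following is an added example, not code from the post or from Nok Nok Labs, of one way to realize that split (an assumption, not a description of any product): each certified attribute is published to a simulated hash-chained ledger as a salted hash commitment, and a verifier checks a single disclosed attribute against it. The `Ledger` class, the "MyID" and "AcmeMobile" issuers, the device id and the attribute values are all constructed for the example.

```python
import hashlib
import json
import secrets


class Ledger:
    """Simulated append-only ledger: each entry hashes the previous entry's hash,
    so editing any earlier record breaks every later link. A stand-in for the
    blockchain in the post (assumption), not any real chain's format."""

    def __init__(self):
        self.entries = []

    def append(self, record: dict) -> int:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        h = self._hash(prev, record)
        self.entries.append({"prev": prev, "record": record, "hash": h})
        return len(self.entries) - 1

    @staticmethod
    def _hash(prev: str, record: dict) -> str:
        return hashlib.sha256((prev + json.dumps(record, sort_keys=True)).encode()).hexdigest()

    def intact(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or self._hash(prev, e["record"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def commit(name: str, value: str, salt: str) -> str:
    """Salted hash of one attribute. The salt stops anyone from recovering a
    low-entropy value (an income band, a birth date) by guessing from the public hash."""
    return hashlib.sha256(f"{name}={value};{salt}".encode()).hexdigest()


class MyIDWallet:
    """Holder side: values and salts never leave the device; only commitments are published."""

    def __init__(self, device_id: str):
        self.device_id = device_id
        self.vault = {}          # attribute name -> (value, salt, ledger index)

    def get_certified(self, issuer: str, ledger: Ledger, name: str, value: str):
        salt = secrets.token_hex(16)
        idx = ledger.append({"issuer": issuer, "subject": self.device_id,
                             "attr": name, "commitment": commit(name, value, salt)})
        self.vault[name] = (value, salt, idx)

    def disclose(self, name: str) -> dict:
        """Reveal exactly one attribute; nothing else in the vault is included."""
        value, salt, idx = self.vault[name]
        return {"subject": self.device_id, "attr": name, "value": value,
                "salt": salt, "index": idx}


def verify_disclosure(ledger: Ledger, issuer: str, d: dict) -> bool:
    """Verifier side: the ledger must be intact and the disclosed value must
    reproduce the commitment the named issuer recorded for this subject."""
    if not ledger.intact() or not 0 <= d["index"] < len(ledger.entries):
        return False
    rec = ledger.entries[d["index"]]["record"]
    return (rec["issuer"] == issuer and rec["subject"] == d["subject"]
            and rec["attr"] == d["attr"]
            and rec["commitment"] == commit(d["attr"], d["value"], d["salt"]))


def demo():
    ledger = Ledger()
    wallet = MyIDWallet("device-7f3a")                       # constructed sample id
    wallet.get_certified("MyID", ledger, "income_band", "50k-75k")
    wallet.get_certified("AcmeMobile", ledger, "phone", "+1-555-0100")

    # The advertiser receives the income band only; the phone number is never sent.
    d = wallet.disclose("income_band")
    genuine = verify_disclosure(ledger, "MyID", d)

    # A holder who edits the value on the phone no longer matches the commitment.
    altered = verify_disclosure(ledger, "MyID", dict(d, value="100k-150k"))

    # Tampering with the ledger record itself breaks the hash chain.
    ledger.entries[0]["record"]["commitment"] = "00" * 32
    tampered = verify_disclosure(ledger, "MyID", d)
    return {"genuine": genuine, "altered": altered, "tampered": tampered,
            "disclosed_fields": sorted(d)}
```

Two properties follow directly from the construction: a verifier learns only the attribute it is shown (it cannot even confirm a guess about an undisclosed one without the salt), and neither the holder nor a ledger operator can change a certified value after the fact without detection. What the example leaves out, and a real system would need, is an issuer signature on each record and a revocation path for attributes that stop being true.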


Flexible Authentication Strategy Key to Meeting Business Demands

March 20, 2017 Nok Nok News Multifactor Authentication, Opinion 0 comments

We are six months out from the rumored launch of a rumored new iPhone. As a result, of course, article after article has been posted confirming that, yes, we love our Apple rumors.

Joking aside, these rumors do contain an interesting development for the iPhone. If true, the iPhone 8 will do away with the home button and introduce a new method of unlocking your device – unlock by facial recognition.

We have long been a proponent of biometric authentication. However, the introduction of a new form of authentication on what is arguably the most popular platform in use today creates a long list of headaches for businesses that plan on being compatible with and thriving on the new iPhone. Fortunately, Nok Nok Labs has a solution in the market today that can help businesses with precisely these sorts of headaches.

The problem isn’t the introduction of new, novel technology. The problem isn’t changing behaviors and customer patterns. The problem that creates headaches for businesses is that they are deployed on a technological stack of systems that is not designed to seamlessly integrate these new, novel pieces of technology, behaviors and customer patterns. In 2015, Apple introduced the iPhone 5S and kicked off a wave of adoption of fingerprint sensors among everyday consumers. Businesses had to rush to find a way to integrate their mobile applications with Apple’s fingerprint APIs. Even now, two years later, we are still pleasantly surprised when we find a new application has fingerprint integration rather than kludgy password-based authentication. If the iPhone 8 does rely on facial recognition rather than fingerprints, a whole new wave of work will be required to integrate with that feature. Even those who had already integrated with the fingerprint sensor will have to recode, redesign, retest and rework their existing systems to adapt to a changing landscape.

If only there was a better way.

Fortunately, there is.

The solution is to do away with one-off integrations and embrace a flexible framework for authentication. The FIDO Alliance has published a protocol for accomplishing just that, and this protocol has been vetted and embraced by over 250 companies around the globe, including heavyweights such as Google, Microsoft, MasterCard and RSA. Nok Nok Labs built the first implementation of this protocol and offers its customers a way to instantiate an authentication system that can flexibly accept identities from fingerprint sensors, facial or voice recognition applications, even secure PINs or third-party dongles and tokens like the YubiKey. The business performs a single integration of a server, adds just a handful of lines of code to its mobile application, and simply chooses the types of authenticators it wishes to accept. As new technology becomes available and is adopted by its customers, the business needs only to change a policy in its configuration to accept it or not.
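The reason a new sensor becomes a configuration change rather than a recoding exercise is that the server never reasons about "the fingerprint API" or "the face API"; it matches each authenticator's declared characteristics against a policy. The following is an added example, not code from the post or from Nok Nok Labs' S3 Suite, of a policy evaluator modelled on the shape of a FIDO UAF policy: `accepted` is a list of criteria groups (all criteria in a group must match, any group suffices) and `disallowed` is a flat list of criteria that block outright. The bit-flag values follow the FIDO registry's USER_VERIFY_* and KEY_PROTECTION_* constants, but the field names are simplified, and the AAIDs, authenticator descriptions and the two policy versions are constructed for the example.

```python
# User-verification and key-protection bit flags, after the FIDO registry values
# (USER_VERIFY_PRESENCE=0x01 ... FACEPRINT=0x10; KEY_PROTECTION_SOFTWARE=0x01 ... SECURE_ELEMENT=0x08).
UV_PRESENCE, UV_FINGERPRINT, UV_PASSCODE, UV_VOICEPRINT, UV_FACEPRINT = 0x01, 0x02, 0x04, 0x08, 0x10
KP_SOFTWARE, KP_HARDWARE, KP_TEE, KP_SECURE_ELEMENT = 0x01, 0x02, 0x04, 0x08
ANY_HARDWARE = KP_HARDWARE | KP_TEE | KP_SECURE_ELEMENT

# Constructed authenticator descriptions (the AAIDs are made up for this example).
AUTHENTICATORS = {
    "fingerprint_tee":      {"aaid": "0001#0001", "userVerification": UV_FINGERPRINT, "keyProtection": KP_TEE},
    "fingerprint_recalled": {"aaid": "0001#0002", "userVerification": UV_FINGERPRINT, "keyProtection": KP_TEE},
    "face_enclave":         {"aaid": "0002#0001", "userVerification": UV_FACEPRINT,   "keyProtection": KP_SECURE_ELEMENT},
    "software_pin":         {"aaid": "0003#0001", "userVerification": UV_PASSCODE,    "keyProtection": KP_SOFTWARE},
    "presence_token":       {"aaid": "0004#0001", "userVerification": UV_PRESENCE,    "keyProtection": KP_SECURE_ELEMENT},
}


def matches(criteria: dict, auth: dict) -> bool:
    """One criteria entry: every field it names must be satisfied by the authenticator.
    Bit-flag fields match if the authenticator supports at least one of the flagged values."""
    if "aaid" in criteria and auth["aaid"] not in criteria["aaid"]:
        return False
    if "userVerification" in criteria and not criteria["userVerification"] & auth["userVerification"]:
        return False
    if "keyProtection" in criteria and not criteria["keyProtection"] & auth["keyProtection"]:
        return False
    return True


def allowed(policy: dict, auth: dict) -> bool:
    """Disallowed criteria win; otherwise any fully matching accepted group admits the authenticator."""
    if any(matches(c, auth) for c in policy.get("disallowed", [])):
        return False
    return any(all(matches(c, auth) for c in group) for group in policy["accepted"])


def evaluate(policy: dict) -> dict:
    return {name: allowed(policy, auth) for name, auth in AUTHENTICATORS.items()}


# Policy as it might have stood after the first fingerprint wave: biometrics or a
# passcode, but only with hardware-protected keys.
POLICY_V1 = {"accepted": [
    [{"userVerification": UV_FINGERPRINT, "keyProtection": ANY_HARDWARE}],
    [{"userVerification": UV_PASSCODE,    "keyProtection": ANY_HARDWARE}],
]}

# A later revision: facial recognition and roaming presence tokens are now accepted,
# and one fingerprint model is blocked by AAID. No application code changes.
POLICY_V2 = {
    "accepted": POLICY_V1["accepted"] + [
        [{"userVerification": UV_FACEPRINT, "keyProtection": ANY_HARDWARE}],
        [{"userVerification": UV_PRESENCE,  "keyProtection": KP_SECURE_ELEMENT}],
    ],
    "disallowed": [{"aaid": ["0001#0002"]}],
}
```

Under `POLICY_V1` the face-recognition authenticator is rejected and the recalled fingerprint model is accepted; under `POLICY_V2` those two flip, the software-protected PIN stays rejected by both, and the application that submitted the assertion is none the wiser. Keeping key protection in every accepted group is the check that stops a policy from silently admitting a software-only authenticator when a new user-verification method is added.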

Feel free to visit our resources page to explore in more detail what our technology is capable of. Also, you can reach out to us directly at [email protected] if you have questions or would like to have a more robust discussion about how we might be able to help your authentication strategy.
