When the Fast IDentity Online (FIDO) Alliance was established in 2012 to develop stronger e-commerce security, founding member Nok Nok Labs was already building the foundation for its authentication standard.
Nok Nok founder Ramesh Kesanupalli was the visionary behind the alliance, which has grown from six members at launch to nearly 100 companies now working to establish authentication standards that will operate on any device consumers use to access the Web. Its members include payments industry heavyweights MasterCard, Discover and PayPal, and technology giants like Google and Lenovo.
The alliance's goal is to provide a standard of authorization based on the security supported by each device. For example, a FIDO-enabled smartphone could use its microphone for voice authentication. To this end, Nok Nok announced Feb. 13 the launch of its S3 Authentication Suite software.
Nok Nok Labs president and CEO Phillip Dunkelberger says the FIDO Alliance has a mission to make it extremely difficult for hackers to disrupt e-commerce, and that his company will be the engine driving toward that goal.
In an interview with PaymentsSource, Dunkelberger explained the role of Nok Nok Labs in establishing FIDO's standards and how the future of payments security will develop. This interview has been edited for length and clarity.
PaymentsSource: FIDO Alliance couldn't have come up out of nowhere. How long was Nok Nok Labs developing it?
Dunkelberger: Working as an independent company, we have been working on the FIDO Alliance idea for the past two years, but now it's working on the delivery of products. Nok Nok Labs invented the core underlying code for the client protocol known as FIDO. We build the servers or back-end systems, creating a FIDO-enabled element that is in good standing. We then help manage the FIDO client code and the discovery, enrollment and provisioning of the devices.
PaymentsSource: The S3 Authentication Suite appears to be a key product. Is it the launching pad for FIDO?
Dunkelberger: S3 gives the ability for FIDO members and others not in the group to start moving down a strong authentication enablement track. They can start using it today.
PaymentsSource: Can you explain exactly how a consumer gets a FIDO-enabled device, and what that will mean?
Dunkelberger: The standard works in any environment on any device. But let's say your mobile phone is FIDO-enabled. That can occur either through a software download, through a fingerprint reader on the device, or something in the trusted execution environment, in other words, on a chip. So, what you've got is strong, stronger and strongest implementations.
PaymentsSource: And how does that FIDO-enabled device interact with the e-commerce sites using Nok Nok technology?
Dunkelberger: If you are cruising on the Web and find a FIDO-enabled website, it will "ask" if your device is FIDO-enabled. The device will answer back and tell which FIDO elements it has for multi-factor authenticators: a camera, fingerprint reader, a microphone, a FIDO element in the processing chip, or a digital certificate. By FIDO policy, the back-end system will enroll you in the FIDO standard with a series of multi-factor authenticators, and it also scores the device. Then it may ask you to swipe a finger, say a few phrases, or take a picture of yourself, or type a six-digit code, depending on the authorization method chosen.
PaymentsSource: Sounds like a long process. Is it?
Dunkelberger: No, here's where the magic happens. One aspect is discovery of your device. Second, it enrolls you, and at that moment you maybe swipe your finger. It now creates an authenticating key to your portfolio. It doesn't store your biometric, but it uses it to create the public/private keychain. The next time you are on that website or another website, say it is PayPal, it will ask you to log in with your FIDO fingerprint. You swipe your fingerprint, and you are in.
PaymentsSource: Where is all of the customer's data stored?
Dunkelberger: The really cool thing is that it is an extension of public/private key encryption exchange on the Internet. It keeps all of your private data local. None of your biometrics, passwords or PINs are going over the wire, so the hackers' attack vectors are gone. There is no opportunity to steal millions of card numbers, passwords, PINs or millions of identities.
PaymentsSource: So once your device is communicating with a FIDO server using Nok Nok's authentication platform, the consumer authenticates in the same manner, no matter which site he is visiting?
Dunkelberger: No. The authentication can be reset. You can enroll fingerprints, or maybe voice, or you can use both of those. I can swipe my finger and buy things or transfer money. The protocol may come back to you and ask for a second authentication, so you can establish three or four authentications for high-value transactions. It makes sure no one else can make high-value transactions on your account.
PaymentsSource: Does it matter what kind of device you are using?
Dunkelberger: It's authenticator device agnostic. It doesn't care what the device is. The idea behind this is, what will it take to establish secure authentication?
PaymentsSource: When FIDO Alliance launched, it seemed as if its main purpose was to do away with passwords. Is that still the case?
Dunkelberger: It's going to take a few years to get rid of passwords because that's a 50-year-old technology. It's going to be replaced over time. Usernames and passwords are not going to go away, because they are great for very low-risk things. What will happen is you are going to see ecosystems change: mobile pay systems, medical records, things where multi-factor authentication is tantamount to a much better way of doing business, from a risk standpoint. So, high-risk, highly regulated industries are going to move first. Once those industries move, consumers will find the usability of this is dramatically different than trying to type something in with your thumbs on a mobile phone.
PaymentsSource: What will drive the FIDO standard into the mainstream?
Dunkelberger: Costs, security, usability and privacy. Those are the four major drivers for people wanting to do different types of authentications. They are all present in what we are trying to do. And when I say we, this is a big group of people.
PaymentsSource: What happens next for Nok Nok Labs?
Dunkelberger: You won't get this at bigger companies because authentication is not their core business. We want to keep helping others, and it is all to make things better for all ecosystems. Let those other companies use FIDO as their security standard, and then they can spend their time building their next great product.
PaymentsSource: How about the FIDO Alliance?
Dunkelberger: The next thing is public input. Significant players are joining, such as Google, MasterCard, Lenovo, Discover and PayPal, and FIDO will continue to grow nationally and internationally. We will get FIDO in a browser, and hardware like fingerprint readers, and we can support a lot of modalities today. But a critical one will be to get in the trusted execution environment, in the chip set. I think that will happen late this year. When that happens, that is a big deal. It gives you strong, stronger and strongest authentication.
PaymentsSource: Will we see a day when FIDO is fully deployed and we will reminisce about the days of worrying about hackers?
Dunkelberger: Having been in the business 30-plus years, the bad guys never cease to amaze me with their guile and intellect. When there is money to be made, they will go for it. It used to be that we said data was currency. Now we say authentication is currency. This particular thing we are doing makes it really hard for criminals to make things happen. But they won't go away. It will just become different people stealing different things in different ways.
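The enrollment and login exchange Dunkelberger describes above (a key pair created per site at enrollment, the biometric kept on the device, only a public key and a signed one-time challenge crossing the wire) as an added illustration that is not Nok Nok's or the FIDO Alliance's code. The site name pay.example, the user alice, the byte-string fingerprint template and the textbook RSA signing are all constructed stand-ins for this example; real authenticators use certified ECDSA or RSA-PSS implementations and a proper biometric matcher.

```python
import hashlib, math, secrets

def is_prime(n, rounds=24):  # Miller-Rabin probable-prime test; adequate for an illustration
    if n < 4: return n > 1
    d, r = n - 1, 0
    while d % 2 == 0: d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else: return False
    return True
def rsa_keypair(bits=256):  # toy textbook RSA; real authenticators use ECDSA or RSA-PSS
    odd = iter(lambda: secrets.randbits(bits) | (1 << (bits - 1)) | 1, None)  # endless odd candidates
    while True:
        p, q, e = next(filter(is_prime, odd)), next(filter(is_prime, odd)), 65537
        if p != q and math.gcd(e, (p - 1) * (q - 1)) == 1:
            return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))  # (public, private)

def digest(site, challenge):  # hashing the site name in makes a signature useless to any other site
    return int.from_bytes(hashlib.sha256(site.encode() + challenge).digest(), "big")

class Authenticator:  # device side: one key pair per site, unlocked only by a local user check
    def __init__(self, template): self._template, self._keys = template, {}  # template never leaves the device
    def enroll(self, site, sample):
        if not secrets.compare_digest(sample, self._template): raise PermissionError("user verification failed")
        pub, self._keys[site] = rsa_keypair()
        return pub  # only the public key goes over the wire
    def sign(self, site, challenge, sample):
        if not secrets.compare_digest(sample, self._template): raise PermissionError("user verification failed")
        n, d = self._keys[site]
        return pow(digest(site, challenge), d, n)

class RelyingParty:  # server side: holds public keys only and issues one-time challenges
    def __init__(self, site): self.site, self._users, self._pending = site, {}, {}
    def register(self, user, pub): self._users[user] = pub
    def challenge(self, user):
        self._pending[user] = secrets.token_bytes(32)  # fresh nonce: a captured signature cannot be replayed
        return self._pending[user]
    def verify(self, user, signature):
        c, (n, e) = self._pending.pop(user, None), self._users[user]  # each challenge is consumed once
        return c is not None and pow(signature, e, n) == digest(self.site, c)

def login_flow(enroll_sample, login_sample):  # returns (login accepted, replay of the same signature accepted)
    rp, dev = RelyingParty("pay.example"), Authenticator(b"constructed-template")
    rp.register("alice", dev.enroll(rp.site, enroll_sample))
    sig = dev.sign(rp.site, rp.challenge("alice"), login_sample)
    return rp.verify("alice", sig), rp.verify("alice", sig)
```

Nothing the server stores (a public key and a spent nonce) lets a thief log in as the user, and a signature captured in transit fails on any later challenge or at any other site.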