In 2009, when Ramesh Kesanupalli was working as CTO at Validity Sensors building fingerprint sensor technology, he and his team approached PayPal to sell the payment vendor on the idea of fingerprints as a more-secure authentication method. Initially, PayPal rejected the idea, saying that if they supported fingerprint authentication, they would need to consider other forms of biometric authentication, and they weren’t yet ready to take on the challenge. Kesanupalli didn’t want to give up on his vision, so he introduced other authentication vendors into the discussion to explain to PayPal how their products would improve security. At the time, though, most of the other authentication vendors were focused on legacy authentication, that is, username and password-based solutions, supported by one-time passwords (OTPs) or tokens. PayPal recognized that those forms of authentication were kludgy, and while they may incrementally increase security, the inconvenience and usability tradeoffs weren’t worth the minimal gain.
Passwords have been in use as an authentication mechanism forever. But in the digital realm, especially as networks, resources, devices, and applications have expanded out of the scale of measurability, passwords have become increasingly problematic and prone to attack. For over a decade, security pros having been calling for the end of passwords, but many factors have prohibited passwords’ long, overdue death. Still, Kesanupall knew authentication could be stronger by eliminating passwords.
In 2011, Kesanupalli left Validity to start Nok Nok Labs. The impetus was to build a new, stronger form of authentication that didn’t rely on the same old, same old username + password combination, and didn’t resort to OTPs or tokens (which were quickly becoming exploitable) as a second factor. Concurrently, in 2012, he, alongside industry colleagues, founded the FIDO Alliance[i] to create open industry standards that would reduce the reliance on passwords. The group’s goal was to develop technical specifications for open, scalable, and interoperable authentication solutions. Today, FIDO’s specifications—FIDO Universal Authentication Framework (FIDO UAF), FIDO Universal Second Factor (FIDO U2F), WebAuth, and FIDO2—are industry standards. What they’re not, however, are products. Enter, Nok Nok.
Today, a global company with more than 150 million users, Nok Nok is predicated on the FIDO approach to fundamentally improve and standardize authentication. Nok Nok’s passwordless authentication is ubiquitous across mobile, web, and IoT channels, and provides a seamless end user experience. With a single gesture, a user can authenticate to any service.
Nok Nok’s VP of Products, Rolf Lindemann, explained to me how it works during a recent call. “Our products are deployed via an SDK [software development kit] that interfaces to a secure component on the device—the hardware security module, trusted platform module, or trusted execution environment—or in a mobile or web browser,” he said. This means that some developer support is required, lending itself to larger organizations with in-house development capabilities.
Once that step has been completed, the device or browser can communicate with the Nok Nok S3 Authentication Server and users can start authenticating via any form of biometric. That said, Lindemann shared, “Deprecating passwords is a journey. In practice we have seen a phased approach. The first phase is typically a mobile first strategy, leveraging the platform authenticators on mobile devices and eliminating passwords as well as SMS/OTPs as a second factor. They’re replaced with a fingerprint scan, facial scan, or voice prompt. The second phase of the rollout is adding web support. And the third phase is finally deprecating passwords and onboarding new users without any passwords.” A phased approach allows users to gain comfort with this method of authentication and reduces the likelihood that they’ll abandon the process. It also ensures a smooth transformation for the organization since multiple business units are involved in implementation and support.
Importantly, FIDO standards are supported by Google, Apple, Microsoft, and a host of other major tech vendors, meaning, users won’t encounter incompatibility issues that create tension or frustration with the login experience. This, said Lindemann, is one of the greatest achievements of Nok Nok’s technology; customers report 15-20% reduction of abandonment rates, 20% reduction in time to authenticate, and 58% reduction in password reset requests. This data shows increases in user satisfaction and results in operational cost savings within companies’ IT, security, and development departments.
I asked Lindemann about privacy concerns, especially related to biometrics—immutable attributes, unlike passwords. He explained that biometric data is never disclosed to the server, which means that in the event of a server breach, user data is secure. However, this does require device vendors to buy-in, which presents a barrier. That said, as biometric authentication is becoming commonplace, facilitated by smart phone manufacturers who offer face or fingerprint unlock, for instance, we see this as a small barrier and expect more device and app vendors to adopt biometric authentication in the coming years.
The concern then turns to what happens to users’ biometric data if a device is stolen, lost, or remotely compromised. Today, the threat of a client-side attack is less than that of a server-side attack, but it is still a consideration.
In terms of privacy regulations like GDPR and CCPA, the FIDO standards on top of which Nok Nok is built exceed minimum requirements. Other requirements like NIST, PSD2, SOX, GSMA’s Mobile Connect, and more can be easily met. Audit logging is also supported.
Nok Nok offers standards-based authentication across various mobile platforms: smartphones, smart watches/wearables, web browsers and IoT devices. The latter is an interesting use case, as IoT devices currently pose a major security threat. With password-based authentication so easily compromised via phishing, credential stuffing attacks, spoofing, default password compromise, and more, the ability for organizations to secure sensors, switches, medical equipment, manufacturing devices, and so on with passwordless, multi-factor authentication decreases cyber risk and increases regulatory compliance.
Nok Nok can boast an impressive global client list, mainly of early adopters in the financial sector and among mobile network operators. While the company faces competition from smart phone manufacturers that include native biometric authentication in their own products, we at TAG Cyber believe commercialization will only help companies like Nok Nok gain widespread acceptance in the coming years.