Fixing the hole in the internet: Nok Nok Labs announces new authentication suite as FIDO reaches browsers
With leading web browsers and operating systems planning to launch built-in support for FIDO authentication later this year, Nok Nok Labs has announced a new release of its S3 Authentication Suite. Nok Nok S3 Authentication Suite supports the latest version of the FIDO Alliance standard, known as FIDO2, and its Web Authentication specification (WebAuthn).
The WebAuthn specification was recently accepted by the World Wide Web Consortium (W3C) as a Candidate Recommendation (CR), and defines a way for web browsers to enable websites to provide FIDO authentication to end users with devices implementing the FIDO2 Client to Authenticator Protocol (CTAP). Project contributors Google, Microsoft, and Mozilla have begun implementing support for WebAuthn into their Chrome, Edge, and Firefox browsers on Windows, Mac, Linux, Chrome OS, and Android.
W3C originally announced the formation of a WebAuthn working group and launched a new standards effort in 2016 based on FIDO 2.0 Web APIs.
While Nok Nok Labs has provided a way to make FIDO calls from a web browser for several years, it was not previously part of the specification, and the adoption of the new standard by the W3C and browser and OS providers makes it more accessible to enterprises than it has ever been, Nok Nok Labs CEO and President Phillip Dunkelberger told Biometric Update in an exclusive interview.
Dunkelberger expects FIDO adoption, which has already been growing rapidly, will accelerate toward general acceptance as an industry standard. “Now it’s going to be like SSL was,” he says. “If we can give you a better mouse trap, are you going to use it?”
The combined weight of the W3C and browser providers is only one factor in a market being redefined by new demands from businesses and consumers alike. Dunkelberger sees the market for user authentication as driven by a need to make four things easy. “We’re starting to see this perfect storm that is forming. For business, it’s compliance and security. For users, it’s ease of use and experience.”
High-profile data breaches and widely available biometric technology have influenced popular perception of what authentication should be, and bringing FIDO strong authentication to any device addresses a “hole in the internet,” Dunkelberger says, which is an inherent part of its architecture.
“Finally, the industry’s gotten together and said ‘we’ve got to solve this broken, password-based authentication method,’” he explains. “And once we solve the first mile, we start solving the last mile of the internet. Now that I know who’s out there, what goods and services do they really want from me, and how do I supply them in the most cost-effective possible way?”
As the industry progresses towards the creation of a universal authentication layer, Nok Nok Labs is expanding its customer base. The company doubled its bookings for the second year in a row last year, according to Dunkelberger, and he is confidant it will do so again this year. The S3 Authentication Suite was recently deployed as part of an online authentication service from Fujitsu by Mizuho Bank, one of Japan’s largest financial institutions. Dunkelberger says Nok Nok Labs’ technology has been implemented by five of the top ten banks, and five of the top 12 telecom companies in the world, demonstrating the effectiveness of FIDO authentication for highly regulated businesses operating at scale.
Regulatory requirements are only increasing. GDPR, which comes into effect on May 25, has an entire section on multi-factor authentication, while PSD2 requires strong step-up authentication within the transaction, which FIDO provides.
FIDO has evolved into a standards-based system which works across all devices without requiring a massive coding effort from businesses seeking a way to make any kind of service compliant. Dunkelberger estimates that it typically takes between one and three months to code one device to one app for one service, but Dokomo has been able to build roughly 700 apps on 100 devices in only two and a half years by utilizing FIDO. While Dunkelberger says there is still work to be done educating businesses about the new standard’s benefits, he expects the launch of built-in browser support to make FIDO an obvious choice for developers.
Interoperability testing and certification for FIDO2 servers, clients, and authenticators will be launched soon, along with a new Universal Server certification for servers that work with all FIDO authenticator types.
“My prediction is when they’re in place, you’re going to have a framework that all developers can say ‘we don’t have to worry about whatever the end point is or what new endpoints are coming from an authenticator, we don’t care what the authenticator is, because we can discern which ones we want to use by policies, and which one we don’t,’” says Dunkelberger.
Reaching that point is a major accomplishment, made all the more impressive by the relative speed with which it has happened. The FIDO Alliance was officially launched only five years ago, as Nok Nok Labs came out of stealth, at RSA 2013.
“It’s a great story about the industry realizing there was a hole in the internet, and coming together to solve it. Standards are hard. They take a long time. They take a lot of input and negotiation.” Dunkelberger notes that when he served as President and CEO of PGP prior to joining Nok Nok Labs, it took OpenPGP 10 years to become an Internet Engineering Task Force (IETF) standard.
FIDO’s rapid progress is due to the efforts of hundreds of companies and individuals, often working as volunteers, Dunkelberger points out. They believe, like him, in the importance of using strong authentication to re-establish the perimeter based on identity. Doing so marks out a path from usernames and passwords to biometrics.
“These trends carry biometrics forward,” Dunkelberger says. “You think of all the great pieces and sub-pieces that have come together. Better use of biometrics; easy hook up of biometrics; a standard way of implementing the biometrics.”
Now that it works with any application, on any platform, for any authenticator, Dunkleberger sees the S3 Authentication Suite being used to enable a wide range of new innovations based on easy-to-use, safe, and secure transactions with biometrics.
Nok Nok Labs will participate in a FIDO2 demonstration at RSA on April 20.