But now we need to set our sights beyond basic FIDO. Standards typically represent the lowest common denominator of functionality that can be agreed to across a large body of independent organizations. Certainly, more advanced features that leverage FIDO are possible, and most definitely desirable.
While our product and engineering teams lead FIDO standards development, we have also been busy mapping out and delivering capabilities that go beyond basic FIDO. The following questions should be considered as your organization establishes or evolves its approach to modern authentication.
How important are risk signals and policy-based authentication mechanisms?
The ability to measure certain risk-oriented signals, and to build policies around those signals, leads to a more granular view of authentication. Three areas that we have focused on are geolocation, travel speed and device health:
- Geolocation – This signal determines the location of a user’s device and can check it against a policy-defined list of restricted countries. This enables the administrator to deny access from disallowed locations and adjust the user’s risk score.
- Travel Speed – This signal determines if the user’s device has travelled too far in too short a time. It uses the device’s geolocation to calculate the travel speed from the last login location and time. With this information, users can take policy-defined action to adjust risk scores or deny fraudulent access from multiple locations within a short time interval.
- Device Health – This signal checks for signs of tampering on the device.
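As an added illustration (not Nok Nok's implementation), the geolocation and travel-speed signals above could feed a policy check like the following. The speed limit, risk-score weights, deny threshold, the placeholder country code `XX` and the sample logins are all assumptions made for this example.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_KM = 6371.0

@dataclass
class Login:
    lat: float
    lon: float
    country: str      # ISO 3166-1 alpha-2 code reported for the device location
    timestamp: float  # seconds since epoch

@dataclass
class Policy:
    restricted_countries: frozenset
    max_speed_kmh: float = 900.0  # assumed limit, roughly airliner cruise speed
    speed_penalty: int = 60       # assumed risk-score weight
    deny_threshold: int = 50      # assumed score at which access is denied

def distance_km(a, b):
    """Great-circle (haversine) distance between two login locations."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlmb = math.radians(b.lon - a.lon)
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))

def travel_speed_kmh(prev, cur):
    """Implied speed since the last login; infinite if the location moved but the clock did not."""
    hours = (cur.timestamp - prev.timestamp) / 3600.0
    dist = distance_km(prev, cur)
    if hours <= 0:
        return math.inf if dist > 1.0 else 0.0
    return dist / hours

def evaluate(prev, cur, policy):
    """Return (decision, risk_score, reasons) for the current login."""
    if cur.country in policy.restricted_countries:
        return "deny", 100, ["restricted country"]
    score, reasons = 0, []
    if prev is not None and travel_speed_kmh(prev, cur) > policy.max_speed_kmh:
        score += policy.speed_penalty
        reasons.append("impossible travel")
    decision = "deny" if score >= policy.deny_threshold else "allow"
    return decision, score, reasons

# Constructed sample logins: New York at t=0, London one hour and ten hours later.
NEW_YORK = Login(40.7128, -74.0060, "US", 0.0)
LONDON_1H = Login(51.5074, -0.1278, "GB", 3600.0)
LONDON_10H = Login(51.5074, -0.1278, "GB", 36000.0)
```

A first login with no history (`prev` set to `None`) skips the travel-speed check, so only the country policy applies to it.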
Do you need to consider Out-of-band authentication and friendly-fraud scenarios?
Out-of-band authentication extends the FIDO credentials on a user’s mobile device to a second device – primarily their desktop. The omni-channel approach can bring a new desktop login modality to customers. Start a banking transaction on your phone, and finish it on your computer while leveraging the biometrics from your phone to validate the user on both devices.
Reduction of “Friendly Fraud” – In order to counter unintended fraud on shared devices, we’ve developed a method of ensuring that only biometrics authorized by the primary device or application user can authenticate to an account. This offers a major differentiator over basic FIDO for use cases that need a higher standard of security.
Do you have plans to support multiple Relying Parties in a multi-tenant capability?
For mobile network operators and other internet infrastructure vendors, the opportunity arises to become the consumer identity provider of record for many different service providers (Relying Parties) that leverage your platform and ecosystem. Does your business model postulate supporting multiple relying parties and their authentication needs in a multi-tenant capability? If so, a basic FIDO implementation with single-tenant support will require a far broader investment in infrastructure and licensing than Nok Nok’s leading multi-tenant solutions in this space. Understanding the nuances of different vendor platforms and capabilities can create strategic advantage now and with future business needs.
Our development team has even more interesting new functionality in the lab that they will be sharing in upcoming release cycles. Stay tuned for additional features that extend the benefits of a FIDO approach to more use cases and value drivers.