Step Away From the Server With Device-Based Security

Is it possible that in the near future, there will be no more server-based passwords to hack?

From our spearphishing- and spyware-heavy world today, that seems like a very lofty goal, but it’s exactly the one that four out of five IT decision-makers agree is in our imminent future. In a new study, the vast majority of organizations said they want to move beyond passwords and two-factor authentication and use stronger methods to secure their sites and apps. Nearly half of the respondents wanted to implement biometrics in the next five years and move away from passwords.

Massive companies are in on this trend. In late January, Facebook said it was joining the likes of Google, Salesforce and Dropbox, to name a few, in supporting FIDO-compliant universal second factor keys. As a founding member of the FIDO Alliance, Nok Nok Labs is committed to providing enhanced security.

However, to get rid of passwords and deploy strong authentication, including options like biometrics, companies need to implement device-side secrets rather than server-side secrets. To get to these password-free Elysian fields, enterprises need to take a systematic approach to implementing password-less authentication.

Thumbprint-, iris- and face-scanning software has the advantage of being extremely user friendly — have you ever forgotten your thumbprint? However, if companies keep storing this type of information on public servers, then once hackers become sophisticated enough to routinely replicate these features, the situation could be worse than where we are with passwords today. You can’t get a new iris the same way you can get a new password. We have already seen a case where fingerprints were stolen, via the U.S. Office of Personnel Management breach in 2015.

The Nok Nok Labs S3 Suite addresses strong biometric security by leveraging device-based authentication. This makes a breach unlikely, since an attacker would need physical possession of the device plus the biometric needed to unlock it.

Typical biometric security doesn’t prevent password hacks. In general, features like Touch ID use biometrics on the device, but they don’t replace a username and password. Instead, the fingerprint releases the password, which is stored in a secure enclave. Because there still is a password involved, there is still a security problem.

For biometric authentication to really work, it must involve no password at all and be device based rather than server based. With the Nok Nok Labs S3 Suite, the biometric check runs locally, and on success the device unlocks an app-specific private key. What travels to the server through FIDO-standardized protocols is a signature produced with that key, not the biometric information itself, and the server checks it against the matching public key it holds. The private key never leaves the device, and the public key is the only information stored on the server. A public key cannot be used in an attack, because it has no value without the private key. This is the FIDO Alliance’s vision for the future, and it’s one Nok Nok Labs is committed to.
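The registration and login exchange described above, reduced to its essentials as an added example (my own code, not Nok Nok Labs' or any FIDO implementation): an app-specific key pair is generated on the device, only the public key is handed to the server, and a login is a signature over a fresh server challenge, released only after the local biometric check succeeds. The app ID, user name and the biometricOK flag are constructed placeholders standing in for the real authenticator and relying party.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

type Authenticator map[string]*ecdsa.PrivateKey // the device: one private key per app, released only after local biometric check
type Server map[string]*ecdsa.PublicKey         // the relying party: public keys only, so a breached table cannot be used to log in

// Register creates an app-specific key pair on the device; only the public half is handed to the server.
func Register(a Authenticator, s Server, appID, user string) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err == nil {
		a[appID], s[user] = priv, &priv.PublicKey
	}
	return err
}

// NewChallenge issues a fresh random nonce per login, so a captured signature cannot be replayed later.
func (s Server) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Sign is the device side: a biometric match unlocks the app's private key, which signs the challenge; only the signature is sent.
func (a Authenticator) Sign(appID string, biometricOK bool, challenge []byte) ([]byte, error) {
	if priv, ok := a[appID]; ok && biometricOK {
		h := sha256.Sum256(challenge)
		return ecdsa.SignASN1(rand.Reader, priv, h[:])
	}
	return nil, fmt.Errorf("key for %q stays locked: local authentication failed", appID)
}

// Verify is the server side: the assertion is accepted only if the stored public key validates the signature.
func (s Server) Verify(user string, challenge, sig []byte) bool {
	h := sha256.Sum256(challenge)
	return s[user] != nil && ecdsa.VerifyASN1(s[user], h[:], sig)
}
func main() {
	a, s := Authenticator{}, Server{} // constructed demo: one device, one relying party
	_ = Register(a, s, "example.app", "alice")
	c, _ := s.NewChallenge()
	sig, _ := a.Sign("example.app", true, c)
	fmt.Println("login accepted:", s.Verify("alice", c, sig))
}
```

Note that a failed biometric check or a missing app key yields no signature at all, and a signature captured for one challenge does not verify against the next one, which is what makes the server-side table worthless to a thief.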