17 Nov

4 Min read

Missing the Forest for the Trees

November 17, 2023 Jackie Comp 0 comments

New technologies, especially those that are transformational, get scrutinized – that’s normal. The benefits need to be carefully understood along with any potential drawbacks. The danger to progress however, results from an imbalance in focus … when we place too much emphasis on “edge cases” at the sacrifice of all the benefits.

We miss the forest for the trees.

Passkeys are a perfect example. Passkeys (aka passwordless FIDO credentials) are transformational as an authentication approach. They are phishing-resistant, easy to use, and future proof (open standard supported by the ecosystem). While they are still new to most users, passkeys will quickly become the preferred method of authentication in the same way most users happily adopted Touch ID and Face ID when offered for app sign-in.

Simply put, passkeys are more secure and more convenient than passwords and one-time passwords (OTP):

Keys cannot be “phished” (there is no “secret” to share)
Fake sites (man-in-the-middle attacks) will fail because they do not have the appropriate private key to impersonate a user.
Attacks don’t scale because the attacker must physically have the user’s device where the private key is stored, as well as their user verification method (fingerprint, face recognition, etc).
Users don’t need to remember complex passwords or fumble with OTPs — they just sign in with a swipe or look into the camera. The complexity of the private/public keys is behind the scenes.

Although passkeys are vastly more secure and greatly improve the user experience, the attention seems to be focused on the “edge cases” that make them not “perfect”.

Edge Case #1: Unclear how the synced key is protected – what if it is compromised. Synced passkeys may be stored by platform providers like Apple and Google, or they may be protected by password managers. That is no different from passwords. The big difference, however, is that passwords can be easily phished and stolen. While password managers can help prevent phishing, not everyone uses one. Also, the relying party cannot tell if they are using a password manager or how strong the password really is. With passkeys the phishing resistance doesn’t depend on user behavior. It is guaranteed by the standard. And to steal someone’s passkey you’d have to take over their account or trick a provider to restore a key to your device, which is orders of magnitude more difficult to achieve. Is it possible, yes, but the current risk with passwords is far greater.
Edge Case #2: The transport security of the keys is unknown. The protocol may be proprietary to the provider, however the large providers strongly encrypt the passkeys and synchronization of passwords to the cloud uses proprietary protocols, too.
Edge Case #3: The key may have been shared (“AirDropped”). This is true, a user can air drop their passkey to another user. It is also true, however, that someone can just as easily share their password. And, unlike passkeys, passwords can be easily guessed making them much more vulnerable.

Understanding risk is important, but not at the expense of gain.

Imagine all the doors and windows in your house with flimsy padlocks that can be easily snapped off with one kick. You have the opportunity to replace them with a high-security deadbolt system that is resistant to being kicked in. However there is one very tiny window on your 3rd floor that would require a 30 ft ladder and gymnastics across your roof for a thief to reach, but it cannot leverage the new lock system. Since you can’t secure that one window, you decide not to secure any of them.

That’s missing the forest for the trees.

The bottom line is even if you change nothing else, you are greatly reducing your attack surface by implementing passkeys to replace passwords wherever possible. For regulated markets that typically require MFA with strong device binding, you can combine device-bound passkeys with synced passkeys, creating a “trust anchor” to deal with the 3rd floor window.

Nok Nok has all the capabilities and expertise to help you on your journey through the enchanted forest.

10 Nov

3 Min read

Nok Nok’s FedRAMP High Journey: Next Step in Federal Cybersecurity

November 10, 2023 Nok Nok News 0 comments

In the world of cybersecurity, the federal government sets some of the most stringent requirements for its suppliers. It’s a landscape where only the best can thrive, and Nok Nok, a pioneer in Fast IDentity Online (FIDO) authentication solutions, has emerged as an important supplier. The company recently achieved the coveted Federal Risk and Authorization Management Program (FedRAMP) High authorization through its partnership with UberEther’s IAM Advantage. This achievement follows its DoD Impact Level 5 (IL5) achieved in 2022 and marks a significant milestone in delivering top-notch cybersecurity to federal agencies, partners, and citizens.

Here are the key takeaways from this latest achievement:

1. Federal Government’s Uncompromising Cybersecurity Standards

The federal government has long been known for its uncompromising cybersecurity standards. In response to the 2021 White House Cybersecurity Executive Order and the subsequent call from US Government CISO Jen Easterly for advanced Multi-Factor Authentication (MFA) based on FIDO standards, the demand for cutting-edge cybersecurity capabilities has never been higher. The government is leading the way in adopting the best of breed cybersecurity measures, making it crucial for suppliers to meet these advanced cybersecurity requirements.

2. Nok Nok’s Unique Position: FIDO and More

Nok Nok’s unique position as one of the original creators of FIDO standards sets it apart. The partnership with UberEther has enabled Nok Nok to provide federal agencies with phishing-resistant MFA that not only meets DoD Impact Level 5 (IL5) and FedRAMP High certifications but also complies with the Federal Information Processing Standards (FIPS) and National Institute of Standards and Technology (NIST) standards. This combination of expertise and collaboration empowers federal agencies to meet the highest levels of security and regulatory requirements seamlessly.

3. Streamlining Phishing-Resistant Authentication

Nok Nok’s MFA solution offers an effortless and convenient alternative to traditional Personal Identity Verification (PIV) and Common Access Card (CAC) methods. Leveraging the public key cryptography capabilities of modern endpoint devices such as smartphones and PCs as well as security keys, the solution eliminates the need for additional drivers, middleware, or browser plugins. This approach provides a secure and user-friendly way for employees, contractors, and citizens to access information, all while reducing the vulnerabilities and costs associated with password management.

In Conclusion:

Nok Nok and its partnership with UberEther are at the forefront of delivering advanced cybersecurity solutions to the federal government, setting the gold standard for phishing-resistant MFA. With FedRAMP High authorization, FIPS and NIST compliance, and adherence to FIDO standards, Nok Nok and UberEther are ensuring the highest level of security for federal agency employees, contractors, and citizens. As the digital era continues to evolve, Nok Nok is committed to transcending traditional boundaries and meeting the dynamic cybersecurity needs of our modern society.

28 Jun

3 Min read

Reduce Cart Abandonment with Passkey Authentication

June 28, 2023 Matt Lourie 0 comments

Reduce Cart Abandonment with Passkey Authentication

Matt Lourie, Sr. Director of Engineering

Passkey authentication is a solution to streamline the login and registration process, enhancing the overall user experience.

Developers of e-commerce web applications constantly face the challenge of improving user experience and increasing conversion rates. One common issue that online businesses struggle with is shopping cart abandonment. This blog explores the impact of complex login processes on cart abandonment rates and introduces passkey authentication as a solution to streamline the login and registration process, enhancing the overall user experience.

The Problem With Shopping Cart Abandonment

A recent study conducted by the FIDO Alliance sheds light on the significant losses faced by online retailers in the U.S. due to complex login processes. The survey found that 58% of shoppers abandon their carts and halt their purchases due to difficulties encountered during the sign-in process. Password-related frustrations, such as forgetfulness or the need to create new accounts, deter consumers from completing transactions. Additionally, 28% of respondents expressed that the hassle of setting up and remembering new passwords would discourage them from signing up for a new account. The study reveals a clear need for a simpler and more convenient authentication solution.

The Power of Passkeys

Passkeys offer a practical solution to address the challenges associated with complex login processes. Passkeys are a new and better way of signing in to websites and apps without passwords. They are unique digital keys that are stored on your device and verified with your biometric sensor, such as your fingerprint. Passkeys are more secure and convenient than passwords because they can’t be reused, guessed, or stolen.

In the study, consumers expressed a preference for on-device biometrics, such as fingerprint or facial recognition, as alternatives to passwords. These methods were perceived as quicker and easier to use, with 68% believing they were more expedient than traditional two-factor authentication. Retailers that offer on-device authentication were seen as more invested in customer experience, privacy, and security, and were more likely to be recommended to others. Passkeys help retailers stand out from competitors and create a positive brand image.

By eliminating the need for users to remember multiple login credentials, passkeys significantly enhance the overall user experience and encourage repeat visits. Users no longer have to struggle with password-related frustrations, leading to increased customer satisfaction and reduced cart abandonment rates.

Nok Nok Makes Implementing Passkeys Easy

Contrary to popular belief, implementing passkey authentication doesn’t require extensive coding or technical expertise. To help web developers, we have created a comprehensive video tutorial as part of our learning series. Our video tutorial demonstrates the step-by-step process of adding passkey authentication to your web app. Watch our video today, sign up for a free trial, and unlock the potential of passkeys to boost your conversions and improve customer satisfaction!

13 Apr

7 Min read

Nok Nok Expands S3 Authentication Suite

April 13, 2023 Nok Nok News 0 comments

Nok Nok Expands S3 Authentication Suite to Meet the Needs of Government, Regulated, Payment, and E-Commerce Organizations

New capabilities include regulatory compliance and risk management, synced passkeys, secure payment confirmation, and more

San Jose, CA – April 13, 2023 – Nok Nok , a leader in passwordless authentication for the world’s largest organizations, today announced the latest release of the Nok Nok™ S3 Authentication Suite (S3 Suite) that delivers four new capabilities designed to meet the needs of regulated industries, payments markets, and e-commerce organizations. For government organizations or highly regulated industries such as healthcare, finance, and insurance, the new offering simplifies the ability to comply with security and regulatory requirements, including identifying known and unknown devices. Additional new features help e-commerce organizations reduce friction for consumers. Payment companies will also benefit with new features in the S3 Suite that address Secure Payment Confirmation (SPC) for approving high value financial transactions in web browsers.

With the increasing rise in cyber threats, security professionals are faced with heightened complexity. Not only are they navigating how to implement best practices and respond to federal mandates as they develop, but they also must be responsive to their own users and consumers without preventing their access to services or causing user friction. Organizations that are highly regulated industries are also under enormous pressure and must be prepared to respond to and comply with government and industry regulations. The Nok Nok S3 Suite leverages a wide range of authenticators, including biometric and non-biometric modalities to help meet regulatory compliance, address NIST SP800-63 and SP800-157 standards, and support various authentication needs. By integrating with an organization’s security solutions, the S3 Suite provides additional contextual information and leverages scores provided by external risk engines and behavioral biometric systems.

“The war against cyber criminals has not let up and the job of being a security professional continues to be more difficult as new mandates from the White House have been added to the list of compliance requirements. And if you are an international organization, EU and Asia requirements add to the compliance complexity. We are excited to address these compliance needs and broaden the reach of our technology into these regulated markets. Organizations operating in finance, enterprise, e-commerce and government are up against increased pressure to comply and regulation is only expected to become more stringent in the years to come,” said Phil Dunkelberger, CEO of Nok Nok. “We co-founded the FIDO Alliance to make it easier to implement strong, passwordless authentication solutions for consumers and enterprises. Now, we are expanding our offering to companies in key regulated sectors that need to be able to quickly and efficiently respond to the evolving regulations coming from the US and foreign governments.”

New government and regulated industry support includes:

Passkeys. With the rise in adoption of synced passkeys, regulated organizations need to be able to understand whether users are using their passkey with a known device or on a new device. When new devices are introduced for the first time, regulated organizations typically need to trigger additional verification steps to ensure the device belongs to the legitimate user. With the Nok Nok S3 Suite v9, organizations can easily configure authentication rules that detect the use of new devices and configure methods in order to verify whether the device is used by the legitimate user.
Support for Security Key Tracking and Inventory. New capabilities allow organizations in highly regulated industries such as healthcare, insurance and banking, to monitor and track users that are using the security key(s) they were given by their employer. With these new product features, organizations can “attest” that a user is using the security key they were issued – not a third party key – and meet security and regulatory requirements.

New E-Commerce and Consumer support includes:

Synced passkeys. Asking users to provide a password reduces enrollment conversion rates and requiring a password at checkout negatively impacts the checkout conversion. Today’s release of the S3 Suite with synced passkey features allows consumers from any of their devices to access e-commerce sites by easily signing in using biometrics instead of using a password. Additionally, the synced passkey feature enables merchants to reduce friction at sign-up, making it easier to engage personally with the customer, enroll them in loyalty programs, automate billing, and collect specific data which has become more difficult with 3rd party cookies being deprecated.

New Payment support includes:

Secure Payment Confirmation. While today’s strong customer authentication two-step-verification is more secure, it is still perceived as inconvenient to the consumer. The introduction of W3C Secure Payment Confirmation (SPC) into the S3 platform is similar to integrating a POS terminal into your browser that allows the user to use device biometrics instead of a card and (one-time) PIN. Support for SPC has been added to the EMVCo 3D Secure specification that is widely used for online card payments. For customers in the buying process, SPC dramatically cuts down on friction. This new SPC method extends the existing transaction confirmation capabilities of the Nok Nok S3 Suite making it the first choice for banks, payment service providers, and e-commerce merchants intending to implement delegated authentication.

“We have heard it said many times, removing passwords can improve time and effort spent handling password resets and account lockouts ; it reduces friction and improves the user experience, and it can drastically reduce risk,” said Jack Poller, senior analyst Enterprise Strategy Group. “As easy as it sounds, the complexity of replacing passwords while still staying compliant in regulated industries or meeting government regulations can be very complicated. Leveraging its history delivering FIDO-based strong authentication into enterprise and consumer markets, Nok Nok rolls out a set of capabilities that will ease the replacement of passwords in some of the most demanding environments. IT and security operations are trying to handle increased complexity in their environments every day; standards-based, passkey solutions should be high on their lists for first defense.”

The Nok Nok S3 Authentication Suite includes an Authentication Server and App SDKs for mobile, web and smartwatch applications. It leverages the security capabilities already present on a user’s device to bring strong and convenient authentication to any application. The S3 Suite enables organizations to easily turn a user’s device into a strong, multi-factor authentication method through support for all FIDO protocols, including passkeys.

With the S3 Suite’s rich set of capabilities, organizations can support the full customer lifecycle from frictionless on-boarding, progressive profiling, easy bootstrapping of new devices, account recovery, suspension and deprovisioning of users, to call center authentication support.

Press assets:

Learn more about the latest Nok Nok Authentication S3 Suite.

About Nok Nok

Nok Nok is a leader in passwordless customer authentication and delivers the most innovative FIDO (Fast IDentity Online) solutions for the authentication market today. Nok Nok empowers organizations to dramatically improve their user experience and security, and reduce operating expenses, while enabling compliance with the most rigorous privacy and regulatory requirements. The Nok Nok™ S3 Authentication Suite integrates into existing security environments to deliver proven, FIDO-enabled passwordless customer authentication. As a founder of the FIDO Alliance and an innovator of FIDO standards, Nok Nok is an expert in next-level, multi-factor authentication. Nok Nok’s global customers and partners include AFLAC Japan, BBVA, Carahsoft, Fujitsu Limited, Hitachi, Intuit, Mastercard, MUFG Bank, NTT DATA, NTT DOCOMO, Standard Bank, T-Mobile, and Verizon.

For more information, https://noknok.com/.

10 Mar

2 Min read

Passkeys Webinar

March 10, 2023 Nok Nok News 0 comments

Nok Nok, Trusona, and the FIDO Alliance invite you to a passkeys webinar. Join Nok Nok’s VP Products Rolf Lindemann, Trusona’s CTO John Summers, and the FIDO Alliance’s Andrew Shikiar, Executive Director and CMO for a passkeys webinar streaming through ZOOM on March 28, 2023 at 9am PT. Top Considerations for Supporting Passkeys In Your Digital Business is designed for digital business leaders and product owners looking to gain a better understanding of the benefits of passkeys and their practical implementation in a digital service.

The panel will discuss the immediate readiness of passkeys and the effort required to support them, along with the UX challenges across multiple user journeys. Additionally, they will explore various deployment options and help attendees get started quickly on their passkey journey.

Key takeaways:

• Passkeys have material business value (e.g. auth success, reduced ATOs, etc.)
• Passkeys require an infrastructure to support
• You can get started today
• Partners can ensure a successful passkey implementation

Mark your calendars for 9am PT on Tuesday, March 28, 2023 and register now for this passkeys webinar, a critical discussion about the value of passkeys.

Nok Nok is the trusted leader in passwordless consumer authentication for the world’s largest organizations. Delivering the most innovative authentication solutions in the market today, Nok Nok empowers global organizations to improve the user experience to access digital services while meeting the most advanced privacy and regulatory requirements. Learn more about Nok Nok here.

Trusona was founded with a simple promise: know who’s on the other end. Since 2015, they’ve helped companies achieve higher levels of assurance in digital identity by moving beyond the vulnerabilities of traditional username/password authentication to passwordless identity authentication. Learn about Trusona here.

The FIDO Alliance is an open industry association with a focused mission: authentication standards to help reduce the world’s over-reliance on passwords. The FIDO Alliance promotes the development of, use of, and compliance with standards for authentication and device attestation. Learn more about the FIDO Alliance here.

05 Jul

3 Min read

All The Major Technology Companies Adopt The FIDO Standard

July 5, 2022 Nok Nok News 0 comments

fido standard

14 Jun

2 Min read

Dr. Rolf Lindemann at Authenticate Summit

June 14, 2022 Nok Nok News 0 comments

Dr. Rolf Lindemann at Authenticate Summit

09 Nov

0 Min read

The Future of Authentication with Dr. Rolf Lindemann

November 9, 2021 Nok Nok News 0 comments

02 Apr

3 Min read

How BBVA is using FIDO to protect their customer accounts

April 2, 2021 Nok Nok News 0 comments

Does your bank still think using SMS one-time passcodes are the only additional authentication factors? Mine still does, and I wish I could easily switch to another bank that is more enlightened about their security, such as BBVA. This international bank, which has customers in Spain, the US, Mexico and South America, has been a big supporter of FIDO authentication protocols and uses the Nok Nok S3 Authentication Suite.

Banking is one of the last bastions of old world thinking when it comes to authentication. A quick scan of a directory of banks offering multifactor authentication (MFA) show that most are still stuck in the past. BBVA is the first Spanish bank that has adopted FIDO methods for its customers.

FIDO leverages existing biometric methods for authentication, such as fingerprint and facial recognition, that are built-into the more recent smartphones. This means customers don’t have to go through more complex procedures to secure their transactions. Customers can also quickly check to see which of their phones and laptops have accessed their account with a list of “my secure devices,” which is a quick way to find out who has been authorized to use your account.

Banks though should be more forward-thinking and embrace FIDO, especially those banks that are moving towards having a more capable digital footprint. There are three reasons: First, account takeover fraud is rampant and increasing. Phishing lures are getting better, especially during the pandemic where customers are not necessarily paying attention to dodgy Covid-related messages that could cause a compromised account.

Second, PSD2 regulations require better authentication methods. The latest version of the Payment Services Directive of the EU has created the strong customer authentication requirement for all customer-initiated online payments and bank transfers and the EU began enforcing this requirement last year. This means when a customer wants to transfer funds, for example, they would need to make use of MFA to authenticate themselves. FIDO is one of the easiest and most secure ways to accomplish this, and the Nok Nok tools can enable this “step-up” authentication to make it seamless for the bank’s customers.

This means that authentication is not just accomplished when a customer logs into their account but as needed to safeguard their activities and protect the high risk accounts with a more secure process. The beauty of FIDO is that this protection is delivered without putting an additional burden on the user.

Finally, SMS-based authentication is a security sinkhole and can easily be compromised. The record of various stories about these compromises goes back several years. Most recently was this piece in Vice that described how one third-party utility can be used to gain access to your SMS identity without any subscriber even knowing it has been compromised. Banks really shouldn’t rely on SMS for any authentication activity.

BBVA announced last year that they began deploying Nok Nok’s software across their customer base, and since then many of their customers are using FIDO to authenticate. “Traditionally, one of the biggest challenges of authentication systems has been to balance security with user experience. Due to the FIDO standard, we are confident that both elements work together seamlessly to provide customers with the highest security standards, along with a transparent and agile user experience,” says Juan Francisco Losa, BBVA’s Global Technology and Information Security Officer.

Nok Nok has numerous banking customers using their FIDO tools, including the Iceland-based Landsbankinn and the South African-based Standard Bank. Now if only I could get my own bank on board with FIDO.

04 Mar

4 Min read

Why Intuit picked FIDO

March 4, 2021 Nok Nok News 0 comments

One of the long-time FIDO supporters gave testimony to its biggest benefits at the recent Authentication 2020 conference. The speaker was Marcio Mello, who is the head of Product for Intuit’s identity and profile platform. The benefits are saving money and time when users have to login to their SaaS financial offerings from Intuit.

Intuit was interested in FIDO for many years, and at the beginning of 2020 rolled out a FIDO application for iOS users of TurboTax, its tax preparation package. Now, if you are like me and if you use some form of this software, your goal is to spend as little time as possible using it. When you are done with your taxes and file them with the IRS, you hope this is the last time you will ever see this software until next year. Well, that works against usability in a big way, because most of us don’t remember our account passwords. Mello reminded his audience of this fact: “We have yearly active TurboTax users,” he said during his presentation. “Our users don’t come back anytime soon, so often they don’t remember their account sign-in information and then have to hassle with recovering their accounts.”

This is a perfect use case for FIDO, and Intuit created a new process so they wouldn’t have any passwords to remember. Their goal was to require as few clicks as possible to sign in. “We didn’t want to remain the identity police because we had a poor user experience,” he said. “With the old pre-FIDO ways, users had a lot of data entry to key in. The faster we can get them into our app, the better for everyone. This is because we are all in this together for a passwordless journey. And it is a long-term journey, because it isn’t just offering a quick fix.”

Intuit evaluated various FIDO vendors and picked NokNok’s S3 Authentication Suite. As part of their evaluation, they ran various stakeholder education sessions with everyone that would be involved in the rollout. They approached the project by first building the user interface for sign on and account management, then did a phased launch with the iOS version of TurboTax. Their goal was to get rid of OTP SMS for sign ins. Here is a diagram from Mello’s talk that outlines how they intended to evolve their user interface and authentication policies.

https://www.noknok.com/wp-content/uploads/2021/03/Intuit-Priorities.jpg

He mentioned during his presentation that FIDO offered many benefits:

The ability to future-proof identity standards that are also scalable and customizable.
An opportunity to lower our operational costs.
Improve both security and privacy by having identity credentials that remain on your mobile phone.
Adding friction at the appropriate times when users are doing something riskier on their accounts.

That last point is an important one, because it is a sign of assurance and mutual trust. Before FIDO, there was friction all over the place, which promoted just the opposite intention. They intended to use a combination of visible and invisible signals for fraud detection such as user behavior as part of the authentication process, which is the last line on the chart above.

So what happened? Their results were impressive. They found that since the beginning of the rollout in January 2020, there was a 99% reduction in users having to recover their authentication details and a corresponding big reduction in support costs and phone calls. There was also a 20% improvement in successful sign-ins, when previously moving the needle 1% had proven to be very difficult. There was a 60% reduction in the time it takes to onboard new users through account creation on the iOS app. They quickly got 2/3rd of mobile app sign-ins via FIDO and 23% of their users are now totally passwordless. “It is only a matter of time before all of our users will activate FIDO biometrics on their devices,” said Mello. As part of the FIDO project, they have extended FIDO authentication to other Intuit apps. “One of the advantages of FIDO is that we can customize how the initial authentication dialogs are presented for each of our applications. It isn’t a one-size-fits-all anymore around here.” They are also working on extending FIDO authentication in their browser applications leveraging Nok Nok’s ability to support passwordless authentication across any touchpoint – mobile app, mobile web, pc web and even SmartWatches.

Contact Us

Latest Posts

Navigation

About Us

Recent posts

Missing the Forest for the Trees

Nok Nok’s FedRAMP High Journey: Next Step in Federal Cybersecurity