FIDO | Claims and Calculations | Nok Nok Labs and ThreatMetrix
-
AuthorNok Nok News
-
Published18 Sep 2017
-
0 commentsJoin Conversation
When we started Nok Nok Labs, I often said that our vision for Modern Authentication was that it was a “Game of Signals” – one that consisted of claims & calculations.
Users and devices provide a signal through an authentication claim (e.g. a password, a smart-card, a biometric etc). The relying party would process that claim and then often look at other signals (e.g. location, device integrity signals etc.) and the resulting calculation determined the final result.
Back in 2011 user authentication events were weak signals (e.g. passwords or phishable OTPs or strong authentication that was easily defeated by malware) with no alternatives. As a result, relying parties had to invest deeply in the calculation and amass many more signals to determine the result of the authentication claim. Weak signals create uncertainty and doubt that can cripple the business with excessive friction or create an opportunity for compromising credentials. Indeed, the Verizon Data Breach study reports credential compromise as the leading cause of data breaches. Fully 80% of hacking-related breaches leveraged either stolen passwords and/or weak or guessable passwords.
Existing strong authentication did not help a lot. It remains shocking to see how much of our deployed “strong authentication” is really vulnerable to phishing, MiTM and malware attacks. Gone are the days when authentication was supposed to be about a magic credential – a complex password, OTP token/smart-cards or assorted fanciful authenticators – that gave you keys to the kingdom.
Our vision led us to create the FIDO Alliance with our partners and seed it with our inventions leading to the first FIDO protocol aimed at strengthening the user-claim so that it could be strong signal. The standards allow the use of ANY method of authentication (e.g. tokens, biometrics, wearables etc.) while maintaining a simple consistent developer API and without changing the backend. It also provides the strong assurance that this was indeed the right user. It also characterizes the authentication environment and resists or eliminates phishing and MiTM attacks because of way we designed the cryptographic protocol.
In a recent speech, Treasury Secretary Steve Mnuchin hailed the FIDO Authentication standards and the FIDO Alliance’s work with NIST as an exemplary innovation in public-private partnerships and vital to enabling financial inclusion and banking the unbanked. We are proud to have contributed in a key role to that partnership with NIST. We continue to be the innovation leader at the FIDO Alliance and a key author/editor of its most widely deployed standards as well its upcoming standards.
Our NNL S3 Authentication platform is the industry’s leading standards-based way to deliver assurance that the business is dealing with the right user, right device and right context for cloud, mobile and IoT applications. The strong signals delivered by our platform can be transformative to risk platforms allowing the business to deliver frictionless user interaction, meet emerging regulations for authentication and data privacy and to personalize user interactions with confidence.
This announcement today by ThreatMetrix validates our vision of Modern Authentication – watch this space for more to come.