Dr. Rolf Lindemann Featured at FIDO Munich

Author
Nok Nok News
Published
14 Jun 2024
0 comments
Join Conversation

Nok Nok’s Dr. Rolf Lindemann Featured at FIDO Munich Seminar 2024: Strengthening Authentication with Passkeys in Automotive and Beyond

Join Dr. Rolf Lindemann and the FIDO Alliance for a seminar in Munich on July 15, 2024 from 1:25 pm to 1:45 pm for a comprehensive dive into passkeys. The seminar will provide an exploration of the current state of passwordless technology, detailed discussions on how passkeys work, their benefits, case studies, and practical implementation strategies and considerations across sectors, including a focus on automotive and payments use cases.

Attendees will also have the opportunity to engage directly with those who are currently implementing FIDO technology through open Q&A and networking – plus the opportunity to see demos and meet the experts that can help move passkey deployments forward.

Fido Alliance Osaka Seminar

Author
Nok Nok News
Published
10 May 2024
0 comments
Join Conversation

Join us in Osaka for a comprehensive dive into passkeys!

Join the FIDO Alliance for a one-day seminar in Osaka for a comprehensive dive into passkeys. The seminar will cover the current state of passwordless technology, a deep dive on how passkeys work, their benefits, practical implementation strategies and considerations, regulatory considerations, and case studies. Attendees will also have the opportunity to engage directly with those who are currently implementing FIDO technology through open Q&A and networking to get first-hand insights on how to move their own passkey deployments forward. Whether you’re a seasoned professional in the field or a newcomer interested in the potential of passwordless technology, this seminar promises to be an informative and engaging experience.

FIDO Seminar at RSA Conference

Author
Nok Nok News
Published
14 Mar 2024
0 comments
Join Conversation

The State of Authentication 2024: The Global Progress Past Passwords

Join the FIDO Alliance and its industry stakeholders from 1:15p to 5:15p, Wednesday May 8th at the Moscone Center in San Francisco to learn about the latest developments in the global movement to passwordless technology for better security and user experiences. Attendees of this seminar will learn about the latest with FIDO and passkeys, hear case studies and achieved benefits from orgs offering passwordless sign-ins, and get best practices for their own implementations.

Authenticate 2024

Author
Nok Nok News
Published
28 Feb 2024
0 comments
Join Conversation

See Nok Nok’s Rolf Lindemann present “Guarding the Gate: Strategies for High Security with Passkeys” on Tuesday October 15th, from 1:30-1:55 pm at Authenticate 2024 in Carlsbad, CA.

Missing the Forest for the Trees

Author
Jackie Comp
Published
17 Nov 2023
0 comments
Join Conversation

New technologies, especially those that are transformational, get scrutinized – that’s normal. The benefits need to be carefully understood along with any potential drawbacks. The danger to progress however, results from an imbalance in focus … when we place too much emphasis on “edge cases” at the sacrifice of all the benefits.

We miss the forest for the trees.

Passkeys are a perfect example. Passkeys (aka passwordless FIDO credentials) are transformational as an authentication approach. They are phishing-resistant, easy to use, and future proof (open standard supported by the ecosystem). While they are still new to most users, passkeys will quickly become the preferred method of authentication in the same way most users happily adopted Touch ID and Face ID when offered for app sign-in.

Simply put, passkeys are more secure and more convenient than passwords and one-time passwords (OTP):

Keys cannot be “phished” (there is no “secret” to share)
Fake sites (man-in-the-middle attacks) will fail because they do not have the appropriate private key to impersonate a user.
Attacks don’t scale because the attacker must physically have the user’s device where the private key is stored, as well as their user verification method (fingerprint, face recognition, etc).
Users don’t need to remember complex passwords or fumble with OTPs — they just sign in with a swipe or look into the camera. The complexity of the private/public keys is behind the scenes.

Although passkeys are vastly more secure and greatly improve the user experience, the attention seems to be focused on the “edge cases” that make them not “perfect”.

Edge Case #1: Unclear how the synced key is protected – what if it is compromised. Synced passkeys may be stored by platform providers like Apple and Google, or they may be protected by password managers. That is no different from passwords. The big difference, however, is that passwords can be easily phished and stolen. While password managers can help prevent phishing, not everyone uses one. Also, the relying party cannot tell if they are using a password manager or how strong the password really is. With passkeys the phishing resistance doesn’t depend on user behavior. It is guaranteed by the standard. And to steal someone’s passkey you’d have to take over their account or trick a provider to restore a key to your device, which is orders of magnitude more difficult to achieve. Is it possible, yes, but the current risk with passwords is far greater.
Edge Case #2: The transport security of the keys is unknown. The protocol may be proprietary to the provider, however the large providers strongly encrypt the passkeys and synchronization of passwords to the cloud uses proprietary protocols, too.
Edge Case #3: The key may have been shared (“AirDropped”). This is true, a user can air drop their passkey to another user. It is also true, however, that someone can just as easily share their password. And, unlike passkeys, passwords can be easily guessed making them much more vulnerable.

Understanding risk is important, but not at the expense of gain.

Imagine all the doors and windows in your house with flimsy padlocks that can be easily snapped off with one kick. You have the opportunity to replace them with a high-security deadbolt system that is resistant to being kicked in. However there is one very tiny window on your 3rd floor that would require a 30 ft ladder and gymnastics across your roof for a thief to reach, but it cannot leverage the new lock system. Since you can’t secure that one window, you decide not to secure any of them.

That’s missing the forest for the trees.

The bottom line is even if you change nothing else, you are greatly reducing your attack surface by implementing passkeys to replace passwords wherever possible. For regulated markets that typically require MFA with strong device binding, you can combine device-bound passkeys with synced passkeys, creating a “trust anchor” to deal with the 3rd floor window.

Nok Nok has all the capabilities and expertise to help you on your journey through the enchanted forest.

Nok Nok’s FedRAMP High Journey: Next Step in Federal Cybersecurity

Author
Nok Nok News
Published
10 Nov 2023
2 comments
Join Conversation

In the world of cybersecurity, the federal government sets some of the most stringent requirements for its suppliers. It’s a landscape where only the best can thrive, and Nok Nok, a pioneer in Fast IDentity Online (FIDO) authentication solutions, has emerged as an important supplier. The company recently achieved the coveted Federal Risk and Authorization Management Program (FedRAMP) High authorization through its partnership with UberEther’s IAM Advantage. This achievement follows its DoD Impact Level 5 (IL5) achieved in 2022 and marks a significant milestone in delivering top-notch cybersecurity to federal agencies, partners, and citizens.

Here are the key takeaways from this latest achievement:

1. Federal Government’s Uncompromising Cybersecurity Standards

The federal government has long been known for its uncompromising cybersecurity standards. In response to the 2021 White House Cybersecurity Executive Order and the subsequent call from US Government CISO Jen Easterly for advanced Multi-Factor Authentication (MFA) based on FIDO standards, the demand for cutting-edge cybersecurity capabilities has never been higher. The government is leading the way in adopting the best of breed cybersecurity measures, making it crucial for suppliers to meet these advanced cybersecurity requirements.

2. Nok Nok’s Unique Position: FIDO and More

Nok Nok’s unique position as one of the original creators of FIDO standards sets it apart. The partnership with UberEther has enabled Nok Nok to provide federal agencies with phishing-resistant MFA that not only meets DoD Impact Level 5 (IL5) and FedRAMP High certifications but also complies with the Federal Information Processing Standards (FIPS) and National Institute of Standards and Technology (NIST) standards. This combination of expertise and collaboration empowers federal agencies to meet the highest levels of security and regulatory requirements seamlessly.

3. Streamlining Phishing-Resistant Authentication

Nok Nok’s MFA solution offers an effortless and convenient alternative to traditional Personal Identity Verification (PIV) and Common Access Card (CAC) methods. Leveraging the public key cryptography capabilities of modern endpoint devices such as smartphones and PCs as well as security keys, the solution eliminates the need for additional drivers, middleware, or browser plugins. This approach provides a secure and user-friendly way for employees, contractors, and citizens to access information, all while reducing the vulnerabilities and costs associated with password management.

In Conclusion:

Nok Nok and its partnership with UberEther are at the forefront of delivering advanced cybersecurity solutions to the federal government, setting the gold standard for phishing-resistant MFA. With FedRAMP High authorization, FIPS and NIST compliance, and adherence to FIDO standards, Nok Nok and UberEther are ensuring the highest level of security for federal agency employees, contractors, and citizens. As the digital era continues to evolve, Nok Nok is committed to transcending traditional boundaries and meeting the dynamic cybersecurity needs of our modern society.

Top 6 Considerations to Build vs. Buy FIDO-based Passkeys

Author
Nok Nok News
Published
31 Oct 2023
0 comments
Join Conversation

Here we are at the end of Cybersecurity Awareness Month, and you’ve heard vendors declare how their solutions can help make you and your enterprise safe. There is a lot to consider and maybe you are thinking you can solve the problem on your own – and go the “build vs. buy” route. Let’s look at the considerations when it comes to adopting the cutting-edge FIDO-based passkeys as the decision carries considerable weight and potential consequences.

When organizations contemplate the implementation of passkeys as an alternative to traditional passwords, they often start by focusing on the Minimum Viable Product (MVP). However, the real challenge lies beyond the MVP—the unknowns that come with version 1.1 and beyond. The technology landscape is constantly evolving, demanding adaptability and scalability. This is when the decision between starting from scratch and leveraging experienced vendors becomes critical.

Here are 6 considerations for your decision-making process:

1. Completeness: Beyond the Minimum Viable Product

Building a passkey solution from scratch may seem like an attractive proposition, especially for the sake of cost-effectiveness and fitting into existing infrastructure. However, it’s crucial to consider the road beyond the Minimum Viable Product (MVP). Rapid technological advancements necessitate staying up-to-date and future-ready. Vendors with experience in passwordless authentication solutions not only offer much more than a MVP but also pave the way for future expansions and improvements, helping organizations avoid technological dead-ends.

2. Support for Diverse Environments: Native Apps, Web Apps, Devices, and Regulatory Requirements

The ability of passkeys to seamlessly integrate across diverse environments is a fundamental requirement. Most established vendors excel in providing such integration, saving organizations time and resources. In contrast, building this integration in-house can be time-consuming and expensive, especially when compliance requirements need to be addressed. Dedicated passwordless authentication vendors bring years of experience, ensuring compatibility across a wide range of devices and regulatory environments.

3. Seamless Integration and Backend Infrastructure Support

The tech landscape is no longer homogeneous. Maintaining compatibility across various hardware and software versions can be a significant challenge when building in-house. Dedicated vendors can simplify this process by integrating seamlessly with an organization’s existing backend infrastructure, including cloud Hardware Security Modules (HSMs) and Secret Stores. This integration capability minimizes extensive code changes.

4. Maintenance Challenges: Keeping Pace with Specifications

Staying abreast of evolving FIDO and WebAuthn specifications is crucial for passkey solutions. Organizations often underestimate the effort and resources required for ongoing maintenance when building in-house. Partnering with experienced authentication vendors ensures that passkey features remain up-to-date, reducing maintenance burdens and allowing organizations to stay focused on their core objectives.

5. Reducing Development Risks and Project Failures

Homegrown development carries inherent unknown unknowns, particularly when implementing a paradigm like passkeys for the first time. Organizations may overlook critical factors or encounter unexpected challenges, resulting in higher costs, delays, or compromises on user experience. Partnering with an established passwordless authentication provider mitigates these risks by leveraging their extensive experience and lessons learned from successful passkey deployments.

6. Capitalizing on Investment and Experience

While building a passkey solution independently may seem appealing from a cost perspective, it often fails to account for hidden expenses and missed opportunities. Unknown unknowns can be costly both in terms of time and money. Leveraging a vendor like Nok Nok, with expertise and a wealth of investment in FIDO-based implementations, ensures a smoother fit into existing infrastructure and access to valuable intellectual property.

Conclusion

While building a solution from scratch may appear cost-effective or a better fit for existing infrastructure, it often underestimates the maintenance challenges, development risks, and missed opportunities. By leveraging a traditional passwordless vendor’s comprehensive passkey features, organizations can ensure a complete, scalable, secure, and future-proof implementation, benefiting from the expertise and investment of a trusted industry leader.

Authenticate 2023: The Tipping Point for Passkeys and Passwordless Authentication

Author
Matt Lourie
Published
27 Oct 2023
0 comments
Join Conversation

Last week, Nok Nok attended Authenticate 2023, the industry’s only conference dedicated to all aspects of user authentication, with a focus on FIDO. According to a poll, over half of the attendees were new to FIDO, highlighting the growing interest. It was incredible to see how far the industry has come. When the FIDO Alliance was first founded 11 years ago by Nok Nok and 5 other visionary co-founders, passwordless authentication was just a bold theoretical idea. This, however, marked the start of an industry movement to passwordless authentication. With over 600 attendees representing major platforms, vendors, and industries, Authenticate 2023 demonstrated the tremendous momentum and excitement building around passkeys.

Passkey Readiness

Leading up to the conference, Google and Apple made big announcements concerning passkeys. All users signing in to Google accounts will be prompted to create and use passkeys instead of passwords. Similarly, Apple announced their plans to automatically assign a passkey to a user’s Apple ID when it launches iOS 17, iPadOS 17 and macOS Sonoma.

These major industry roll outs signal that passkeys are ready for mainstream adoption everywhere we currently use passwords. There were many sessions on passkey success stories, with practical advice on real-world implementation and deployment considerations.

User Experience is Key for Growth

One key focus at Authenticate 2023 was the importance of optimizing the user experience for passkeys. There were many informative sessions covering how to refine the passkey authentication experience for users. Speakers shared user experience (UX) design principles to keep in mind, accessibility considerations for inclusive authentication, and ideas for balancing strong security with usability in passkey flows. The sessions made clear that while technology may enable passwordless authentication, thoughtfully designing the UX is crucial for driving mass adoption.

FIDO Adoption

With passkeys becoming more widely used, the conference examined deployment challenges, best practices, and lessons learned for a wide range of workforce and consumer-facing use cases. These included fintech (Intuit), media, e-commerce, travel, and gaming. The sessions provided key takeaways for organizations implementing FIDO-based authentication including Nok Nok’s session by Dr. Rolf Lindemann on Strategies for Using Passkeys in Regulated Markets.

FIDO Usage in the Government

Several sessions dove into adoption of FIDO standards and passkeys by government agencies. There was recognition that while Personal Identity Verification (PIV) cards are vital for government use cases, FIDO has an important role to play in addressing gaps where PIV cards are not viable. These insights highlighted the complementary value and growing role passkeys are playing in public sector digital transformation. For more information, see the recently published FIDO Alliance Guidance for the US Government.

From major platform announcements to real-world deployment lessons learned, Authenticate 2023 showcased the enormous progress and potential of passwordless FIDO-based authentication. As passkeys and FIDO standards continue to gain momentum, the conference provides valuable insights for any organization implementing modern authentication.

Nok Nok at the White House

Author
Nok Nok News
Published
11 Aug 2023
0 comments
Join Conversation

Discussion on how the Federal government can support and benefit from advances in phishing-resistant authentication.

Matt Lourie, Sr. Director of Engineering

Last month, Nok Nok Labs attended the White House Multifactor Authentication (MFA) Modernization Symposium. This event brought together government and industry leaders to discuss how to achieve full adoption of MFA across federal agencies, as called for in the Executive Order on Improving the Nation’s Cybersecurity.

Many government agencies currently rely on Personal Identity Verification (PIV) and Common Access (CAC) cards for employee authentication. However, these smart cards are not always convenient for remote access and everyday use. Connecting to a separate card reader can negatively impact user experience. As Deputy National Security Advisor Anne Neuberger noted, government policies should not create barriers to MFA adoption.

There was broad consensus among participants at the symposium that to fully implement MFA, the government needs to move beyond legacy technologies and embrace advanced standards like passkeys. Passkeys are a modern type of credential that can help government agencies finally achieve comprehensive MFA deployment. With passkeys, users authenticate using a cryptographic key pair stored on their device, rather than typing in a password, providing phishing-resistant security without the usability drawbacks of traditional second factors. Passkeys are already supported across major platforms and browsers and can be bound to a single device or synced across multiple devices, making them a practical path to securing access for employees, contractors, and citizens across all applications and environments.

It is clear that the transition to full MFA adoption will take thoughtful planning and cannot happen overnight. With over a decade of experience in authentication and as a founding member of the FIDO Alliance, Nok Nok Labs is well prepared to assist agencies throughout this process of transitioning to full MFA adoption. We understand the unique needs of the government and have solutions to deliver robust security and usability at scale.

While modernizing authentication is no small task, the White House symposium reiterated that it must be a priority if we are to defend our digital infrastructure in today’s threat environment. Public-private collaboration will be key to overcoming roadblocks on the path ahead. Nok Nok Labs looks forward to continuing to work with our partners across government as we chart the course to a passwordless future and a more secure online experience.

Authenticate 2022 The Fido Conference

Author
Nok Nok News
Published
2 Jun 2022
0 comments
Join Conversation

Authenticate 2022, The Fido Conference. Registration is now open and the agenda is now available for #Authenticate2022! Sessions from @ADP, @Citi, @Google, @Microsoft, @Target, and more. Check out the agenda and register here.