17 Nov

4 Min read

Missing the Forest for the Trees

November 17, 2023 Jackie Comp 0 comments

New technologies, especially those that are transformational, get scrutinized – that’s normal. The benefits need to be carefully understood along with any potential drawbacks. The danger to progress however, results from an imbalance in focus … when we place too much emphasis on “edge cases” at the sacrifice of all the benefits.

We miss the forest for the trees.

Passkeys are a perfect example. Passkeys (aka passwordless FIDO credentials) are transformational as an authentication approach. They are phishing-resistant, easy to use, and future proof (open standard supported by the ecosystem). While they are still new to most users, passkeys will quickly become the preferred method of authentication in the same way most users happily adopted Touch ID and Face ID when offered for app sign-in.

Simply put, passkeys are more secure and more convenient than passwords and one-time passwords (OTP):

Keys cannot be “phished” (there is no “secret” to share)
Fake sites (man-in-the-middle attacks) will fail because they do not have the appropriate private key to impersonate a user.
Attacks don’t scale because the attacker must physically have the user’s device where the private key is stored, as well as their user verification method (fingerprint, face recognition, etc).
Users don’t need to remember complex passwords or fumble with OTPs — they just sign in with a swipe or look into the camera. The complexity of the private/public keys is behind the scenes.

Although passkeys are vastly more secure and greatly improve the user experience, the attention seems to be focused on the “edge cases” that make them not “perfect”.

Edge Case #1: Unclear how the synced key is protected – what if it is compromised. Synced passkeys may be stored by platform providers like Apple and Google, or they may be protected by password managers. That is no different from passwords. The big difference, however, is that passwords can be easily phished and stolen. While password managers can help prevent phishing, not everyone uses one. Also, the relying party cannot tell if they are using a password manager or how strong the password really is. With passkeys the phishing resistance doesn’t depend on user behavior. It is guaranteed by the standard. And to steal someone’s passkey you’d have to take over their account or trick a provider to restore a key to your device, which is orders of magnitude more difficult to achieve. Is it possible, yes, but the current risk with passwords is far greater.
Edge Case #2: The transport security of the keys is unknown. The protocol may be proprietary to the provider, however the large providers strongly encrypt the passkeys and synchronization of passwords to the cloud uses proprietary protocols, too.
Edge Case #3: The key may have been shared (“AirDropped”). This is true, a user can air drop their passkey to another user. It is also true, however, that someone can just as easily share their password. And, unlike passkeys, passwords can be easily guessed making them much more vulnerable.

Understanding risk is important, but not at the expense of gain.

Imagine all the doors and windows in your house with flimsy padlocks that can be easily snapped off with one kick. You have the opportunity to replace them with a high-security deadbolt system that is resistant to being kicked in. However there is one very tiny window on your 3rd floor that would require a 30 ft ladder and gymnastics across your roof for a thief to reach, but it cannot leverage the new lock system. Since you can’t secure that one window, you decide not to secure any of them.

That’s missing the forest for the trees.

The bottom line is even if you change nothing else, you are greatly reducing your attack surface by implementing passkeys to replace passwords wherever possible. For regulated markets that typically require MFA with strong device binding, you can combine device-bound passkeys with synced passkeys, creating a “trust anchor” to deal with the 3rd floor window.

Nok Nok has all the capabilities and expertise to help you on your journey through the enchanted forest.

10 Nov

3 Min read

Nok Nok’s FedRAMP High Journey: Next Step in Federal Cybersecurity

November 10, 2023 Nok Nok News 0 comments

In the world of cybersecurity, the federal government sets some of the most stringent requirements for its suppliers. It’s a landscape where only the best can thrive, and Nok Nok, a pioneer in Fast IDentity Online (FIDO) authentication solutions, has emerged as an important supplier. The company recently achieved the coveted Federal Risk and Authorization Management Program (FedRAMP) High authorization through its partnership with UberEther’s IAM Advantage. This achievement follows its DoD Impact Level 5 (IL5) achieved in 2022 and marks a significant milestone in delivering top-notch cybersecurity to federal agencies, partners, and citizens.

Here are the key takeaways from this latest achievement:

1. Federal Government’s Uncompromising Cybersecurity Standards

The federal government has long been known for its uncompromising cybersecurity standards. In response to the 2021 White House Cybersecurity Executive Order and the subsequent call from US Government CISO Jen Easterly for advanced Multi-Factor Authentication (MFA) based on FIDO standards, the demand for cutting-edge cybersecurity capabilities has never been higher. The government is leading the way in adopting the best of breed cybersecurity measures, making it crucial for suppliers to meet these advanced cybersecurity requirements.

2. Nok Nok’s Unique Position: FIDO and More

Nok Nok’s unique position as one of the original creators of FIDO standards sets it apart. The partnership with UberEther has enabled Nok Nok to provide federal agencies with phishing-resistant MFA that not only meets DoD Impact Level 5 (IL5) and FedRAMP High certifications but also complies with the Federal Information Processing Standards (FIPS) and National Institute of Standards and Technology (NIST) standards. This combination of expertise and collaboration empowers federal agencies to meet the highest levels of security and regulatory requirements seamlessly.

3. Streamlining Phishing-Resistant Authentication

Nok Nok’s MFA solution offers an effortless and convenient alternative to traditional Personal Identity Verification (PIV) and Common Access Card (CAC) methods. Leveraging the public key cryptography capabilities of modern endpoint devices such as smartphones and PCs as well as security keys, the solution eliminates the need for additional drivers, middleware, or browser plugins. This approach provides a secure and user-friendly way for employees, contractors, and citizens to access information, all while reducing the vulnerabilities and costs associated with password management.

In Conclusion:

Nok Nok and its partnership with UberEther are at the forefront of delivering advanced cybersecurity solutions to the federal government, setting the gold standard for phishing-resistant MFA. With FedRAMP High authorization, FIPS and NIST compliance, and adherence to FIDO standards, Nok Nok and UberEther are ensuring the highest level of security for federal agency employees, contractors, and citizens. As the digital era continues to evolve, Nok Nok is committed to transcending traditional boundaries and meeting the dynamic cybersecurity needs of our modern society.

31 Oct

4 Min read

Top 6 Considerations to Build vs. Buy FIDO-based Passkeys

October 31, 2023 Nok Nok News 0 comments

Here we are at the end of Cybersecurity Awareness Month, and you’ve heard vendors declare how their solutions can help make you and your enterprise safe. There is a lot to consider and maybe you are thinking you can solve the problem on your own – and go the “build vs. buy” route. Let’s look at the considerations when it comes to adopting the cutting-edge FIDO-based passkeys as the decision carries considerable weight and potential consequences.

When organizations contemplate the implementation of passkeys as an alternative to traditional passwords, they often start by focusing on the Minimum Viable Product (MVP). However, the real challenge lies beyond the MVP—the unknowns that come with version 1.1 and beyond. The technology landscape is constantly evolving, demanding adaptability and scalability. This is when the decision between starting from scratch and leveraging experienced vendors becomes critical.

Here are 6 considerations for your decision-making process:

1. Completeness: Beyond the Minimum Viable Product

Building a passkey solution from scratch may seem like an attractive proposition, especially for the sake of cost-effectiveness and fitting into existing infrastructure. However, it’s crucial to consider the road beyond the Minimum Viable Product (MVP). Rapid technological advancements necessitate staying up-to-date and future-ready. Vendors with experience in passwordless authentication solutions not only offer much more than a MVP but also pave the way for future expansions and improvements, helping organizations avoid technological dead-ends.

2. Support for Diverse Environments: Native Apps, Web Apps, Devices, and Regulatory Requirements

The ability of passkeys to seamlessly integrate across diverse environments is a fundamental requirement. Most established vendors excel in providing such integration, saving organizations time and resources. In contrast, building this integration in-house can be time-consuming and expensive, especially when compliance requirements need to be addressed. Dedicated passwordless authentication vendors bring years of experience, ensuring compatibility across a wide range of devices and regulatory environments.

3. Seamless Integration and Backend Infrastructure Support

The tech landscape is no longer homogeneous. Maintaining compatibility across various hardware and software versions can be a significant challenge when building in-house. Dedicated vendors can simplify this process by integrating seamlessly with an organization’s existing backend infrastructure, including cloud Hardware Security Modules (HSMs) and Secret Stores. This integration capability minimizes extensive code changes.

4. Maintenance Challenges: Keeping Pace with Specifications

Staying abreast of evolving FIDO and WebAuthn specifications is crucial for passkey solutions. Organizations often underestimate the effort and resources required for ongoing maintenance when building in-house. Partnering with experienced authentication vendors ensures that passkey features remain up-to-date, reducing maintenance burdens and allowing organizations to stay focused on their core objectives.

5. Reducing Development Risks and Project Failures

Homegrown development carries inherent unknown unknowns, particularly when implementing a paradigm like passkeys for the first time. Organizations may overlook critical factors or encounter unexpected challenges, resulting in higher costs, delays, or compromises on user experience. Partnering with an established passwordless authentication provider mitigates these risks by leveraging their extensive experience and lessons learned from successful passkey deployments.

6. Capitalizing on Investment and Experience

While building a passkey solution independently may seem appealing from a cost perspective, it often fails to account for hidden expenses and missed opportunities. Unknown unknowns can be costly both in terms of time and money. Leveraging a vendor like Nok Nok, with expertise and a wealth of investment in FIDO-based implementations, ensures a smoother fit into existing infrastructure and access to valuable intellectual property.

Conclusion

While building a solution from scratch may appear cost-effective or a better fit for existing infrastructure, it often underestimates the maintenance challenges, development risks, and missed opportunities. By leveraging a traditional passwordless vendor’s comprehensive passkey features, organizations can ensure a complete, scalable, secure, and future-proof implementation, benefiting from the expertise and investment of a trusted industry leader.

27 Oct

3 Min read

Authenticate 2023: The Tipping Point for Passkeys and Passwordless Authentication

October 27, 2023 Matt Lourie 0 comments

Last week, Nok Nok attended Authenticate 2023, the industry’s only conference dedicated to all aspects of user authentication, with a focus on FIDO. According to a poll, over half of the attendees were new to FIDO, highlighting the growing interest. It was incredible to see how far the industry has come. When the FIDO Alliance was first founded 11 years ago by Nok Nok and 5 other visionary co-founders, passwordless authentication was just a bold theoretical idea. This, however, marked the start of an industry movement to passwordless authentication. With over 600 attendees representing major platforms, vendors, and industries, Authenticate 2023 demonstrated the tremendous momentum and excitement building around passkeys.

Passkey Readiness

Leading up to the conference, Google and Apple made big announcements concerning passkeys. All users signing in to Google accounts will be prompted to create and use passkeys instead of passwords. Similarly, Apple announced their plans to automatically assign a passkey to a user’s Apple ID when it launches iOS 17, iPadOS 17 and macOS Sonoma.

These major industry roll outs signal that passkeys are ready for mainstream adoption everywhere we currently use passwords. There were many sessions on passkey success stories, with practical advice on real-world implementation and deployment considerations.

User Experience is Key for Growth

One key focus at Authenticate 2023 was the importance of optimizing the user experience for passkeys. There were many informative sessions covering how to refine the passkey authentication experience for users. Speakers shared user experience (UX) design principles to keep in mind, accessibility considerations for inclusive authentication, and ideas for balancing strong security with usability in passkey flows. The sessions made clear that while technology may enable passwordless authentication, thoughtfully designing the UX is crucial for driving mass adoption.

FIDO Adoption

With passkeys becoming more widely used, the conference examined deployment challenges, best practices, and lessons learned for a wide range of workforce and consumer-facing use cases. These included fintech (Intuit), media, e-commerce, travel, and gaming. The sessions provided key takeaways for organizations implementing FIDO-based authentication including Nok Nok’s session by Dr. Rolf Lindemann on Strategies for Using Passkeys in Regulated Markets.

FIDO Usage in the Government

Several sessions dove into adoption of FIDO standards and passkeys by government agencies. There was recognition that while Personal Identity Verification (PIV) cards are vital for government use cases, FIDO has an important role to play in addressing gaps where PIV cards are not viable. These insights highlighted the complementary value and growing role passkeys are playing in public sector digital transformation. For more information, see the recently published FIDO Alliance Guidance for the US Government.

From major platform announcements to real-world deployment lessons learned, Authenticate 2023 showcased the enormous progress and potential of passwordless FIDO-based authentication. As passkeys and FIDO standards continue to gain momentum, the conference provides valuable insights for any organization implementing modern authentication.

11 Aug

3 Min read

Nok Nok at the White House

August 11, 2023 Nok Nok News 0 comments

Discussion on how the Federal government can support and benefit from advances in phishing-resistant authentication.

Matt Lourie, Sr. Director of Engineering

Last month, Nok Nok Labs attended the White House Multifactor Authentication (MFA) Modernization Symposium. This event brought together government and industry leaders to discuss how to achieve full adoption of MFA across federal agencies, as called for in the Executive Order on Improving the Nation’s Cybersecurity.

Many government agencies currently rely on Personal Identity Verification (PIV) and Common Access (CAC) cards for employee authentication. However, these smart cards are not always convenient for remote access and everyday use. Connecting to a separate card reader can negatively impact user experience. As Deputy National Security Advisor Anne Neuberger noted, government policies should not create barriers to MFA adoption.

There was broad consensus among participants at the symposium that to fully implement MFA, the government needs to move beyond legacy technologies and embrace advanced standards like passkeys. Passkeys are a modern type of credential that can help government agencies finally achieve comprehensive MFA deployment. With passkeys, users authenticate using a cryptographic key pair stored on their device, rather than typing in a password, providing phishing-resistant security without the usability drawbacks of traditional second factors. Passkeys are already supported across major platforms and browsers and can be bound to a single device or synced across multiple devices, making them a practical path to securing access for employees, contractors, and citizens across all applications and environments.

It is clear that the transition to full MFA adoption will take thoughtful planning and cannot happen overnight. With over a decade of experience in authentication and as a founding member of the FIDO Alliance, Nok Nok Labs is well prepared to assist agencies throughout this process of transitioning to full MFA adoption. We understand the unique needs of the government and have solutions to deliver robust security and usability at scale.

While modernizing authentication is no small task, the White House symposium reiterated that it must be a priority if we are to defend our digital infrastructure in today’s threat environment. Public-private collaboration will be key to overcoming roadblocks on the path ahead. Nok Nok Labs looks forward to continuing to work with our partners across government as we chart the course to a passwordless future and a more secure online experience.

02 Jun

1 Min read

Authenticate 2022 The Fido Conference

June 2, 2022 Nok Nok News 0 comments

Authenticate 2022, The Fido Conference. Registration is now open and the agenda is now available for #Authenticate2022! Sessions from @ADP, @Citi, @Google, @Microsoft, @Target, and more. Check out the agenda and register here.

21 Dec

2 Min read

FIDO Alliance To Conduct Certified Professionals Webinar On December

December 21, 2021 Nok Nok News 0 comments

Following the October announcement of the FIDO Certified Professional Program, FIDO Alliance will conduct the FIDO Certified Professionals webinar on December 16, 2021. The webinar, which will start at 11 am PT (2 pm ET), will feature Dr. Rae Rivera.

In line with this, FIDO Alliance will conduct the FIDO Certified Professionals webinar on December 16, 2021. The webinar, which will start at 11 am PT (2 pm ET), will feature Dr. Rae Rivera.

Dr. Rivera, FIDO Alliance’s Certification Director, will talk about what is involved in FIDO Certified Professional Program, how it can help you or your organization, and what to consider to know if you should get certified.

The program highlights the growth in FIDO adoption, which has seen momentum worldwide. It aims to increase the number of available experts who can support businesses in the implementation of stronger FIDO authentication solutions. This way, more organizations can expect the faster roll-out of FIDO adoption with the help of FIDO-certified professionals. The latest certification program will open in early 2022.

Various types of organizations from different industries can benefit from the program, including job functions like identity and access management professionals, security professionals, systems and operations engineers, and technology architects.

FIDO Alliance conducts multiple certification programs, including those related to function, cyber security, and biometrics. The FIDO Certified Professional Program is seen to complement these by formally recognizing knowledge of online security and authentication professionals. It is an assessment and validation of expertise on FIDO standards and authentication technologies.

FIDO-certified experts will have the necessary technical knowledge to analyze business requirements. They can also help design a suitable FIDO architecture to address their needs.

FIDO Alliance is an association composed of multiple organizations that want to develop and promote authentication standards. Thus, hoping to reduce overreliance on passwords when it comes to security. It is known to establish and share industry best practices in cyber security and authentication solutions. It helps organizations deal with security challenges by providing guides for more secure alternatives.

Increasing the number of authentication experts globally through the FIDO Certified Professional Program will give more organizations access to talented and skilled professionals. You can check out the FIDO Certified Professional Program page and register for updates.

If you have questions about the program, you can also attend the webinar. Register here and see you on December 16!

08 Sep

2 Min read

Nok Nok at Authenticate 2021

September 8, 2021 Nok Nok News 0 comments

Nok Nok will have a booth and speaking slot at The Authenticate 2021 Conference in Seattle Washington from 10/18 -10/20.

Authenticate 2021 will focus again on providing excellent content – helping educate attendees on business drivers, technical considerations, and overall best practices for deploying modern authentication systems. You have an opportunity to be part of it!

Relying on passwords is passé. Modern authentication systems and standards have emerged to provide more efficient ways for organizations to provide strong security and better interactions with their brands.

Welcome to Authenticate, the industry’s only conference dedicated to the who, what, why, and how of user authentication – with a focus on the FIDO standards-based approach. Authenticate, hosted by FIDO Alliance, is the place for CISOs, security strategists, enterprise architects, and product and business leaders to get all of the education, tools, and best practices to roll out modern authentication across the web, enterprise, and government applications.

Authenticate 2020 featured 50+ sessions, including detailed case studies, technical tutorials, and expert panels — all helping educate attendees on business drivers, technical considerations, and overall best practices for deploying modern authentication systems. The 2021 event will again focus on providing excellent content, a dynamic expo hall, and other networking opportunities while adhering to all CDC and local health/distancing requirements.

After years of increasingly severe data breaches and user login frustration, now is the time to embrace a new way to authenticate. Join us at Authenticate 2021, and come away with the tools to move past passwords.

Join us at Authenticate 2021!

12 Feb

5 Min read

Nok Nok Welcomes Apple to FIDO

February 12, 2020 Nok Nok News 0 comments

Nok Nok welcomes Apple to the FIDO Alliance and reports record growth.

Nok Nok, the leader in passwordless authentication, today announced a record year following broad industry acceptance of FIDO standards – and evidenced by the news that Apple, Inc. is now a member of the FIDO Alliance and has taken a leadership role as a board member. The FIDO Alliance, co-founded by Nok Nok and publicly launched in 2013, addresses industry needs for strong authentication without sacrificing ease of use, while reducing friction and vulnerabilities that often result from the use of passwords for authentication.

As broad industry acceptance of the FIDO standards continued in 2019, Nok Nok’s new customer deployments increased, existing customer renewals expanded, and Nok Nok released innovative technology with support for additional use cases. Also contributing to Nok Nok’s success were new global strategic partnerships, recognition and a prized GLOMO award from the GSMA, as well as increased market demand driven by global regulations that mandate strong authentication for online services.

“Nok Nok Labs and FIDO have both reached significant milestones today. When we first invented FIDO-enabled technology, it was clear that privacy and security would need to be hand-in-hand and at the heart of any authentication solution. To have Apple join the FIDO journey is a testament to our original vision of enabling strong authentication across all platforms,” said Phillip Dunkelberger CEO Nok Nok Labs. “It’s incredibly rewarding to have the world’s largest and most successful browser manufacturers, banks, telcos, eCommerce and healthcare providers join the movement we started in 2013 to solve global user authentication challenges.”

Nok Nok Solutions for the Apple Ecosystem

Since 2014, Nok Nok has supported Apple native applications on iOS devices – iPad and iPhone, and in November 2019 Nok Nok introduced the Nok Nok App SDK for Smart Watch. Now with Apple a part of the FIDO Alliance, it signals the opportunity for users of any Apple device to employ strong authentication. The Nok Nok™ S3 Authentication Suite supports strong and convenient user authentication on Apple devices – through native Mobile Apps and through the recently added FIDO support in Safari. Apple’s membership in the FIDO Alliance fuels the speculation of now being able to use FaceID/TouchID for FIDO authentication through the Safari Browser.

“Apple joining this alliance is an important signal,” said Richard Clarke, former Special Advisor to the President on Cybersecurity, and Advisory Board member to Nok Nok Labs. “Password-related breaches are far more prevalent than they should be given the alternatives we have available. Apple and other Alliance members are transforming digital identity by committing to secure, standards-based authentication. It’s a step in the responsible direction for corporations and the customers whose data they are responsible for protecting.”

“The FIDO Alliance gained a valuable member today,” said John N. Stewart, Security Expert and former Advisory Board Member to Nok Nok Labs. “By joining industry counterparts like Google and Microsoft, Apple has become the final puzzle piece with FIDO now adopted by all major browser manufacturers.”

Accelerating Market and Nok Nok Momentum

Apple is the most recent industry player to join the wave of FIDO adoption over the past year. The convergence of industry support, global regulations and market demand for Nok Nok’s passwordless authentication solutions has driven global deployments and adoption. Leading financial institutions, such as BBVA have deployed Nok Nok’s solutions to provide passwordless authentication while enabling them to comply with GDPR and PSD2 requirements. Nok Nok customers Intuit and T-Mobile shared the results of their deployments at Identiverse including the unique benefit that Nok Nok’s technology increased Intuit’s login success rate by 6% and decreased T-Mobile’s “Forgot Password” user requests from 65% to 7%. And, Nok Nok’s strategic partners saw successful new deployments such as Fujitsu – whose client Aflac Japan deployed passwordless authentication and Hitachi with their client MUFG Bank.

2019 was a momentum filled year for Nok Nok and the FIDO Alliance. And now recognizing Apple joining the FIDO Alliance in early 2020 signals even more industry adoption to follow.

About Nok Nok
Nok Nok is the trusted leader in passwordless consumer authentication. Delivering the most innovative authentication solutions in the market today, Nok Nok empowers global organizations to improve the user experience to access digital services, while meeting the most advanced privacy and regulatory requirements. The Nok Nok™ S3 Authentication Suite integrates into existing security environments to deliver a cost-effective, future-proof and standards-based authentication solution. Headquartered in Silicon Valley, California, the company has delivered unique inventions and innovations that are protected by a robust global patent portfolio. As a founder of the FIDO Alliance and inventor of FIDO specifications, Nok Nok is the expert in deploying standards-based authentication, and its industry leading customers and partners include BBVA, DDS, Inc., Ericsson, Fujitsu Limited, Hitachi, Intuit, Lenovo, MTRIX GmbH, NTT DATA, NTT DOCOMO, OneSpan, SoftBank, Standard Bank, and T-Mobile.

View the Official Press Release

Contact Us

Latest Posts

Navigation

About Us

Recent posts

Missing the Forest for the Trees

Nok Nok’s FedRAMP High Journey: Next Step in Federal Cybersecurity